onetwoseven

Hi there,
I managed to get the user flag and have a shell on the box.
I think I know what needs to be done to get the root flag, leveraging a*****-****** and I have a high level idea on how to do that. I have already a couple of things set up and working, I believe I am very close.
Could someone PM me for help to perform the last couple of steps?

@PavelKCZ said:

GordonFreeman: thx for the info. I was asking because I read somewhere that for OSCP, you must do five boxes during 24 hours or something similar.

And I tried to imagine, what I should learn if I would like to do five boxes like OTS during 24 hours…

Off topic: There are around 60 machines in the OSCP lab. If you are able to root min 75-80% of the machines, reach also the admin subnet and root the admin machines then you can assume that you are prepared enough for the 24h OSCP exam.
Working on this number of machines in 2-3 months (depends on your lab time) gives a nice routine which helps to manage the 5 machines in 24 hours.

@D4n1aLLL said:

@IgorLB said:

@Ripc0rd said:

stuck on “unkown plugin type” can anyone lend a hand?

Try to create your own plugin step by step. Start from a copy of an existing one, make small changes and check :slight_smile:

Why do we need to replicate a plugin? I uploaded a file without replicating anything.

You need not. :lol:
Just because this box (1-2-7) is constantly changing, the “step-by-step” method might help you not get stuck after such changes.

I am currently stuck at a location, after s**p access, and I have enumerated what I believe to be my path to gaining a user shell but it is not acting the way I understand. I have done a good bit of research and found myself running in a circle now. Would anyone be willing to PM me so I can explain my thought process and steps, then provide me with a nudge only? I feel like I am extremely close, but hitting a wall (happens often when being away from the practice for some time). Thank you all!

Rooted. Just wanna say to @jkr… holy ■■■■. Well done!!! This is hands down the most fun I’ve had on HTB in the month I’ve been a member. Phenomenal job and thank you for all your work on this awesome box. Learned a ton and the vector for root is something I’ve never seen before. Had a blast!

Now that that’s out of the way, here’s my tips for those that are hung up.

[ * ] Use HELP. Examine your environment. Think of what you can leverage.
[ * ] Read everything you can lay your grubby little hands on.
[ * ] Again. Read. EVERYTHING. Take plenty of notes.
[ * ] Once you work backwards and pop user, prep for root!
[ * ] Prepare to do everything locally. Custom exploitation out the ■■■!
[ * ] RTFM. Seriously. 99% of what you need is in the man pages.
[ * ] “Measure twice, cut once.” Debugging/Deployment == slowwww…

Above all else, have fun! This box is not the CTF shitshow we’ve seen repeatedly recently. Literally everything you need is staring you in the face from start to finish.

What a ride. An instant HTB classic! Up there with the other HTB *nix greats (holiday, joker, jail, ariekei, reddish, etc) in my opinion. Extremely well thought out - gotta love boxes that teach you new tricks. Excellent work @jkr cheers for creating it and I hope you make more boxes.

I can only agree with delo: Very nice, well prepared and somehow challenging. Learned again some new tricks, and will use the priv esc for awareness if @jkr allows for that :wink:
Looking forward to your next one!

Before going too deep in a rabbit hole, about root. One of the steps is changing the h***_****y, right?

thank bro #Alurith for the help

@Alurith said:

Before going too deep in a rabbit hole, about root. One of the steps is changing the h***_****y, right?

Yes.

My first root on htb. If that was easy, I would hate to see what a difficult box is going to be like. When watching ippsec videos - root always seems to involve a lot less work than this one did :slight_smile: - great box though.

I’m trying to get my keyboard in my a * I found user.txt … Yes I found It. 3 days after I had my shell on this box XD the user.txt is very close. Do not search so far like me :slight_smile:

Excellent box after all - finally managed to root this after fighting with the privesc for quite a while…

In the end the exploit is & was quite simple & stands out if you enumerate properly, and there is a related blog post available online explaining a very similar attack if you know exactly what to google for based on the enum findings.

Really polished & well thought through box, props to the maker! :star:
And huge props to @dividebyzer0 for kicking me in the right direction & helping out when I started overthinking an after all simple exploit.

That was an excellent box. The a**-g** priv-esc was a ride. Special thanks to PavelKCZ for getting me out of plugin directory ■■■■ as well.

If anyone needs a hand, feel free to message me!

Awesome box from @jkr. 50pts would really be icing on the cake.

That was one of the coolest boxes I’ve rooted on HTB.
Great job @jkr !

Thanks a lot to @lantog for helping out with root-hints!

Finally rooted. It was really tricky at some parts, but definitely a fun box.
Thanks for the help @dividebyzer0 and @dreamerscoffee

Need a small nudge for finding credentials. I have access to the admin panel but I have not been able to grab any credentials.

Thanks to @jkr for this interesting machine and for its constant improvement :lol:
And @dreamerscoffee - he stopped me when this cycle of reading was becoming endless.
Therefore I repeat after RJ - RAFO. Not WOT but documentation, manpages and guides :lol: All this puzzle needs to be solved is thoughtful reading of documentation.

Enumerate processes, document what they were supposed to do and create your module. Use the weakness of this machine - not possible exploits.