onetwoseven

@Alurith said:

Before going too deep in a rabbit hole, about root. One of the steps is changing the h***_****y, right?

Yes.

My first root on HTB. If that was easy, I would hate to see what a difficult box is going to be like. When watching IppSec videos - root always seems to involve a lot less work than this one did :slight_smile: - great box though.

I’m trying to get my keyboard in my a * I found user.txt … Yes, I found it. 3 days after I had my shell on this box XD The user.txt is very close. Do not search so far like me :slight_smile:

Excellent box after all - finally managed to root this after fighting with the privesc for quite a while…

In the end the exploit is & was quite simple & stands out if you enumerate properly, and there is a related blog post available online explaining a very similar attack if you know exactly what to google for based on the enum findings.

Really polished & well thought through box, props to the maker! :star:
And huge props to @dividebyzer0 for kicking me in the right direction & helping out when I started overthinking an after all simple exploit.

That was an excellent box. The a**-g** priv-esc was a ride. Special thanks to PavelKCZ for getting me out of plugin directory ■■■■ as well.

If anyone needs a hand, feel free to message me!

Awesome box from @jkr. 50pts would really be icing on the cake.

That was one of the coolest boxes I’ve rooted on HTB.
Great job @jkr !

Thanks a lot to @lantog for helping out with root-hints!

Finally rooted. It was really tricky at some parts, but definitely a fun box.
Thanks for the help @dividebyzer0 and @dreamerscoffee

Need a small nudge for finding credentials. I have access to the admin panel but I have not been able to grab any credentials.

Thanks @jkr for this interesting machine and for its constant improvement :lol:
And @dreamerscoffee - he stopped me when this cycle of reading was becoming endless.
Therefore I repeat after RJ - RAFO. Not WOT but documentation, manpages and guides :lol: All this puzzle needs to be solved is thoughtful reading of documentation.

Enumerate processes, document what they were supposed to do and create your module. Use the weakness of this machine - not possible exploits.

Need a small nudge for finding credentials. I have access to the admin panel but I have not been able to grab any credentials. Found the /addon/ folder as well.

How do you get a shell? I have a PHP shell but it gives me a 403 error. Even when I tested with a file that was not present, like ex.php, instead of giving a not found, it gave me a 403. How do I change the server to accept PHP files? Or are there any other ways?

@Alpha19IR1 said:

How do you get a shell? I have a PHP shell but it gives me a 403 error. Even when I tested with a file that was not present, like ex.php, instead of giving a not found, it gave me a 403. How do I change the server to accept PHP files? Or are there any other ways?

Try to look and check the code of modules you already see in the admin section. Make your own based on them. Change step by step then if you have to.

This box is a true work of art. Thank you!

I feel like I’m on the right path to root. Can anyone PM me to discuss it? I don’t wanna spam all you guys who rooted this box…

Off topic: There are around 60 machines in the OSCP lab. If you are able to root min 75-80% of the machines, also reach the admin subnet and root the admin machines, then you can assume that you are prepared enough for the 24h OSCP exam.
Working on this number of machines in 2-3 months (depends on your lab time) gives a nice routine which helps to manage the 5 machines in 24 hours.

I didn’t have too much time in the OSCP labs. I only had a budget for 30 days of lab time. Since I was new to penetration testing I was trying to do as much as I could in those 30 days (taking into account that I have a daily job and family). All in all I managed to root less than 20 machines, although I concentrated on the hardest ones. The rest I was practicing on HTB and learning by watching IppSec videos. Those <20 machines plus HTB practice were more than enough to pass the OSCP exam. It took me approx. 1.5h per OSCP exam machine. Doing mid-level HTB machines was very helpful to me.

Guys, I found admin port 6*8** and I need to tunnel it through SSH. Need help. I did a lot of commands.

This was epic - thanks @jkr :slight_smile:

I think this was the first time I accidentally patched the vuln I wanted to exploit in one of my tests :wink:

So I seriously hate that I’ve had to write in the forums for help for every single box I have done, but I am seriously stuck on this and I’m going on 8 total hours worked on this box… Anyways, I log into the sp server and use Hp, but I have no idea how to use any of the commands for my good. I have tried everything and nothing seems to get me anywhere. Could someone PM me some hints, as I cannot get an initial foothold on this box and it’s really starting to get to me lol.