Ellingson

EDIT: got it.

Is the gar**** executable the path to root? Should I debug it?

Knowing a little python helps enumerate the os from inside the web app.

After leveraging the trackback to get in, trying to enum. kinda stuck, Mr. Sunglasses doesn’t have much he can do. Nudge please? Also anyone notice constant hangs in their ***ll?

@Negative said:

After leveraging the trackback to get in, trying to enum. kinda stuck, Mr. Sunglasses doesn’t have much he can do. Nudge please? Also anyone notice constant hangs in their ***ll?

Why your ***ll hangs is told on article number 2

Hey,
I have a question about cracking something ^^ can someone PM me?

■■■. Why wasn’t this box made sooner? HA! Lol. Perhaps I shouldn’t find this so amusing. But fhlipZero seems to be amused too. Hackthebox.eu The Planet!

just owned it.
Hint for user ~
enumeration on web should give you quick shell and privesc for user is pretty easy after that.
Hint for root ~
It's something u would have noticed before u got user and now you can exploit it.
it would not be very hard if you are good with binary exploitation

Well, I'm being flooded in the DMs, please continue the discussion over here so that everyone can benefit.

@R4J yes sorry for the flood …

My question is about cracking something…

@wabafet said:

this is the coolest challenge i have done ever

Not only do I love the hackers movie from my younger days but what the ■■■■ that bug is so off the wall i got lucky as ■■■■ patreon hats off to you boys :wink: for teaching people like me how to find things to fill my flask with and drink with pure joy

What are some of your favorites? I supported fuzzysecurity for a while but then lost interest; will probably look for others.

box already destroyed? Doesn’t work for me and I can’t reset it :confused:

Fun box! Just got root.

My hints:
User: Enumeration + a small waiting game. Some hints from the first page you saw can cut down on the wait a bit. :slight_smile:

Root:
Quality of life tip: once you know which file(s) to go after, download yourself a local copy to work against so you don’t have to work against the somewhat slow servers.

For any of you not familiar with this web app framework, feel free to DM; I can point you in the general direction of where you need to go. I’m pretty unfamiliar with this myself but I have an idea of what next steps will look like.

Is low port bruteforce the right way?
I’ve made a very small password list with enumeration and I found some users but it doesn’t work…

@Crafty, I tried the same thing and got no results, I’m thinking it’s the username that is the issue…

Can anyone help me with getting a shell? I’ve tried all the reverse shell possibilities, none of them are working.

fail2ban lol

Shoutout to box creator; when you find the way forward lmaoooo

Some of you should spend time learning about ssh; your default shouldn’t be to “crack all the things”, that’s not a methodology; my 2 cents

Well, let’s see… I’ve got 4 potential users with a dozen or so permutations per username, and 4 passwords with a bunch of different potential variations of those.

I could enter a couple hundred entries by hand trying them out, or I could automate it.

Hmmmmmmm.

“Maybe be more constructive with your criticism” - hip hop hoppotamus