Ghoul

I spent almost 3 days in total to solve this machine, but I’m happy that I have learnt some new things.

Thank you for creating this painful machine @MinatoTW and @egre55 - please make moar of these machines.

For root flag, some basic but useful advice that you may be bored of hearing;

  • monitor processes and file system changes on the machines you get shell
  • enumerate files as much as you can

Good luck.

Thanks guys , glad you liked that challenge.

Type your comment> @MinatoTW said
Thanks guys , glad you liked that challenge.

thanks to you sir, because of you, we learn new things
LOVE FROM INDIA

I have mixed feelings about this machine. I’m still not sure why this box is only 40 points LOL. It is probably the first time for me to see 4 con******* in 1 server in HTB so it should’ve been 50 points really. Just so that everyone here is on the line, this box is rated 6.4 as of now due to the fact that there are about 76.3% more people with user flags and without root flags as of now. Otherwise, I truly believe it would be at least in the 8.

The user was FUN despite the minor trolls, I won’t deny that. I won’t say the same about the root though.

“You’ve done well to come upto here human. But what you seek doesn’t lie here. The journey isn’t over yet…”

This is the moment when I wanted to break things apart.

The root was unrealistic in the files part, which I hated so much btw. Then comes the 30 seconds interval. Seriously?

The balance between the user flag and root flag is very bad in my opinion. So, I’m sorry but I’ll dislike this machine.

And I finally rooted…
Great job: @MinatoTW and @egre55 . I really liked the last step…

Please don’t make boxes like this in the future. You had some nice ideas, but you ruined all of it by making the like half of the box guessing passwords. Definitely the worst box I’ve done so far.

Type your comment> @Ryan412 said:

I have mixed feelings about this machine. I’m still not sure why this box is only 40 points LOL. It is probably the first time for me to see 4 con******* in 1 server in HTB so it should’ve been 50 points really. Just so that everyone here is on the line, this box is rated 6.4 as of now due to the fact that there are about 76.3% more people with user flags and without root flags as of now. Otherwise, I truly believe it would be at least in the 8.

The user was FUN despite the minor trolls, I won’t deny that. I won’t say the same about the root though.

“You’ve done well to come upto here human. But what you seek doesn’t lie here. The journey isn’t over yet…”

This is the moment when I wanted to break things apart.

The root was unrealistic in the files part, which I hated so much btw. Then comes the 30 seconds interval. Seriously?

The balance between the user flag and root flag is very bad in my opinion. So, I’m sorry but I’ll dislike this machine.

Thanks for the feedback, there were some unintentional trolls due to my mistake and I apologise for that. And I agree the root part got stretched a bit, noted it down for the future. The files part is pretty much realistic if I understand what you’re pointing towards. And the 30 second interval is to ensure the connection isn’t killed / dies in between. It’s not easy to simulate user interaction with so many people on the box, we had to make some adjustments to ensure everything works out of the box.

edit:nvm

Thanks @MinatoTW and @egre55 for the big box!!

Do I need to brute-force the login(Members-Area)
I tried all default creds( didn’t worked)

I need help on uploading part. Cant guess the right path. Could someone PM me?
EDIT: Nevermind. Got user :slight_smile:

Hello, i’m struggling for gaining user access. Must i brute-force one of the two login pages ?

Type your comment> @Kalki said:

Hello, i’m struggling for gaining user access. Must i brute-force one of the two login pages ?

no, please dont)

There is a vuln in one of the web app ?

@Kalki said:
There is a vuln in one of the web app ?

sure

Where to find passphrase for ssh key ?
Is se***.jpg a rabit hole.

Type your comment> @AmiToLotto said:

Where to find passphrase for ssh key ?
Is se***.jpg a rabit hole.

change .jpg to .php when search for passphrase

@tabacci
Thx that works

I’m in g*** as “admin” I can also get a rev shell as g** but I don’t know what to look for or escalate…

EDIT: one more step… stuck on the next one. Crazy box!

EDIT2: rooted with a lot of help. Last step is too much

I’ve gained access via ssh, and nmap’d the /24 rather than the /16 and found some hosts – but cant seem to find anything that stands out?