Ghoul

And I finally rooted…
Great job: @MinatoTW and @egre55 . I really liked the last step…

Please don’t make boxes like this in the future. You had some nice ideas, but you ruined all of it by making the like half of the box guessing passwords. Definitely the worst box I’ve done so far.

Type your comment> @Ryan412 said:

I have mixed feelings about this machine. I’m still not sure why this box is only 40 points LOL. It is probably the first time for me to see 4 con******* in 1 server in HTB so it should’ve been 50 points really. Just so that everyone here is on the line, this box is rated 6.4 as of now due to the fact that there are about 76.3% more people with user flags and without root flags as of now. Otherwise, I truly believe it would be at least in the 8.

The user was FUN despite the minor trolls, I won’t deny that. I won’t say the same about the root though.

“You’ve done well to come upto here human. But what you seek doesn’t lie here. The journey isn’t over yet…”

This is the moment when I wanted to break things apart.

The root was unrealistic in the files part, which I hated so much btw. Then comes the 30 seconds interval. Seriously?

The balance between the user flag and root flag is very bad in my opinion. So, I’m sorry but I’ll dislike this machine.

Thanks for the feedback, there were some unintentional trolls due to my mistake and I apologise for that. And I agree the root part got stretched a bit, noted it down for the future. The files part is pretty much realistic if I understand what you’re pointing towards. And the 30 second interval is to ensure the connection isn’t killed / dies in between. It’s not easy to simulate user interaction with so many people on the box, we had to make some adjustments to ensure everything works out of the box.

edit:nvm

Thanks @MinatoTW and @egre55 for the big box!!

Do I need to brute-force the login(Members-Area)
I tried all default creds( didn’t worked)

I need help on uploading part. Cant guess the right path. Could someone PM me?
EDIT: Nevermind. Got user :slight_smile:

Hello, i’m struggling for gaining user access. Must i brute-force one of the two login pages ?

Type your comment> @Kalki said:

Hello, i’m struggling for gaining user access. Must i brute-force one of the two login pages ?

no, please dont)

There is a vuln in one of the web app ?

@Kalki said:
There is a vuln in one of the web app ?

sure

Where to find passphrase for ssh key ?
Is se***.jpg a rabit hole.

Type your comment> @AmiToLotto said:

Where to find passphrase for ssh key ?
Is se***.jpg a rabit hole.

change .jpg to .php when search for passphrase

@tabacci
Thx that works

I’m in g*** as “admin” I can also get a rev shell as g** but I don’t know what to look for or escalate…

EDIT: one more step… stuck on the next one. Crazy box!

EDIT2: rooted with a lot of help. Last step is too much

I’ve gained access via ssh, and nmap’d the /24 rather than the /16 and found some hosts – but cant seem to find anything that stands out?

is kaneki crack of encrypted key the way to user (im failing to crack it) ? have shell with other two users, cant find flag :slight_smile:

@ntroot No, you don’t! I got the user flag before I had a decrypted version of that key.

Thanks, i got it. Now try harding to root, LOL :slight_smile:

Could someone pm me where to look for uploaded file? Is it inside the M*** Area (no access yet)? I’ve recursively enumerated all possible dirs searching for it. Or I won’t see it in those and have to exploit?