Swagshop

Comments

  • edited May 2019

    @deathflash1411 said:

    Everyone's saying that getting root is simple....but I'm kinda stuck....could someone please help me out !

    Same.. I'm not seeing it either. Been on as user since 30 minutes of release. I guess I'm dumb.

    Edit: Yup I'm dumb, I had all the pieces just needed to figure out how to put them together. Thanks ixxelles for the nudge!

  • edited May 2019

    Edit: double post

  • Sup Peps -
    so i enumerated the webapp a bit and was able to find the admin login page, but i'm stuck there, found a lot of CVEs, some on Ma****o, and some on *p***e, couldn't understand how people got login credentials or RCE, any tips ?

  • @ElPhnek said:
    the admin login page

    You may have been struck by Obi-wan, maybe this wasn't the admin page you were looking for. You may be able to make use of those CVE's eventually...

    Fibbot
    OSCP

  • Hey, I've been able to get a user shell but I'm stuck on privilege escalation, if someone could pm and help me in that regard, i'd really appreciate it.

  • edited May 2019

    No more stickers :'( :'( :'( :'(

  • Elevated my shell, but still stuck.

    @idarlund said:

    No more stickers :'( :'( :'( :'(

    I was just about to say that too. Hopefully they'll have some more soon.

  • Woo! Got myself some nice new swag headed my way! That was a fun box. super easy privesc ;)

    Hack The Box

  • Please oh please don’t use the 503 method... i can’t believe how often this happens... there is a much safer way to get user.. ribbit ribbit... that being said the 503 encouraged me to work on web scraping with python and I created a script that will open up my reverse shell right away! :)
  • edited May 2019

    Thanks for all of the hints for user. The tunnel vision was real!

    vldkak

  • I was able to log in as an admin on the M****** last night. In the meantime the box has been reset, so I am restarting the same exploit as yesterday but unable to connect. Am I the only one?

  • hmm was this box recently changed? for some reason .... the method i was using to gain access to the "panel" doesn't seem to gain access to the file system anymore... hmmm brick wall straight to the face.... ouch... please pm if you know what happened or what i stumbled into...

  • Hi, I'm just beginning with this box and I can't seem to find anything. Not even a shell or something. Can someone help me? Contact me over discord: Captain_CrunchV1#8996
    thx

  • Managed to get root, thanks to @NoPurposeInLfe for the assistance.

    @FlewManChew said:
    hmm was this box recently changed? for some reason .... the method i was using to gain access to the "panel" doesn't seem to gain access to the file system anymore... hmmm brick wall straight to the face.... ouch... please pm if you know what happened or what i stumbled into...

    Access to the file system is an optional extra of the CMS that needs to be enabled.

  • For user, you can get a shell using the well-known exploit for this framework & a bit of poking around.

    Root should take less than 2 minutes. Any longer and you are overthinking it.

    Looking for past Hack the Box write-ups or other security stuff? Feel free to visit: https://dastinia.io <3

  • Awesome! Got my goodies.

    Very easy /simple box. Follow your methodology and take good notes.

    For user:
    Wireshark is useful if your exploits aren't working.

    You should find useful content in github, youtube, exploitdb, and many more.

    For priv-esc:
    Literally one of the most basic priv esc there is. This methodology is often used in high schools and CTFs to demonstrate proof of concepts in a couple seconds. Do not overthink it. If you find yourself taking too long, it's not a big deal. Just go through every item you should be checking and eventually you will find it. Just because it's easy doesn't mean it's the FIRST thing you check. Everyone checks different things in different moments of their priv esc enumeration.

    Fun box.

    "ClickmedotEXE"
    CISSP | OSCP
    arodtube

  • Can someone point me in the right direction? I'm struggling to get a reverse shell going or finding the right exploit

  • edited May 2019

    I have user and can get a proper tty, but it has taken at least a week with all the 503, etc.

    Getting root should be simple, but as I am fairly new to all this simple can be quite complicated as @albertojoser points out.

    A nudge for root would be much appreciated!

    Edit: Finally got it - that was a fun one!

  • Finally! Got that root action and came up on some swaaaaaag..... i gotta thank the awesome dudes on the forums who show love to the script monkeys like myself...

    albertojoser
    lemarkus
    mab
    OkaySec
    Thomasian
    and everyone else who responded .... what a good group!

    fun box!
    i'll be willing to help anyone as well!

  • @Deim0s said:

    I was able to log in as an admin on the M****** last night. In the meantime the box has been reset, so I am restarting the same exploit as yesterday but unable to connect. Am I the only one?

    I'm having the same issue.

    vldkak

  • Is this box still getting lumped?? I reset it and it's still unavailable as soon as it comes back up -_-

  • Rooted very easy box !
    Ping me in case you need help!

  • Finally rooted the box. Even though it was very basic privesc and even with the hints given here I was stuck since I woke up a few minutes ago thinking "omg, I am so stupid". lol

  • Could anyone PM me and give me a hand? I've got web shell and user flag and I'm pretty sure I know what to do to get the root, but I cannot use it due to "no tty" and for some reason I cannot reverse shell back to my local machine. Wireshark shows that the packets are arriving, on the correct ports too, but just no netcat connections.

  • rooted, feel i am like a dumb when i figure it out. :(

  • is there supposed to be fileSystem option under the system tab because it seems to be appearing and disappearing?

  • edited May 2019

    @FlompyDoo said:

    is there supposed to be fileSystem option under the system tab because it seems to be appearing and disappearing?

    This is actually a pretty big hint for the next step for you... there's other people on your server making this happen, wonder how they're doing it?

    Fibbot
    OSCP

  • I've now successfully rooted and bought myself a shirt! Thanks to @1c4re1337, @jkr and @dorseyhacks :)

  • Hi, I'm stuck in getting user. I get the tunnel error with the second exploit and I can't find the way to make it work. If someone could PM me to give me a hint, I would appreciate it. Thanks!

  • @jajajadex said:

    Hi, I'm stuck in getting user. I get the tunnel error with the second exploit and I can't find the way to make it work. If someone could PM me to give me a hint, I would appreciate it. Thanks!

    I came across this error yesterday and the only tip I can give you is unchecking the first options on the M****** C******. (This hint may make sense for you if you read – and understand – what these options are for.)

    After reverse shell, the privilege escalation is as classical as possible. You surely need to understand "permissions" on Linux. Getting the root user of this machine is easy, though. That's all. ;-)

    Show +respect with who helped you out!
    https://www.hackthebox.eu/home/users/profile/61374
