Ellingson

@tiger5tyle said:

I’m stuck after getting a shell as h**. Any hints?

When I got stuck and desperate, I found @Zot’s advice of #yolo-copying directories until you notice something stand out helped.

Nice machine! Learned a lot!

Need a bit of help with the passphrase for the i*_R** keys… Should I be bruteforcing that locally or am I on the wrong path to user?

Edit: Thank you @BADBIT for putting me on the right path. Just got ssh and have already learned so much from this box.

Hey, so I have access as the H** user and was able to find and decrypt the file, but the result is not getting me anywhere. Anyone mind PM’ing me a pointer on this?

Edit: Thanks for the pointers, was just impatient.

Finally finished this, but not without help. Really cool theme, I urge everyone to watch the movie, if there still are people who missed it (won’t help with the challenge though).

USER HINT1: once you know how to execute code reset the machine before digging further, as apparently something breaks the level (periodically?).
USER HINT2: once you have something to break, don’t be afraid to give it more time and wait for more results. In my case I needed a bigger input file than usual.
ROOT HINT1: the CampCTF video posted earlier is of GREAT help.
ROOT HINT2: if you are struggling (e.g. EOF while interactive), a good idea may be to locally spin a close copy of the operating system that is used on the challenge machine, remembering to set the permission bits on binaries the same way as they are on the challenge machine. Look for similar exploits for that OS and what they are doing, you may be missing a piece.

PMs welcome.

Finally solved!!! This machine was amazing, I’ve learned a lot, especially in the second part :slight_smile:
Thanks to everyone who helped me, especially @m4xp0wer @htejeda and @opt1kz

Here are my hints:
User: enumerate the site very well until you find something very, very juicy.
With that you can do a lot of things, including getting access to the machine.
Then it’s just Linux enumeration that will help you find another file, very interesting and precious.

Root: enumerate very well and you’ll find something strange (it’s pretty obvious).
I received a lot of help because it was my first time with something like this. Go back in the discussion and you will find the video of your life, that will road you to the light!

PM me if you need help :slight_smile:

After HOURS of banging my head trying to get user I found what I was looking for. I overlooked the file MANY times because somebody changed the permissions for the file… Had to reset the machine to get the permissions back where they belong.

Thanks @Razzty for all the help!

I found the pass for th******* user but I can’t authenticate… am I missing something?

@amra13579 said:

I found the pass for th******* user but I can’t authenticate… am I missing something?

Same.

Edit: Got it. I’m going to quote @psie.
“once you have something to break, don’t be afraid to give it more time and wait for more results. In my case I needed a bigger input file than usual.”

Stuck with the ROP part for root. Anyone willing to share a few tips? I’m relatively new to exploit dev and keep getting “Got EOF while reading in interactive” on my local machine.
Otherwise, it’s a lot of fun!

I’m stuck trying to get stage 2 to execute. My code just hangs when it gets to stage 2.

@Phase said:

After HOURS of banging my head trying to get user I found what I was looking for. I overlooked the file MANY times because somebody changed the permissions for the file… Had to reset the machine to get the permissions back where they belong.

Thanks @Razzty for all the help!

I’m pretty sure it’s not a malicious attacker, it’s just a slight oversight in the box’s design. If someone from HTB with the ability to fix boxes wants to PM me, it’s easy to fix.

Until then, if you’ve got a full shell but can’t find your way past h**, check the box’s uptime. If it’s over 6 hours I would reset it.

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

@N1dhu9 said:

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

Think about what YOU can supply the server so you can connect…

I’ve downloaded an _* from the t******** but I’m not getting anywhere with the passphrase, even with the info on the articles. Is this a rabbit-hole?

Edit: Yup, rabbit-hole. Getting tunnel vision and missing the obvious. Thanks @Razzty for the nudge.

@N1dhu9 said:

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

Feel free to send me a message with your questions

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

@pytera said:

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

Try to focus on reading and writing files.

@pytera use python to get initial shell

Still get quite a few DMs with individuals missing the second one… so… from the box page

We have recently detected suspicious activity on the network. Please make sure you change your password regularly and read my carefully prepared memo on the most commonly used passwords. Now as I so meticulously pointed out the most common passwords are. Love, Secret, ■■■ and God -The Plague

So, knowing that those are the most common passwords, how can you shorten your wordlist to speed things up?