Ellingson

I’m stuck trying to get stage 2 to execute. My code just hangs when it gets to stage 2.

@Phase said:

After HOURS of banging my head trying to get user I found what I was looking for. I overlooked the file MANY times because somebody changed the permissions for the file… Had to reset the machine to get the permissions back where they belong.

Thanks @Razzty for all the help!

I’m pretty sure it’s not a malicious attacker, it’s just a slight oversight in the box’s design. If someone from HTB with the ability to fix boxes wants to PM me, it’s easy to fix.

Until then, if you’ve got a full shell but can’t find your way past h**, check the box’s uptime. If it’s over 6 hours I would reset it.

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

@N1dhu9 said:

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

Think about what YOU can supply the server so you can connect…

I’ve downloaded an _* from the t******** but I’m not getting anywhere with the passphrase, even with the info on the articles. Is this a rabbit-hole?

Edit: Yup, rabbit-hole. Getting tunnel vision and missing the obvious thanks @Razzty for the nudge.

@N1dhu9 said:

@globule655 said:

@tiger5tyle said:

@globule655 said:

you’re almost there but I think you’re having it backwards. It’s more a game of what the server needs from you to log in without a password than the other way around

How so? I’m giving it the i*_r** key. Am I missing something else?

There’s a specific file you can write into that will help you more than providing the server with its own private key

I am losing myself at this point. I thought I had this figured out, but it just won’t work.

Please PM me with assistance - I doubt it can be discussed here without spoilers …

Cheers

Feel free to send me a message with your questions

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

@pytera said:

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

Try to focus on reading and writing files.

@pytera use python to get initial shell

Still get quite a few DM’s with individuals missing the second one… so… from the box page

We have recently detected suspicious activity on the network. Please make sure you change your password regularly and read my carefully prepared memo on the most commonly used passwords. Now, as I so meticulously pointed out, the most common passwords are: Love, Secret, ■■■ and God. -The Plague

So, knowing that those are the most common passwords, how can you shorten your wordlist to speed things up?
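The memo above names the roots most of the weak passwords are built on, and the usual way to act on that is a filter over a candidate list rather than a hand-built one. This is an added example (not code from any poster in this thread) of such a filter in Python: it lower-cases each candidate, folds common leet substitutions back to letters, and keeps only entries that contain one of the roots quoted on the box page (Love, Secret, God; the third word is redacted on the page, so it is left out). The same predicate serves a defender as a policy check that rejects new passwords derived from those roots. The sample wordlist is constructed for the example.

```python
"""
Narrow a candidate list to entries derived from the memo's roots.

Added example for this thread, not code from any poster. The memo names
Love, Secret and God; the redacted word is omitted. contains_memo_root()
doubles as a password-policy check that rejects passwords built on them.
"""

# Roots quoted in the box description (the redacted one is left out).
MEMO_ROOTS = ("love", "secret", "god")

# Common leet substitutions folded back to letters so "L0v3r" still matches.
_LEET = str.maketrans("013457@$!", "oleastasi")


def normalize(candidate: str) -> str:
    """Lower-case and undo simple leet-speak so root matching is robust."""
    return candidate.strip().lower().translate(_LEET)


def contains_memo_root(candidate: str) -> bool:
    """True if the candidate is built on one of the memo's roots."""
    norm = normalize(candidate)
    return any(root in norm for root in MEMO_ROOTS)


def filter_wordlist(lines):
    """Keep candidates derived from the memo roots; preserve order, drop repeats."""
    seen = set()
    kept = []
    for line in lines:
        word = line.rstrip("\n")
        if not word or word in seen:
            continue
        if contains_memo_root(word):
            seen.add(word)
            kept.append(word)
    return kept


# Constructed sample standing in for a large generic wordlist file.
SAMPLE_WORDLIST = [
    "password", "iloveyou", "L0v3r", "godzilla", "secret123",
    "qwerty", "dragon", "Secret!", "lovely", "123456", "iloveyou",
]

if __name__ == "__main__":
    # With a real list: filter_wordlist(open("wordlist.txt", encoding="latin-1"))
    for w in filter_wordlist(SAMPLE_WORDLIST):
        print(w)
```

Eleven constructed candidates shrink to six; on a real multi-million-line list the reduction is the speed-up the post is asking about, and the leet folding is what keeps variants like `L0v3r` from slipping past either the filter or the policy check.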

Stuck with Got EOF while reading in interactive…

If anyone has any advice to put me on the right path I’d really appreciate it.

I have an idea of what I need to do just not too sure how to code it.

@Phase said:

Stuck with Got EOF while reading in interactive…

If anyone has any advice to put me on the right path I’d really appreciate it.

I have an idea of what I need to do just not too sure how to code it.

I am stuck on this part in the first stage of the exploit too.
Anyone willing to help?

@ShayNay said:

@pytera use python to get initial shell

Tried a few things…like running a nc shell from

@pytera said:

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

I got an initial shell…DM if anybody needs a nudge.

I’m creating a custom wordlist to crack some hashes, anyone know a good mutator? I’ve tried rsmangler but it always crashes when I try the --full-leet option.

@mogyub said:

I’m creating a custom wordlist to crack some hashes, anyone know a good mutator? I’ve tried rsmangler but it always crashes when I try the --full-leet option.

It’s not necessary. Try one of the ones that come with kali.

Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!

@neversploit said:

Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!

I found myself stuck here too. Talking with other members, I was made aware of other tools than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what’s going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it’s run it should show you the values you’re looking for. I couldn’t get the automatic way to work, so I just got the values from it and did it the manual way.

Still having EOF errors but I’m almost there.

@Phase said:

I found myself stuck here too. Talking with other members, I was made aware of other tools than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what’s going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it’s run it should show you the values you’re looking for. I couldn’t get the automatic way to work, so I just got the values from it and did it the manual way.

Still having EOF errors but I’m almost there.

Thanks, I’ll check it out!

Have an exploit for g******, just need to figure out how to execute it on the remote machine :confused:

Got EOF while sending/reading in interactive
on the second stage.
Could anyone help?