Unattended

Hi everyone, I’m currently struggling quite a bit with root. I did the usual enumeration and looked around further than that, but I couldn’t find anything noteworthy yet. Could someone help me out with a nudge in the right direction? I have no idea what to continue to look for.

Edit: Finally got it. After help from @TheJ0k3r and @legendsoftware (although a step too late :D) I was able once again learn a lot and solve it.

Instead of leaving my own hint or something like that I’ll just put in one place and order what is already in this thread. I hope this isn’t too much of a spoiler, if so please remove it.
If you need help feel free to pm me, obviously for user as well as root.

@lolwut said: […]
privesc: […]

@Malone5923 said:
they got hacked recently.
After getting root I still have no idea how that comes into play.

@R4J
root:
try something u must have already noticed before the user
I don’t think everyone is going to realize this before user.

Someone in this thread once said:

root is too unusual (even if not that hard to identify)
It initially brought me on the right track but I made a mistake.

Something that I should have paid more attention to is:

Pay particular attention to details, […]. Once you got the first hint, do not hesitate to deep dive, and leave no stone unturned.
I didn’t go deep enough.

Type your comment> @Ryan412 said:

I’m going to be honest.

This is NOT an intermediate level box. This is at least HARD and I would even lean towards insane. I have no idea why this is a 30 points box and rates as intermediate. I really think HTB should see people’s ranking of this box (7.6 at the moment).

The user was CRAZY but fun.

The root was hard :slight_smile:

The box was VERY nice, I loved it, although I haven’t really got in with the intended method, which may be even harder lol.

Fully agree. Crazy but nice box.
It is important for me that it encourages to learn about useful trick that I hope will help in future investigations.

Hey guys, I’m pulling my hair out when it comes to user, I have no clue if its even possible to gain RCE through s** due to the grants so any nudges in the right direction are much appreciated!

feeling stupid… still looking for the websites… I don’t see anything via dirb/nikto/wfuzz for days… maybe I should become a gardener… Someone said a first clue is visible within nikto results :frowning:

jesus I know as soon as I post this I’ll find a hint myself…

In my opinion it should be 50. Somehow both user and root got me confused. I knew what I was looking at, but wasn’t able to exploit it, as apparently my tests didn’t run deep enough. What’s with that mail though? Hard is good, but in the end my feelings are mixed.

Hint if you are stuck on root (that is more general than just for this machine): mtime.

Hi guys, I have a shell as w**-*, but am struggling to privesc. Any hints would be appreciated!

Yeah if anyone feels like helping me out a bit with Unattended then let me know :slight_smile: me and a friend are a bit stuck on what approach to take after finding the initial vulnerability!

We found the S*** vulnerability, and have a few ideas.

I’m learning a TON though :).

Hi guys, Ive been stucked already for about a week in escalating from w**-d*** to presumably g***. I’m really on a desperation and need a help. Thanks!

Edit: managed to solve this, thanks for the help. +respect to those who reached out.

Type your comment> @rocux said:

Hi guys, Ive been stucked already for about a week in escalating from w**-d*** to presumably g***. I’m really on a desperation and need a help. Thanks!

Go through the database and carefully analyze it. There’s only one table you need. Keep in mind that in most cases what seems useless may also be the only way to go. Don’t stop thinking about things that confuse you until you know that what you’re doing is not going to lead you anywhere. Always try harder and listen to yourself. When you want to leave something that confuse you, try asking yourself - “am I really sure that it’s useless?”

Well any who could help me for approaching root, I think I have looked for every thing.
Don’t know what I’m missing
Pm me please

Beautiful machine, but it is very hard, not a medium level IMHO. I am going to give some hints, I hope there are not spoilers:

  • User : Dumping is not the solution, you should understand which parameter the application is using and how the response is back using this parameter. Maybe you can manipulate the payload to achieve something else. After that, try to get some reverse shell looking for reflections in the response.
    Once you get a reverse shell, try to play with what you have played before. There is something that is refreshing if you do some updates… suspicious :wink:

  • Root : Try to enumerate what privileges has this user, there is one that is not common that will give u a hint. It is not easy because is very sysadmin related.

Anyways, PM if you are stuck :slight_smile:

Congrats @guly, I have really learned some new things :blush:

Hi,

I’ve dumped the trash and found something useful information. But stuck after that phase. Can someone give me a hint in PM? Thanks :slight_smile:

This has got to be the box that has given me the most trouble so far. Took me about 2 weeks of working on and off to figure out the doctor’s visit (thanks much to @Leonishan ) and I’m stuck just a few steps ahead of that. Could someone PM me with some advice? I have a few questions. Thanks in advance!

a lot of caffeine was wasted during the user part : p wonder what about root now

any help? I stuck on L**

I already get some interesting info with sq**, but unable to move on…hints please

rooted thanks to some tips from a patient @dr0ctag0n!

PM if you need a nudge. I barely made it through the box, but I’ll try and help out where I can.

This machine made me bleeding for gaining user shell. Still try hard for root user :smiley:

Rooted the box …!!! Its insane …