Writeup


Comments

  • Rooted! Really fun box, learned a lot about load order! Anyone who needs a nudge, feel free to PM ;)


  • I found the exploit to access A**** but it always gives me 'Connection aborted'. Any hints so I can resolve it?

  • edited June 2019

    stuck on hash..........

    solved

  • @harryyee said:

    stuck on hash...........
    I tried to use hashcat 20 to crack 6******7:5***7 by dict but no luck, am I missing anything?
    please pm......

    If you read the exploit you'll see where the salt is being put before the server hashes it with the pw. Either way, you don't need hashcat, at least I didn't.

  • edited June 2019

    @MRwatch0xff said:

    @harryyee said:

    stuck on hash...........
    I tried to use hashcat 20 to crack 6******7:5***7 by dict but no luck, am I missing anything?
    please pm......

    If you read the exploit you'll see where the salt is being put before the server hashes it with the pw. Either way, you don't need hashcat, at least I didn't.

    I'm aware, but still no luck. Any more hints?

    edit: solved, thanks all :)
    hint: cover more

  • mab
    edited June 2019

    Got my 20 points for this fantastic and realistic box. Thanks @jkr for the work <3

    User part is quite easy with the right exploit. There was mentioned a very handy Firefox extension that helped me to enumerate the needed information.

    Root part was extremely tricky for me. I fell in so many rabbit holes. But thanks to the hint from @1NC39T10N I was able to get back on track. His/Her nudge is very handy if you are on a vip box.

    @1NC39T10N said:
    Root is tricky to find if others are not on the box IMO. Use the tool already mentioned
    to monitor processes, but generate traffic to the box while this is running using the VERY
    last step needed to get user. Observe the process, and consider how to leverage.

    A very big shoutout to @Almadjus who helped me when I was completely stuck in the rabbit holes and reminded me to double check the things.

    If I could help you, show some respect: https://www.hackthebox.eu/home/users/profile/98930



  • edited June 2019

    Rooted after way too many hours because I'm spectacularly stupid at times. Thanks @mab for putting up with me.

    Hints that may help

    • User - already well covered in the thread, if you're not sure what exploit to try then maybe "inspect" your source to see what the date says
    • Root - Really take time to understand what the command is doing (in particular what the flag is doing, the man page is extremely helpful for this)
    • Root - There is a difference between ABUSING a command (e.g. running a script on a file you control) and HIJACKING a command (taking control of the script that accesses a file)

    Hugely educational, thanks @jkr - don't think I'll be forgetting what I learned any time soon.

    Happy to help via PMs.

  • User exploit is very beautiful! I got root.txt after somebody echoed it to the /tmp folder. That's a very bad way :disappointed:
    Hints for user:

    • Enumerate by hand NOT by dirbuster.
    • Wappalyzer addon for Firefox will be useful :)
    • Try searchsploit and not use "OWASP TOP 10 (2017) A1" exploit not RCE

    PM me if you have any question for user :)

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • the page you need to exploit has been down for hours lmao !!! am I the only one with this problem ughhhh

  • Just rooted. Took a while and went down 2 rabbit holes but found a way out.

    Some tips:
    Monitor/snoop processes and perform standard enumerations
    Sort by which processes are running as root
    What commandlines are they using? When do they occur? Are they called with absolute or relative paths?
    What permissions do you have to the paths which you discovered?
    How can you manipulate it to do what you want?

    This should get you on your way :)

    d4rkm0de
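A defender's view of the checks listed in the comment above, as an added example that is not part of the thread: it audits a PATH-style search path for entries that are relative, missing, owned by an untrusted account, or writable by group or others. The function name `audit_path` and the `trusted_uids` parameter are assumptions made for this example.

```python
import os
import stat

def audit_path(path_value, trusted_uids=(0,)):
    """Return (position, entry, problem) findings for a PATH-style string.

    Position is the search order: a risky entry that comes before the
    directory holding the real binary wins the lookup for a bare name.
    """
    findings = []
    for pos, entry in enumerate(path_value.split(os.pathsep)):
        if entry in ("", "."):
            findings.append((pos, entry or "<empty>", "resolves to the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((pos, entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((pos, entry, "missing directory"))
            continue
        except OSError as exc:
            findings.append((pos, entry, f"cannot stat: {exc.strerror}"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((pos, entry, "not a directory"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((pos, entry, f"owned by untrusted uid {st.st_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((pos, entry, "group- or world-writable"))
    return findings

if __name__ == "__main__":
    # Audit the PATH of the current environment; run it as the service
    # account (or root) whose scheduled jobs and login hooks you review.
    for pos, entry, problem in audit_path(os.environ.get("PATH", "")):
        print(f"[{pos}] {entry}: {problem}")
```

Any finding on the search path of a privileged account is a reason to call commands by absolute path in scripts that account runs, and to tighten the directory's ownership and mode.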

  • @thecisco said:

    the page you need to exploit has been down for hours lmao !!! am I the only one with this problem ughhhh

    You know that you can reset the machine if it's not working correctly, right?

  • got user ..
    Moving to root
  • edited June 2019

    I've been working on this box for quite a while now and I don't know if it's just my lack of knowledge or if I'm just overlooking things. I've found the other directory but it's just a bunch of writeups for different boxes. If someone could point me in the right direction I'd love you forever.

    I think I found creds but now I need some assistance with cracking the salted hash.

    If I don't reply, add me on Discord :) quad#8286

  • Fun box. Very realistic! Went down a rabbit hole on root. Was on the right track, like many others I bet, but was focusing on the wrong "stuff to look at". Thanks to @Mab and @Meeryr :)

    PM for hints :)


  • That was a really enjoyable root priv-esc. Good work to the Author

  • edited June 2019

    Not sure what I'm missing. I've gotten the password/salt and successfully decrypted it. Password makes sense, so I'm fairly certain I didn't screw that part up. When I try to login to though, it doesn't work. Anyone that's gotten user have a moment to give me a prod?

    Got user, needed to restart the box....

    On to root

  • Thanks @mab for the help and @jkr for the box. Had fun on both user and root.

    Glad I didn't give up on root, extremely satisfying and learned a ton.


  • Thx a lot @jkr for the machine!
    I learned new things with this machine...

  • That was an excellent machine.

    Getting user was beautiful, and the first time I have used that particular type of flaw.
    Root was fairly time consuming, as the particular instance I was on was very quiet. It's much easier to spot if you're in a busy server.

    Great work, @jkr .

  • I think I found creds but I'm not too sure. If anyone could help with cracking the salted hash it would be very much appreciated.

    If I don't reply, add me on Discord :) quad#8286

  • Just Rooted! Big thnx to @albertojoser for his amazing help and explanation! :D

  • Just rooted :smile: Feel free to PM if you are stuck to give you a nudge

    amra13579l

  • Rooted!

    Thanks @env @Almadjus

    User: Try to find a common file in webservers, usually associated with privacy / security of the site. After that, if you did not find the exploit that was quoted by other people, it's wise to check if your exploit search program is up to date.

    Root: Monitor processes closely while generating traffic to the machine (if you are a VIP). Pay attention to the action that is triggered by this traffic.

    If you need help, feel free to PM me. :bleep_bloop:

    Arrexel

  • Finally got root, a big thanks to @godzkid. I got root in the easiest way. If anybody needs help, feel free to PM me.

    Bug Bounty Hunter | SysAdmin | Cloud Architect

  • edited June 2019

    user owned, onto root!

  • @mab said:

    Got my 20 points for this fantastic and realistic box. Thanks @jkr for the work <3

    User part is quite easy with the right exploit. There was mentioned a very handy Firefox extension that helped me to enumerate the needed information.

    Root part was extremely tricky for me. I fell in so many rabbit holes. But thanks to the hint from @1NC39T10N I was able to get back on track. His/Her nudge is very handy if you are on a vip box.

    @1NC39T10N said:
    Root is tricky to find if others are not on the box IMO. Use the tool already mentioned
    to monitor processes, but generate traffic to the box while this is running using the VERY
    last step needed to get user. Observe the process, and consider how to leverage.

    A very big shoutout to @Almadjus who helped me when I was completely stuck in the rabbit holes and reminded me to double check the things.

    Many thanks Mab for your support!
    Is there another way for rooting other than the one described here? I found it CTF-like, how the first one linked the monitoring processes and the trigger!

  • Awesome root. Very sneaky.

    OSCP

  • Finally rooted! Sneaky logic! But when it strikes you, it's a eureka moment! Thanks to @0xskywalker @b0ne. Ping me if you need a hint!

    writeup_root

  • edited June 2019

    found the username and password r********9 and still no login to a****
    any hints?

  • Thanks @jkr what a great box. Thanks to @albertojoser for the nudge

    OSCP | CISSP | CEH | CCNA
