Haystack

User is an easy one. Google Translate is your friend.

Halted on user, any nudge?

@Lucifer6998 said:
Halted on user, any nudge?

Find the needle and everything will be clear

ROOTED ;)
I’ve found this box quite unstable. Not that easy, not that hard.
Learnt things about ELK. There is a total ZOO on eu-free, resets every 3 mins.
Thanks to @JoyDragon

This box is fun and frustrating at the same time.
User: the higher service works as a DB and may contain something useful. Important things do not require too many words.

root: this is a two-step process. You need to become someone else before you are able to get the highest privs. Maybe something else. Check procs and owners.
To get root, stay simple. Check what you can do, what you can read and how to bypass that filter. There is a giant rabbit hole; if something does not work, it will not work even if you wait.
One last thing, it needs to be triggered.

Rooted. Frustrating box but I enjoyed the privilege escalation. PM if you need a nudge.

Hello Guys,
User: Was really fun.
Right now I’m really stuck on rooting this machine. Can I have a hint, please, to move forward?
Thanks a lot.

For people who need help with User, PM me 🙂

@f3v3r said:

@Pa1m0n said:

Is there something in the image that I’m missing?

Yes

Sweet! Now could you tell me what it is? lol, or just a nudge, because I’m stuck.

The user part is about knowing how to use el*********ch; it is like a database engine and, as with all machines, it happens that I do not know this type of technology in depth, which forces us to investigate how to show the whole haystack, and looking at the records will get you the needle.

The root part seemed more difficult because I spent a whole day looking at a file that was not the one; people speak of three files, but it is very likely that you confuse them with others.

The root part requires seeing these 3 files that are in a folder and looking at their contents; when reading the l******h documentation, I saw that there is an online debugger to check the pattern and be sure of what you are doing.

And finally it is required to trigger the event; this I learned from a Q&A forum.

@Pa1m0n said:

Is there something in the image that I’m missing?

Yes

EDIT: Got user! It’s a WTF method! Thanks for the hint on reddit 🙂

You would have never figured out that the higher port works as a database; you figure this out by reading the posts in this thread. Now a simple question: everything you can get doing basic recon on the box (running dirb, for example) will only give you unavailable “directories” and a couple of available ones, and when you try to access them, you see nothing. There would be no problem if it were not an nginx server but some Node.js. And again folks post “that helped me so much”-like comments thinking it is helpful, but I would say it is more confusing. So yeah, I would probably never have figured out that the higher port works as a database unless some of you had posted this, because there is literally not a single pointer to this, and it contains literally useless garbage, not giving me any idea of how to extract data.

Some guys find this box frustrating, and the main problem is that it’s rated as a simple box and requires hard work. You were probably expecting that you would own the box in 30 minutes after its release or so, but no, there you go.

I am sorry if you guys find this post a toxic one. But that’s exactly what happens in my mind right now. It’s not a tragedy, but I can’t find a foothold to get user at least.

@Tilia said:

You would have never figured out that the higher port works as a database; you figure this out by reading the posts in this thread. […]

When you get the user you realize it’s easier than you ever thought.
Just squeeze all the info you can get from the needle. Do not overthink as I did.

@luixtao said:

When you get the user you realize it’s easier than you ever thought.
Just squeeze all the info you can get from the needle. Do not overthink as I did.

Maybe it does look easy, but there is a lot of data that you get after executing _s****** on the higher port; it looks more like riddle solving, or I’m just on the wrong path…

@el3ctr0 said:

Maybe it does look easy, but there is a lot of data that you get after executing _s****** on the higher port; it looks more like riddle solving, or I’m just on the wrong path…

Yeah, it is! I mean, I don’t think this pretends to be a “real world” example of how to pentest, cuz nobody saves credentials that way.

@luixtao said:

@Tilia said:

You would have never figured out that the higher port works as a database; you figure this out by reading the posts in this thread. […]

When you get the user you realize it’s easier than you ever thought.
Just squeeze all the info you can get from the needle. Do not overthink as I did.

I don’t know how I can extract something seeing only a couple of JSON lines: provided name and UUIDs.

You know, there is one problem I can’t handle: it’s a type of database I haven’t had experience with before. I do not know whether it requires credentials to extract data; I don’t know how to extract it in general, because right now I can only see a couple of JSON lines with useless numbers and base64-like hashes.

There are too many questions. You decide to find answers for one of the questions; it takes a long time, and this waste of time may seem useless in the end.

@deviate said:

@Ramphy said:

But how? I did everything I could but I did not achieve anything, I need a clue.
I have read many books about different types of things to do when it comes to pentesting, but they are very different situations than what I find here.

Yeah, for this one you need to find some books on how to play hide and go seek.


@Tilia said:

@luixtao said:

@Tilia said:

You would have never figured out that the higher port works as a database; you figure this out by reading the posts in this thread. […]

When you get the user you realize it’s easier than you ever thought. […]

I don’t know how I can extract something seeing only a couple of JSON lines: provided name and UUIDs. […]

There are too many questions. You decide to find answers for one of the questions; it takes a long time, and this waste of time may seem useless in the end.

Got it.

@Tilia said:

There are too many questions. You decide to find answers for one of the questions; it takes a long time, and this waste of time may seem useless in the end.

I disagree 100% with your argument; there’s no useless time in hackthebox. I’ve never worked with elasticsearch before, and even if I never got the user, I’ve spent some hours learning about this technology and travelling around that DB through URIs. OK, everybody wants the hash, but the thing I really love is learning in the process.

Follow the hints already mentioned: the image isn’t worthless

@Tilia said:

Got it.

You rock, bro! (or sis!)