Ghoul

Comments

  • edited June 2019

    I'm at the point where I'm root on first step (easy slide, but beware... things might get "slippery" when wet :D), I found a lot of SSH keys and decrypted the one that was encrypted. (Getting the passphrase was easy as it struck me as odd when I first saw it... that's why I tried that first.)

    Scanned the network with nmap, found one box with well-known-service on it but none of the loot so far worked on that. I also found a script that was part of a Black Hat talk and a quite big file that might have been put through that script. I think I have to decrypt that file but I'm quite stuck there.

    I got it to a point where it spits out some code, and I'm using the only thing I found in a known file that has a matching length to be used as a key. But trying that only gives me garbage as far as I can tell.

    (And no, I can't use Pspy to skip this step like others seemingly have done, because on VIP the chance of encountering this is very low.)

    I guess it would be helpful to get a hint at how to locate the offset of the added garbage (so I can tell if my decryption was successful or I'm looking at random garbage) since I don't have the unmodified original file as reference and don't know how big the ciphertext is and if my guess at the key is right or wrong ... or if this script and file are just a troll to waste time. I also found some more credentials from various places but don't know if they might come in handy later, so I've just written them down.

    /Edit: NVM, found it xD I was blind... now at pivot point 2 :)

  • @darkkilla said:

    I'm at the point where I'm root on first step (easy slide, but beware... things might get "slippery" when wet :D), I found a lot of SSH keys and decrypted the one that was encrypted. (Getting the passphrase was easy as it struck me as odd when I first saw it... that's why I tried that first.)

    Scanned the network with nmap, found one box with well-known-service on it but none of the loot so far worked on that. I also found a script that was part of a Black Hat talk and a quite big file that might have been put through that script. I think I have to decrypt that file but I'm quite stuck there.

    I got it to a point where it spits out some code, and I'm using the only thing I found in a known file that has a matching length to be used as a key. But trying that only gives me garbage as far as I can tell.

    (And no, I can't use Pspy to skip this step like others seemingly have done, because on VIP the chance of encountering this is very low.)

    I guess it would be helpful to get a hint at how to locate the offset of the added garbage (so I can tell if my decryption was successful or I'm looking at random garbage) since I don't have the unmodified original file as reference and don't know how big the ciphertext is and if my guess at the key is right or wrong ... or if this script and file are just a troll to waste time. I also found some more credentials from various places but don't know if they might come in handy later, so I've just written them down.

    /Edit: NVM, found it xD I was blind... now at pivot point 2 :)

    Been stuck for a while and I'm in a similar position where I have the *py file, done my Nmap scan and found a host with a single port open but can't ssh to it?

  • can someone please help me with the escape in the first docker

  • @avi7611 said:

    can someone please help me with the escape in the first docker

    yes

  • edited June 2019

    ok

  • edited June 2019

    I am on the last container got compressed file, got creds too but of no use, what now?
    no clue.

    EDIT: rooted, it was fun and something new for me.

    Thanks @MinatoTW @egre55

    lokendra
    Message me with 1) Your problem description. 2) What you tried so far? 3) Conclusions.
    RESPECT++ IF I HELPED YOU.

  • Hello,

    Friends, some advice: I'm in the second container but I do not know what to look for or where to go. I ran an nmap scan and see no more data; there is a second user n*****_adm. Thank you for any suggestion.

    Greetings

  • Stuck at g*** login page, do I have to log in or is it not necessary? Need a hint plz

  • edited June 2019

    Unable to guess the credentials. Found s*.p. Tried cewl to make a list from the page, any hints on how to move forward?
    Edit: Never mind, someone changed the password

  • Rooted... needed a lot of help because this machine is insane, really...

    User was funny but root was unnecessary... Moving from machine to machine searching, enumerating, again and again.. I don't recommend it because you could get exhausted. IMHO this machine is not 40 points.

    At least I discovered the anime :tongue:

    PM if you are desperate with the box haha

    leonishan

  • Guys, I can't find any upload stuff. Where the heck did you find it? I found creds for the login page but got a troll. Tried to dirbust it with the PHP session cookie and also didn't get any result.
    I also analyzed all the requests with burp from the contact form and the login page. I read all the sources and skimmed through the js but didn't find anything good.

    any hint on how to find the upload form or page?

  • edited June 2019

    What if I told you this is not a 6.7 box, the user was pretty easy but root was excruciating. Bittersweet experience and I learnt quite a lot. Great box @MinatoTW @egre55

    0xskywalker

  • Hey guys, I can't get an initial foothold on this machine. Can anyone PM a tool or a hint because maybe I overlooked or don't know something. Do I have to hydra the login page or 8080? Cause all I get is a troll for 3 different logins on that same page (users).
    I have dirbusted all folders and subfolders. I have wfuzzed all subdomains and get only bad requests (400). I used nikto and I also analyzed all requests with burp.
    Heck, I even cheated. Yes. This morning when I woke up I did another dirbuster with a huge list to see if I have overlooked something and I saw there was a shell uploaded (I guess it's not intended...) so I used it to find that upload page... Nothing!
    Maybe I should not try to go for port 80 first...?

  • That machine was brutal. I loved many aspects and learned a lot, but some twists seemed to be designed by sadists. Still a positive experience overall.

    Thanks @Leonishan and @r4w47 for nudging me away from the abyss. PM if you're stuck.

  • Regarding the last step to get root.txt since I can't find the file and have rooted the gogs machine 172.18.0.2 and I have the aogiri-app.7z. Do I need to do something else still or work with the information on the file? I'm almost there but can't seem to find the last step.

  • Can anyone PM me please regarding the location of the uploaded file?

  • Rooted! ^_^

    Thank you guys @BADBIT, @Phase, @Skid3ow, @Schiehallion for your nudges!
    @MinatoTW and @egre55 that was a great experience. So many new things have been learnt along the way!

  • I've rooted this stupid machine. I very much dislike the way in which I need to figure out some parts. I always said "PM me if you wanna help", but not there. I can help on PM only with user part. That box is too strange and too mixed to describe that.

    If you need help with something, PM me how far you've got already and what you've tried. I won't respond to profile comments. And remember to +respect me if I helped you <3

  • Finished - but only through massive amounts of help from @phase, @badbit and @leonishan.

    Too long, too many trolls, too many random guesses and then a final, you only have 30 seconds to complete this last pivot thing.

    As interesting as some of the exploits were, they could have been split into different challenges.

    This is the movie you skip and wait until it comes out on video.

  • What a ride!! For rooting this machine, one needs to acquire root on four machines. Thanks everyone for providing helpful hints in the forum. Special thanks to @Leonishan @0xskywalker for helping me at various steps

  • could someone please help me with root for ghoul???

    if I don't reply add me on discord :) quad#8286

  • This box seemed unnecessarily complex for root.

    There was way too much stuff to enumerate, way too many users/files/network configs to keep up with for a single box. This almost seemed like a Fortress challenge to me. Honestly, it would have been better in that format where there are several flags scattered around on the different machines with hints in the title of each flag to vaguely hint in the next direction.

    I got the user flag like 2 weeks before getting root on this box. If it wasn't for @pepelu patiently guiding me past the roadblocks, I would have given up long ago.

    Thanks for breaking my brain @MinatoTW and @egre55 !

  • Same here, where is the root.txt file? I have the 3 sets of credentials and I'm at root on the last container where se**.sh is located, but can't seem to figure out the location of the file

  • edited July 2019

    If you are trying to crack the ssh passphrase don't waste your time with rockyou or any other large wordlist - use a custom (maybe cewl'ed) wordlist.

  • @Anyway said:
    > Same here, where is the root.txt file? I have the 3 sets of credentials and I'm at root on the last container where se**.sh is located, but can't seem to figure out the location of the file

    There was a Friends YouTube video. And if you watched it you should know that the sofa went back to the store where he bought it...

  • please stop resetting the machine !!! please

  • edited July 2019

    @bL4ckWoRk said:

    please stop resetting the machine !!! please

    Resets are not needed.
    Whoever is doing this to make the exploit work, just change the repo name inside the python file (there are plenty of comments) and use the --c****up key. It just can't create the same repo, that's why it stops working

  • So I've been busy on this machine, enumerated, enumerated and enumerated some more. All I've got to show for it are some pages, a load of usernames and one pair of credentials for l**in, which seems to be a dead end to me. It's my first post here, and I don't want to spoil too many details, but I'm really hitting a wall here. Is there anyone that could give a push in the right direction? Apparently there's this upload page that everyone's talking about?

  • edited July 2019

    Any hint about escaping **-pc? I found a new web server and a potential username in the to-do, but don't know the password.
    EDIT: If you're struggling with the gogs password - take a step back, and from your first docker enumerate common places where something stores credentials, even if it is not related to anything that you think will help you move on.

  • edited July 2019

    @oztechmuse said:

    Finished - but only through massive amounts of help from @phase, @badbit and @leonishan.

    Too long, too many trolls, too many random guesses and then a final, you only have 30 seconds to complete this last pivot thing.

    As interesting as some of the exploits were, they could have been split into different challenges.

    This is the movie you skip and wait until it comes out on video.

    Your movie analogy is the most accurate description of this box I think I've seen. Went to see it (do it), was kinda pissed I spent "money" (time...) on it, and now wishing I'd just waited for it to come out on video (retire) instead...

    Oh well 🤷‍♂️


    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"
