onetwoseven

@ZerkerEOD said:

@PavelKCZ said:

Check if you do not suddenly have two tun interfaces on your Kali. If so, restart your machine, not the server.

I didn’t check to see if I had more than one tun interface but I did reset my machine. I walked away a couple times and came back fresh throughout the day.

Folks, you don’t have to reset or reboot your machine for the tunnel issue. You can just kill your VPN tunnel with “pkill openvpn” and it will remove any openvpn you have established. Every time you connect to hackthebox, a new interface is created starting from tun range 0, and if you establish another VPN, then you have tun1 & tun0, which then makes it hard for the system to find its gateway. So just “pkill openvpn” and re-establish your VPN :slight_smile:

Finally rooted thanks to @siryarbles . Here are some hints that may help:

User: Everything you need is in this forum. In the upload part try to understand how the machine is processing U-Ls, what process first and what next and how htaccess works. Read the code carefully and check ad—s headers from examples.

Root: If you have already found this blog about a-t M–M is the right one. But you will have to do some changes. First, a-p sp—ing is not going to work. Remember network layers… There is a var that a-g uses in some cases. You might have already seen it with s— -l. You don’t need D-S sp—ing either. Just give to the box what it requests. You can use the same thing you found in that var but in your side. After that just read outputs and fix trees.

PM me for hints.

That was awesome, just beware of the trap, I certainly fell into it. Drop me a PM if you want pointers.

I had basic shell but have no luck with root… some hint?

Guys for upload php I get 404 not found, tried many other urls, I even created a custom dictionary and ran it with dirb, but still couldn’t fix it, anyone willing to help?

Rooted. Might be the best box I’ve done to date, learned a lot, thanks @jkr

User: no shell required.

Hardest part of this box for me was getting the first shell. Burned a lot of time trying to get my p****n to upload. Finally the light bulb went off. For those of you who get stuck here with a 404, 200, or even the success message - if you can’t easily find your file, you’re doing something wrong.

Root: What to exploit should be apparent pretty quickly. The obvious exploits won’t work though. There’s a useful article in Google that walks through the steps. It needs to be adapted. The steps are a bit tedious and require some trial and error to get things just right.

feel free to PM for hints.

root@onetwoseven:~/bin# id
uid=0(root) gid=0(root) groups=0(root)

Wow, what a challenge! Phenomenal work @jkr . Super satisfying to do these boxes that don’t rely on some CVE, or on CTF style puzzle, or automation, but just require that you know your stuff (or learn it quick) and figure things out by hand. Tons of fun. I got caught up for an embarrassing amount of time like half a step from root on an incredibly foolish oversight – always consider very deeply exactly what the service/program etc. that you are trying to exploit does. I didn’t and it cost me like 4 hours. PM me for nudges! Also big thanks to @antares341 for giving me the clue I needed to get out of the hole I dug myself into, one of the biggest facepalms in my life when I realized lol.

Finally got user, as of now user for this box was a lot harder than Fortune box. Feel free to PM me for hints.

On to root. Folks, I know what to take advantage of, but it is not working. If anyone is willing to help, it would be much appreciated.

I know exactly what to do, but ettercap and arpspoof both fail because of the tun0 interface, how am I supposed to be blamed for that? @jkr

Been stuck at user for ages. I am confident about the tunnel, but the box just serves me blank pages - no data, only headers!

I suppose that I am on the right path, but am I missing something? Are the blank pages a natural step towards the actual content?

The returned headers do not seem interesting, but maybe I am missing something …

I can get results using DB*er, but the pages are blank, although certain paths show directory listings.

A nudge/hint would be nice!

Edit: Thanks to @jkr I finally got it!

I have this problem that I get a message saying that the file is uploaded. But shouldn’t it be located in the same place as all the other files? I’ve tried several paths, but I don’t seem to be able to find it.

Thanks for the great machine @jkr !

User: ssh is not needed, uploads are not needed. You ONLY need: provided s**p access, basic logic, help commands and the "what if i… " comment in the very beginning of this thread.
Looking at exposed web pages (those you start with) is also helpful.

Root: Creds are available thru s**p. To process the upload, read the source carefully, there is a statement missing at some point. Modified request helps to solve this problem. Look out for examples to run it properly after upload. On final step do not pay attention to errors, go ahead and install it.

Finally rooted! Thank you @jkr for such a great machine. Also thank you @denstr for a nudge.
All I needed for the last step to root was the A** M**M blog, knowledge of how to keep env in sd and Burp.

EDIT: Got it, Wow what a ride! Awesome box @jkr mad respect! I learned so much from this box, thank you!

Finally rooted! That probably was my longest journey on HTB. Thanks to all the guys who helped me, HackTheBox community is the best!
PM if you need a hint :slight_smile:

Hehe, got root. Huge huge thanks to @flipflop139874 for the help.

Noticed some weird stuff, e.g. you should intercept the first request and let the second one go forward without any intervention.
Had to reset the box a couple of times because of the cache.

Prior MITM knowledge is really handy for root on this box.
You have to find alternatives for some stuff explained in online articles.

And thank you @jkr for the box.

As usual, if anyone needs help, PM me.

Got user, well, very interesting, thanks for all the tips. Now on the road to root

Damn it. I’ve tried to upload that file back and forth for a couple of weeks. There was 1 little thing I had not tested… I paid too much attention to what was in the file without thinking about the consequences of running it that way (hence successfully uploaded, without a file…).

Great Box @jkr

A box where you learn a little.

User

Getting the user is quite easy with the comments in this thread. However, the part that confused me was that of the plugin.

Root

The root part was amazing!
Frustrating but in the end exciting, it is only trial and error again and again until it is achieved. MM seems to be a complicated attack at first, but just look at so and save you certain steps in the network part. However, a fundamental part is to investigate and understand the attack.

A very good root track is this:

@antares341 said:
Finally rooted thanks to @siryarbles . Here are some hints that may help:

User: Everything you need is in this forum. In the upload part try to understand how the machine is processing U-Ls, what process first and what next and how htaccess works. Read the code carefully and check ad—s headers from examples.

Root: If you have already found this blog about a-t M–M is the right one. But you will have to do some changes. First, a-p sp—ing is not going to work. Remember network layers… There is a var that a-g uses in some cases. You might have already seen it with s— -l. You don’t need D-S sp—ing either. Just give to the box what it requests. You can use the same thing you found in that var but in your side. After that just read outputs and fix trees.

PM me for hints.