Just got root, this was my first box and I've spent about 20 hours on it.
It was way harder than I anticipated at first. Learned a lot of new stuff, hope I'm more prepared for new challenges now since I was not really prepared for the "puzzle" part of this one.
If you don't give up on this box you will eventually get it, this thread has a lot of info to tie it all together. GL!
@wish said:
@Nick said:
@wish said:
I have found some B**k details and some q****s... is this the right path... how to use this info...
I have the same question as you, any hints? Thanks
nothing yet...
Finally got user...
I have no idea what to do once I get access to the initial user. How do I do a privesc to the k* user?
I just need a nudge to go from s* to k*. I looked at the R*M file, I ran the script, nothing.
@wish said:
@wish said:
@Nick said:
@wish said:
I have found some B**k details and some q****s... is this the right path... how to use this info...
I have the same question as you, any hints? Thanks
nothing yet...
Finally got user...
Great job!!
I'm still stuck here, any hint for me? Thanks a lot
Hello guys
Just started haystack.
Could you tell me if the needle.img is connected with steganography? Do I need to use steganography tools to obtain some information from this picture?
Edit: Ok, I found it
Hint: use e.g. Burp, guys!
I found the p...: s******.i*.k** but it doesn't seem to work anywhere, I've tried some default users front door, didn't seem to work, is it a rabbit hole or am I overthinking it? Hint pls x)
EDIT: Okay, that was stupid of me, when you find the p... don't be excited and forget to see what else is there
Thanks @penturmeade for the hint: "if you found the password, the user is very close by"
Eventually got the machine's root. It was a headache but very interesting. Learnt quite a few things along the way.
I'm having trouble performing privesc from the user account. I'm trying to run a js file uploaded to the machine using the LFI vuln. The response I get back from sending the GET request with curl is a 400 Bad Request: apis parameter is required. My query however does include an apis value. Did anyone else experience this?
I managed to get a shell once but right now the same command is doing nothing.
Can anyone give me a tip please?
Trying to get root and I get 404 when trying to curl my exploit... does it have to be in a certain path?
@vGsec; You are missing something probably. DM if you want me to check your payload.
@vGsec said:
@fasetto said:
@Xtrato Use quotes. curl "url-here"
I managed to get a shell once but right now the same command is doing nothing.
Try renaming it. Things only seem to work one time
@KeyboardCaper said:
I managed to get a shell once but right now the same command is doing nothing.
Try renaming it. Things only seem to work one time
Hey would you mind DMing me, I'm super stuck trying to get the LFI to execute... just getting 404 or some error about a parameter...
@aj8417 said:
@mofa28 said:
User is awful. Root is nice
I'm finding the exact opposite.
Same, user was pretty easy. Root. Spent 2 days banging head against wall trying to get LFI to work...
stuck on the ka user. I know I am supposed to do something with l**h, just not sure how or what to do. Any nudge would be awesome
Is there any exploit to become k****a user... I found one exploit which is RCE which is not working...
Those who are stuck at going banana, you need to look at a certain config file and see why the *F* exploit you are using is not working (it can only be run from a certain place, you already have the tool on the machine to do it)