Writeup


Comments

  • I can see that under pspy, it runs a script called 1*-u**me. But both file and path are owned by root, which doesn't let me edit or create other files. Am I in a rabbit hole or no?

  • WOW I am an idiot. I won't lie it's taken me days to get root on this box because I was looking in so many different places. When I finally worked out what to do I tried all manner of different methods but none would persist or give me what I needed!

    Hint for ROOT: Once you work out what you need to do and where, the simplest, most basic scripts are often the most elegant.

  • Can some pro hold this noob's hand over direct message? Pretty sure I am close to root - just can't manage.

    NotSmartEnuf

  • @Tugzen said:

    Hi guys, I can't find anything specific when I monitor via pspy. Just cron runs and that's it. What am I missing? Any nudge please.

    Try to wait a few moments while it runs and then connect to SSH again with a terminal session and then examine what pops up in pspy

    v1ew-s0urce.flv
  • elcapitan17> @xdaem00n said:

    @Tugzen said:

    Hi guys, I can't find anything specific when I monitor via pspy. Just cron runs and that's it. What am I missing? Any nudge please.

    Try to wait a few moments while it runs and then connect to SSH again with a terminal session and then examine what pops up in pspy

    Thanks

  • Would be very appreciated if someone could give me a hint about the output from pspy. Everything I've tried so far I can't touch without root. (: Msg me

  • Privesc is killing me! I've used the tool mentioned in here to view root processes.. used the specific service to generate processes for that tool... I've looked into each command picked up by the tool to see if I can alter anything... I've altered PATH hoping to affect one of the commands that are not using an absolute path... I'm pretty defeated at this point... someone please help.. I've been stuck on this for days

  • Fun box, learned a lot!

    Thanks everyone for the hints on here, really helped me along.

    Root was a bit of a pain even after I saw what I was overlooking, but not too bad.

    Salsa
    OSCP | GCIH | SEC+

  • Rooted thanks to @BINtendo

    Hint for root:
    TSp0KiAKd2hhdCBjYW4geW91IHJlYWQKV2hhdCBjYW4geW91IHdyaXRlIApEaXJlY3QgcGF0aD8KSW4qZSp0IGEqYXkgeFA

  • @thePtrPn said:

    Rooted thanks to @BINtendo

    Hint for root:
    TSp0KiAKd2hhdCBjYW4geW91IHJlYWQKV2hhdCBjYW4geW91IHdyaXRlIApEaXJlY3QgcGF0aD8KSW4qZSp0IGEqYXkgeFA

    Thanks for the advice, will try to use it :smiley:

    S1ph1lys

    We are the things that were and shall be again

  • I believe this is the only sploit that has TIME. I played on it, used the magic number I got when nmapping, but it goes superfast and got refused. Inserted some sleeps to throttle down but it did not help me. Can someone DM me, or can someone offer that I can DM them?

    happy to say im a newb

  • Guys, I'm stuck with the user flag! I know that I have to enum/spider the host but unfortunately I can't use dirb, as we know, so I tried with Burp, but Burp Suite 2.x's spider seems to not work anymore :( Any tip?

  • The first step is guessing a directory, the box name hints this as does some of the text on the index page. From here you should be able to make some progress (again without dirb).

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • edited July 2019

    @DAAAALY said:

    The first step is guessing a directory, the box name hints this as does some of the text on the index page. From here you should be able to make some progress (again without dirb).

    Oh wait, yes, I found that directory! What's next? :( Should I work with the request?

  • Guys, I am stuck at root part. I have done my enumeration with pspy but no luck. Tried to change path but no luck. Kindly help me for root. Please PM me


    If you appreciate my help, please give +1 respect https://www.hackthebox.eu/home/users/profile/22274

  • Managed to get the cred. Now using h...t, will I be able to obtain the required cred using a Kali VirtualBox? I'm not sure because it says 100% but it loops... :confused:

    happy to say im a newb

  • edited July 2019

    @83114C140 said:

    @DAAAALY said:

    The first step is guessing a directory, the box name hints this as does some of the text on the index page. From here you should be able to make some progress (again without dirb).

    Oh wait, yes, I found that directory! What's next? :( Should I work with the request?

    It says it's not made with VI, maybe it's using something to manage the pages... dig around.

    da1y

    OSWE | OSCP | eCPPTv2

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • Hey guys,
    Stuck on root for 3 days. I believe I am so close to getting it, but I'm missing something.
    Ran pspy and noticed the odds, the permissions, but stuck with manipulating things.

    I appreciate a nudge here.

  • Hey guys, I'm also stuck on privilege escalation. I got the user flag, found write permissions on some interesting directories, I tried to take advantage of it but failed to change the path of f*******-s*****

    I appreciate some help

  • Same here, stuck on root, see the processes but can't manipulate anything.. as far as I know. Anyone with a hint would really be helpful, this is only my 3rd box and still learning along the way.

    Hack The Box

  • Finally got root! Thanks to @DAAAALY's helpful nudge

  • edited July 2019
    salt: 5.......7
    mpass: 6.......7

    is this correct?

    pwned user. now onto root. :sweat_smile:

    happy to say im a newb

  • Got the salt and pass, unsure how to proceed with these? Trying to brute force with hashcat but looks like it's going to take a while... I'm assuming there has to be a better way? Please DM if you can offer a hint.

    Please send respect if I helped you out
    Discord: east_west#9811

  • @east said:
    > Got the salt and pass, unsure how to proceed with these? Trying to brute force with hashcat but looks like it's going to take a while... I'm assuming there has to be a better way? Please DM if you can offer a hint.

    You are correct to use that tool. What will matter next is the attack and hash you will use. Don't forget the "stone" 'cause the pass is there

    happy to say im a newb

  • @govsec said:

    You are correct to use that tool. What will matter next is the attack and hash you will use. Don't forget the "stone" 'cause the pass is there

    Thanks, I ended up doing it with the exploit itself and the queen song wordlist.

    Now stuck on root. See the processes with pspy but don't know what to do with them.

    Please send respect if I helped you out
    Discord: east_west#9811

  • Finally got root! Very nice machine, especially for beginners like me. I learned so many things. Thank you to @squeakyzeeky and @Salsa for nudging me when I lost my way. And thank you to @jkr for creating this machine.

  • I enjoyed this one a lot. Getting user was pretty straightforward; getting root was a lot of fun!

  • edited July 2019

    @dividebyzer0 said:

    Tell you what... if you can decrypt this, you'll know what you need to do to root this box.

    Ubj nobhg lbh chg va gur rssbeg naq QB VG LBHEFRYS lbh ynml cvrpr bs fuvg?

    Once you decrypt it you will immediately do the rest :smiley:

  • Got Root!
    Thanks @jkr for this machine. :smile:

    PM for nudges if you are stuck...

  • PM me any nudges; I'm having issues with permissions and trying to get root
