Craft

This is one of the few boxes that I will comment on. Pretty sweet ride. Took me more hours to complete than I am willing to admit. This is not a typical CTF-like box. Think more like a real-life scenario, with real developers, maybe making mistakes and whatnot.

I went down a really deep rabbit hole in the beginning. Gaining a shell that I think I shouldn’t have. I thought that was it, I got root and everything but then, where is the user/root.txt? Dammit, such a fool.

Most of the important stuff is in the gogs. Go through everything. I do mean EVERYTHING. It is not that much anyway.

After that you should be able to get USER.

For root just go through the machine that you have just gained access to; the purpose, the services running, do your enumeration thoroughly. You should check for leftover stuff as well.

hint: One of the files will unlock every secret you need.

Hope I didn’t spoil too much

Should I be exporting $v***t_addr to a local ip? Service doesn’t work and I’m getting 403 for all requests, including login

Switching it to a local ip works but the O** doesn’t work for root

edit: Never mind, not sure what happened but restarting fixed it for me.

Rooted :smile:
Pm if need a nudge :wink:

Hi everyone, when I try to access apii.craft.htb / api it gives me an error that I can’t resolve the name. How can I solve it?

@nemen add https://

@TGZed said:

@nemen add https://

I’m already in https but it doesn’t work. Could it be that I have to insert something in resolv.conf?

I got the creds and token, able to read the source, but stuck with the attack vector. Is it related to the inj**ion? Can anyone PM, please?

edit: got rce, thanks to @pp123

Is the debug a rabbit hole? Couldn’t find any RCE or LFI or anything useful

@nemen said:

I’m already in https but it doesn’t work. Could it be that I have to insert something in resolv.conf?

yup.

Hi,

■■■!! After suffering for some days on this box, I was able to obtain user.txt. Special thanks to @Kucharskov for the time taken to explain to me a few concepts to understand how to proceed with the vulnerability.

From here, I will continue to root, but if someone needs some help please let me know.

PP

EDIT: Got root. After reviewing the hints on the forum.

PP

Rooted. This might be my new favorite box tbh.

A lot of hints are mentioned in this thread already, but I might add this for user: Sometimes backtracking is useful

PM me if you want some tips

Oh boy, this has got to be my favorite box so far, there are lots of steps, but it’s very straightforward and you probably have already found your next step before you know how to use it. In my years as a developer I’ve seen how common a lot of these mistakes are, so it feels very real.

User: You should have easily found an issue with the code you have access to, it’s a shame no one hardcodes credentials anymore… but they do reuse passwords.

PS: If you’re having trouble exploiting the code, try it locally. And after you’re in initially don’t overthink (like I did) and start reading on technical exploits to escape your situation, you probably will find quickly what to extract from that experience, you just need to find a way to use that somewhere else.

Root: Your initial enumeration should have shown you something interesting, then it’s just a matter of understanding how to use the tool that you have a way of authenticating to allow you to use that interesting thing.

This root.txt is going to be the death of me. Just saying (with a desperate cry for help and the whispering sound of defeat creeping in) :slight_smile:

Got root. Huge thanks to everyone who helped me. A super enjoyable box even though I had an unusually difficult time catching a reverse shell.

I think there are plenty enough hints already but I’ll add a clarification:

  • People are mentioning ‘going back to the beginning’ and I was attempting to do this too early (thanks to rev shell issues). You must have a shell that you use to enumerate further. THEN step back.

If you are also struggling to get a shell callback shoot me a PM - I’ve probably gone through the same problem.

I am stuck at user. I have creds, token and one place to use them. Still stuck.
Asking kindly for help.

Woo! Finally got root! Thanks to @Kucharskov and @captainworm for help.

Rooted! It was a good box for an AWAE student

So much fun!
Hmu for hints.

I enjoyed that. There were several “wtf now” moments and getting the payload to work without any feedback was infuriating.

PM if you need hints.

Well crafted box! Enough clues to lead you around and pays off in the end to read things. Lots of fundamental stuff to learn here for many, but not so tedious to be (overly) frustrating.