Scavenger

I have an RCE but it’s very limited, with limited R/W permissions. No reverse shell either, or anything remotely better.

Any tips would be appreciated.

OK, got past the first vuln. So much to look at, can’t seem to find which avenue is the right way to go.

Finally rooted, a box that I did not particularly appreciate especially since she has a lot of rabbits.

Could I get a PM nudge in the right direction for syntax errors with a certain early step?
I can give my notes, just not sure what I’m missing since I’m not too familiar with the method. I keep getting syntax errors no matter what I try, but I can manipulate the output of those errors.

Thanks @jorgemorgado for your nudge in the right direction. I appreciate your help!

Totally lost on this one…trying to S*L inject WH**s but lost there…Can someone PM me on initial foothold

@jayjay25 said:

Totally lost on this one…trying to S*L inject WH**s but lost there…Can someone PM me on initial foothold

You are on the right track, you must try a lot harder and counter the mistake.

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

@mech said:

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

@Seepckoa said:

@mech said:

I’m terrible with the S//i vuln, tried for ages without any success, so I’m instead trying to guess the information I’m looking for by bruteforcing the service in question with a large wordlist… Am I wasting my time? Should I just keep on with the S//i instead?

You should continue with S ** I. Just try to analyze and counter the error. Imagine in your head how the query is created.

Managed to get it now, thanks :) Was missing something when I was trying to imagine how things looked on the other end.

Hey!
I found a way to retrieve something from W***S with a wildcard, but I don’t know if it’s correct or if I need to try another way…
Unfortunately I didn’t find a method to inject a correct query. If someone can PM me a hint of how to “close” the query field…

THX

Update: looking for a way to RCE… Should I look to W***S or to web?

Can anyone tip my hat and tell me if I’m shopping for the right way to get RCE?

Got past the w**** thing a few days ago using s***ap, there’s a way to do it, you just have to hack some things together.

For the initial foothold, consider everything. If you see something that is interesting but you’re not sure what to do with it, consider spending more time on it instead.

Getting from foothold to user required enumeration of a lot of things. I knew what I was looking for, but not where. One of the last places I’d looked, really. The slow thing is slow, but you don’t really need to use it unless you’re stuck and need to find where you are.

Gotta get to root…

Finally rooted this box.
What a nice box, to say the least. I really enjoyed it all the way, especially the user part, there were lots of rabbit holes… Really well done to the creator of this box @ompamo, thank you, I learned a lot :) … I just think that user was a bit more complicated than root.
I would like to thank all the people that helped me, especially @Angel235 and @Seepckoa, I wouldn’t have made it without you guys.
I will drop some hints.
For user:

  • You need to find all you can about the box and really enumerate everything. Once you see the lower port, in which you will be asked to query something, and once you have found it is vulnerable, do more enumeration; you need to Dig all the way around.
  • Once you have found what you are looking for, redo a step that you made before and you will find what the http port is asking you for; you will have your hat xD. Do more enumeration and you will get the user flag, but with restricted access. By analysing some p**p file you will find some creds; use them to your advantage.

For root:

  • You need to do some googling when you find that file.

@lfabname said:
Finally rooted this box.
What a nice box, to say the least. I really enjoyed it all the way, especially the user part, there were lots of rabbit holes… Really well done to the creator of this box @ompamo, thank you, I learned a lot :) … I just think that user was a bit more complicated than root.
I would like to thank all the people that helped me, especially @Angel235 and @Seepckoa, I wouldn’t have made it without you guys.
I will drop some hints.
For user:

  • You need to find all you can about the box and really enumerate everything. Once you see the lower port, in which you will be asked to query something, and once you have found it is vulnerable, do more enumeration; you need to Dig all the way around.
  • Once you have found what you are looking for, redo a step that you made before and you will find what the http port is asking you for; you will have your hat xD. Do more enumeration and you will get the user flag, but with restricted access. By analysing some p**p file you will find some creds; use them to your advantage.

For root:

  • You need to do some googling when you find that file.

No problem, and congratulations, after a moment of work, you have succeeded. The advice of @lfabname is well explained.

Finally rooted. What a fun one! This was the first time I attempted a new box that didn’t have many hints, but that turned out to be an experience.

Got the vhosts after the s**i aaaaand I’m stuck. What am I missing here? I enumerated everything. Any hints?

@awkward said:
Got the vhosts after the s**i aaaaand I’m stuck. What am I missing here? I enumerated everything. Any hints?

You didn’t enumerate everything, go back and do your basic steps again.

This is one old-school style HTB box! Reminded me of some of the classic early nix boxes that were released, such as popcorn, beep and cronos, for some reason. It would be a good practice box for those preparing for the OSCP exam as well. Great job @ompamo - I can tell a fair bit of effort went into creating this one. Cheers and I hope you make more.

Wow, finally rooted after three days of intense work and learning. Hardest box I’ve ever done, had to pull on bits of knowledge from just about every box I’ve done so far.

Incredibly cool box and had a ton of fun doing it. @ompamo you did an absolutely fantastic job. Look forward to your future boxes.

Also gotta say thanks to @Jacker31 for the hints and emotional support ■■■■.

Staring this stupid insect in the eyes right now… I’m in, but need some clarity. Any nudges?