@nuxmorpheus01 after your initial enumeration you will find some interesting pages, from there you just have to get your shell onto the server, one of the most trivial ones there is
I have found the pages. I tried to use curl to upload my shell. No success.
Maybe the path I am following is correct but I am failing in the execution?
Comments
Nm, rooted
I'm a noob. I don't see anyone else mention they are having difficulty port-scanning this box.. I've run at least half a dozen different nmap scans, except a UDP scan of ALL ports (waiting on one). All scans have reported that all ports are filtered, this has remained across box resets.. I'm always up for a challenge, but want to make sure this is meant to be happening?
EDIT: Oddly enough, I now AM able to scan the box, 24hrs later.. and no ports are coming back as filtered.. I couldn't see any ports before, nor visit the site, but now it's working. Very odd.
@Lodovico said:
You need to enumerate the HTTP service a bit. The initial part is relatively simple.
@Seepckoa said:
I thought I had tried that.. looks like I hadn't gone deep enough. I guess my suspicions about an obstacle in my way may be confirmed. Thanks!
Privesc to root is making me scratch my head. I see my ability but trying to understand how to leverage it to get that # sign.
Rooted
Appropriately rated box. What I didn't like is even though the paths to exploit were clear if others didn't clean up afterwards it spoiled the box.
OSCP | CISSP | CSSLP
Respect always welcome if I can help you: https://www.hackthebox.eu/home/users/profile/140630
@Lodovico said:
No worries, and good luck for exploiting the flaws of this system.
#Initial,user and root
Analyse the flaw in code
OSCP
Fun box, make sure to clean up stuff to prevent spoilers at certain stages. A few hints:
Shell: view the source, check out that one file. You might not necessarily be able to totally bypass certain filtering, but you can still smuggle things inside legit files.
User: enumerate, then return to the source. Timing is everything.
Root: More standard enumeration. No need to overthink getting around filtering; this can be found with some easy manual fuzzing. There is an article out there if you search well enough on the exact vuln, posting the article is too much of a spoiler though.
Just got user.txt with the most ridiculous method. No idea at this moment in time how to get even a user shell (i.e. g*** as the whoami)!
@nuxmorpheus01 said:
Are you remembering to make your shell file executable? I didn't at first!
User and rooted! Though I’m struggling to understand why root pe works. If you've rooted this box and have a decent understanding of how/why root works, I'd love to know!
Got root! All about trial and error
A+ | Net+ | Sec+ | Server+ | CySA+ | PenTest+ | CASP+
I've got a shell, but can't get user. I get the feeling I am missing something obvious. If someone could give me a nudge in the right direction, it would be appreciated.
Rooted, I found I overthought this one way too much. Like others said, everything you need is right in front of you. DMs welcome if you need a nudge
Finally rooted, my first machine in ages.
@reverendin said:
I'm in the same boat.
Any hint on root flag?
Owned user and root, took me some struggle. What needed to be done was clear to me, just not how to achieve it. All can be achieved without altering existing files, exploits or similar. With look back, fun box
Finally got root. Hint: read, try and repeat. I was frustrated beyond belief but finally started putting things in and reading what happened.
Can someone help me interpret from the source how the rename process is working? I can't figure out how it is naming and would like to understand, pointers appreciated.
Got root but while I know HOW I got it (semi focused thinking or blind luck) I don't get WHY this works, I understand what I change, I don't understand what's causing the process to work the way it does rather than just throw a hissy fit and error.
Can anyone DM me a why this works, Google turns up how to use the commands rather than why they give the escalation.
Does this box crash and reset every 5 min for anyone else? Like is that supposed to happen? I am even on a VIP server but cannot seem to get more than 3-5 min before it goes offline and comes back reset
Need a nudge for user. I do have a shell, but need priv esc.
I believe it would be upsetting to do this machine on free servers. Anyways, really cool machine.
Hints:
Initial part: Don't forget to look for all types of files while searching dirs, you can also guess it by the content of that one file you find in some folder. It's really basic to get a shell from there.
User: Read the content of the two files in the home directory and then do what you think is right. Waiting will help you.
Root: Don't even need to enumerate much, once you find the right file, try to escape it and execute something
I am stuck at root... found a file that has sudo priv, but idk how to escape and get shell. Any hints will be appreciated. tq
Hey guys can I get a dm on user esc. I got initial shell but have no idea what the php is doing or how it helps me get user.
Rooted, really liked the box.
Since you have the sources all you had to do was understand the code and go through it step by step.
User
On VIP you didn't get spoilers just by visiting, however on Free it's a totally different story. If you really want to learn something ignore what others did in the browsable sites and analyze the PHP, THEN do what you think is right.
It takes three steps to user, one forward, one backward and one forward again.
Get shell, take information back, get shell again.
https://www.php.net/docs.php
https://www.w3schools.com/php/php_ref_overview.asp
Take the functions used, look them up in the docs/w3schools and run them online. If you are unsure how one initial variable is declared, a certain easy-to-discover page will tell you. Make your own $name variable and run it through function after function just like the website does it.
After each function write down the output, take it to the next function and repeat.
If you want to get fancy, take the files and make your own server locally.
PHP Boolean False = 0
PHP Boolean True = 1
Root
Basic enumeration, you can run the well known script or if you do the most important things manually you will discover it pretty fast too.
If you found it you aren't far away, run it and don't space out, focus on task ahead