Craft


Comments

  • I'm an idiot. Tried to use 0.0.0.0 at last step.... Then switched to 127... and it worked like a charm.

    OSCP

    Hack The Box

  • @abuyv said:

    Despite I got the foothold on the machine (limited shell), I couldn't get the user shell. Any small hints would be helpful.

    Note the tools used for the app. Some tool(s) is/are very good for enumerating purposes and tweaking some files may help you with that (not a good idea to do it in jail tho :/ ). PM me if you need more help. Best of luck!

  • Finally got root!

    Quick tip: don't over-think it, everything you need is right there in front of you. Read the code!

    Thanks to @lolxD for the help!

  • edited August 2019

    Rooted!
    Really nice box, I very much enjoyed it!
    For user, as The voice once said: the jailer is the key ;)

  • Can anyone nudge me in the direction of the correct escaping/syntax on the RCE? I'm pretty sure I know the payload(s) I can use, to verify command execution and a shell, but I don't get anything back and only see the 500 error.

  • edited August 2019

    [email protected]:~#

    Wow, what a ride!
    Don't have enough words to describe this masterpiece! Well designed environment with actual cloud technologies and real life scenario with nudges left behind by the "developers".
    Thank you @rotarydrone !

    It's my 2nd favourite box !

    Quick tips:
    1. Read the source code (leakage).
    2. Use python3 (requests) to automate 2 things. Strange responses ? Take into account the boolean logic ;)
    3. Inside: enumerate with python3 (8 lines of code).
    4. Use the data from 3. Don't overthink!
    5. Grab user.txt
    6. Enumerate, use the documentation, login as root, grab root.txt !

    OSCP | RHCE

  • I Finally rooted it!
    That was such a cool, realistic and interesting box.

    The hints are all here in the forum already, but feel free to PM for nudges!

    Hack The Box

    GitHub repository with writeups: https://github.com/S7uXN37/HackTheBox

  • @S7uXN37 I've sent you a PM

  • @laszlo said:

    1. Inside: enumerate with python3 (8 lines of code).

    @laszlo can you recommend anything to read? Googling "enumerate with python" spits out nothing helpful...

  • edited August 2019

    https://netsec.ws/?p=309 - can't get the tools inside the d.....-c........ could do enumeration by hand though... can su to two different users, but since I'm "root" already...

    https://security.stackexchange.com/questions/152978/is-it-possible-to-escalate-privileges-and-escaping-from-a-d.....-c........

  • Spoiler Removed

  • @gorg said:

    @laszlo said:

    1. Inside: enumerate with python3 (8 lines of code).

    @laszlo can you recommend anything to read? Googling "enumerate with python" spits out nothing helpful...

    Where the application stores data ? What binary is not available inside the docker ? Please check settings.py ;)

    OSCP | RHCE

  • Took me about 12 actual hours of work to fully root and mostly thanks to everyone who suggested hints in the forums.

    User was interesting, ended up building my own server app to test the payload. Root was straightforward but that is to be expected in the real world as well.

  • Root took 10 seconds after getting user... perhaps it's because I thought learning the tool was required for getting user since I didn't see the *** key right away in the repo...

    koredump
    If you PM, please include the steps you've already taken. Don't forget to hit the respect button!

  • Can someone throw me a hint on the RCE syntax for the initial foothold? I'm able to authenticate and verify that I can create new entries. I've even set up a local script to make sure my syntax was right and that an rshell inside the e*l function works locally, but whenever I try to apply it to the box I either get that my abv is too high or an unhandled exception.

    I've tried doing it through c**l, b*p and a py script; none work and I'm beginning to lose my mind -_-'

  • @laszlo said:

    Where the application stores data ? What binary is not available inside the docker ? Please check settings.py ;)

    autsch... this is my third machine, but with each one I get more and more the impression that the most important thing is to go through every file (shell) and page (web) very closely...

    so far most things have been just right in front of me

  • @laszlo said:

    Don't overthink!

    My head is slowly approaching the size of a big pumpkin, pivoting around in the d.....-c.......

    @kievcast said:

    I've tried doing it through c**l, b*p and a py script; none work and I'm beginning to lose my mind -_-'

    I hate when that happens.

    Before you do... lately I got the impression that there is too much traffic on the free VPN nodes, changed to VIP and my exploit worked.

  • edited September 2019

    user pwned

    edit: rooted

  • Rooted.

    Thanks to @gorg and @S7uXN37 for their help.

    Base

    --> Read the API code and enumerate everything especially the git log.

    Shell

    --> Use the data collected from the previous enumeration and craft a payload for a shell (try searching for Python vulnerabilities).

    User

    --> More enumeration this time using a running service.

    Root

    --> Documentation will aid you.

    Have a nice hack

  • Just rooted the box :D User was a very nice ride, as for root it was just a read through the documentation of a service, much easier. If you are stuck feel free to PM me with your current progress for hints

    amra13579l

  • Finally! That. Was. Awesome! Thanks, folks, for every hint you left. Still cannot believe that I've lost so much time moving in the wrong direction, but anyway it gave me the knowledge how to obtain root later

    User

    No need to brute. No need to escape. You can get all prerequisites just from the source code.
    It might be easier to get shell if you set up app locally and hack it a bit to bypass t*** validation (Hint: You cannot compare NoneType and int)
    Then you may suffer with a minimalistic editor (which was funny though) or get yourself a proper shell.
    Once you've got all c***, you're in ten minutes to user.

    Root

    It's easier than it seems to be. Just study infrastructure.

    btw, does anyone know why hydra returns false positives for g*** along with the correct results?

  • Rooted. Extraordinary box with real-world experience. There's so much fun in this process. User is much harder than root in my opinion. Feel free to PM if you need a nudge.

  • Rooted. That box is awesome.

    menessim

  • If anyone could PM me some help with the e*** payload it would be much appreciated. I can't seem to get past "An unhandled exception occurred."

  • Rooted, thanks for the nudges. Total brainfart for me. stuck hours on a typo, but that speeded up the few minutes to root after user :)

  • Rooted,
    What an awesome box. Made super fun. Took me 2 days for the user though.
    Root was fairly simple in comparison.
    Read what you have and look it up

  • I have root permissions but I can't see the user flag and root flag! What am I doing wrong? Thanks.

  • Rooted! Very nice box and I managed to do it without any help. The hints in this forum were enough to get me through. My RCE was a bit of a kludge as I didn't know the language but it worked eventually.

  • what a nice box. finally rooted :)

    Feel free to PM me on Telegram @kod0kk for any nudge/hint

  • rooted ! clearly it's my new favorite box ! A biiig thanks to the owner !!
