• Rooted. This one was really solid -- 9/10. I've worked with git in the past, but this was a good refresher. Everything was very obvious when I turned my brain off and stopped delving too deep into it.

    I normally would give some hints, but I escalated directly from www-data to root for this one, so I'm not sure how useful the hints would be.

    Great box, regardless.

    Hack The Box - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • Rooted. Great box.

  • Rooted the unconventional way (www-data to root). I know the path to get www-data, then user, then root, but I'd like to talk with someone about reversing R*****C********.*** as I want to learn a bit of it :)

    Otherwise great box, taught me a lot about git


  • edited September 11

    For those working on the EXE file... you don't need to run this in Windows to get it. I thought that at first, and that's how I owned root...but I just validated in Kali and was able to get the same result... you just need to know what you're looking for.

    PM and I'll try to give hints as best I can, will respond when I can!

  • @n4sa @v0yager Which article was that?


  • @marlasthemage, pm me, I would rather not post it here as it may be a spoiler for people who haven't gotten to that part yet.


  • Great box, did do the "easy" route from www-data shell to root.

  • Owned directly as root, now need to figure out the correct path as user.

    OSCP | PMP

  • edited September 13

    I'm dumb and WAAAAAAAAY overthought this... make sure you enumerate the hell out of the gitlab page, even after shell


  • edited September 12

    Rooted in intended way. Thanks to @daedalusx and @Kucharskov

    See the gitlab help.
    In the low priv shell: sometimes we don't need to decode things. ;)

    Root 1: Try .learn .about .git.
    Root 2: R*******.**e is like solving a Reverse challenge on HTB. I finished it using a very well-known Windows tool, but there is a similar one for Linux.

  • Rooted from www-data to root !!!!

    But wanna know the other way of rooting from www-data --> user --> root !!

    Anyone who have done in that method me !!

  • Rooted. Few different methods for root. 3 that I'm aware of. Only got one so going to keep trying for the others :smile:

  • Rooted. www -> user -> root. (through .exe)

    Could someone share ideas how to do with "www -> root" and "www -> user -> root" (without .exe)




  • edited September 13

    Rooted, that was a funny little box :smiley:
    Got root through the "normal" path, got user before root. Someone could PM me about how to do it the other way? I'm quite curious because I found the initial foothold but didn't succeed in elevating.

    USER: Take care to the details and be sure to enumerate the full website (common wordlists are enough, don't waste your time) :wink:
    ROOT the normal way: Got it through my Flare VM and the exe, don't overthink this one and take a break sometimes :wink:

    PM if you need help :smile:


  • Could use a nudge or two with exe analysis - have tried with st****, ob***** and rad**** - and have the feeling I am missing something obvious.


  • Finally rooted that box through www->user->root (R.C.xe)
    This was my first time reverse engineering, never used before, so big thanks to @daedalusx and @Nekrom for great hints without spoilers.


  • Anyone want to give me a nudge? I’ve got creds to Gitlab but I’m having a bit of trouble with the next step.
  • edited September 14

    Can someone explain to me why I need to specify a password for g** p*** with the user w**-d***?

  • Can anyone give me a hint on how to execute the shell after uploading, and can the shell be uploaded in a snippet or a project?

  • @UsmanParacha stuck in the same...

  • Rooted! I went the 'conventional' route through user and then root. I'm interested to find out how to go directly from shell to root. I know it involves using s*** g** p***, and possibly leveraging h**ks, but couldn't figure it out. If anyone could PM me to explain I'd appreciate it!

    Some tips:

    • Click on all the links you can find till you find something interesting.
    • Find a way to upload your own code, get shell
    • Enumerate gitlab some more!


    • Investigate the interesting file


    If I have been helpful, respect is always appreciated.

  • Akl
    edited September 14

    Got USER and ROOT [the hard way] :(

    I think solving that box depends on your knowledge of how gitlab works especially for the easy way which I couldn't complete. Anyone please PM me with their writeup of the commands they used to complete it directly from ww-*** to r*** using gi *** and h**ks?

    Just for learning how it could have been done directly.

  • Can anyone confirm that the www to root was patched? as it was an unconventional thing?

  • Rooted

    Very easy box including user and root.

  • Spoiler Removed

  • @D8ll0, yep I wasn't exactly sure how should I use g.. p... so instead I looked through r.c.exe and (with some help) found the credentials


  • @cspence10 said:

    Can anyone confirm that the www to root was patched? as it was an unconventional thing?

    Wait, it's been patched out?

    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )

  • @clubby789 that's what I've heard. That that was never an intended way and that it was removed. I've tried it multiple times and didn't get similar outputs

  • @elearning said:

    @D8ll0, yep I wasn't exactly sure how should I use g.. p... so instead I looked through r.c.exe and (with some help) found the credentials

    Actually, I rooted the box without the g.. p... method.
    So apparently, there are three methods to root the box :D

  • Finally rooted the box. I went the low-priv shell -> root route. My initial instincts told me this would work when I saw a certain thing, but I started to doubt it. I've used g** a lot, and still use it weekly, but researching it for this priv esc taught me something I didn't know about it.

    Great box @frey and @thek!

    DM if you need help with this method.


    Respect always welcome if I can help you:
