• Rooted :smiley:
    That was a really fun box ! thx to the owners

  • Currenty have the w******a shell and access to p**m*****n and am now stuck. any hint would be appreciated

  • So I have been trying to use sqli to get into the users of the website and see if I can't get the passwords to be able to ssh in as ww-data. Is there an easier way to find the access in the account?

  • @gNarv3 said:
    So I have been trying to use sqli to get into the users of the website and see if I can't get the passwords to be able to ssh in as ww-data. Is there an easier way to find the access in the account?

    one does not simply ssh as www-data, if you're using sqli there's one tool that can let you get a shell from exploiting such vuln...

  • Finally got around to doing this box. Unfortunately people kept resetting the box all the time, so I had to redo a lot of the first steps again and again.
    The very last step for root gave me a lot of trouble until I decided to spend some time to get a better shell (S*H), then it was relatively easy with the right documentation.

    If you need any hint, DM me with where you are at and what you have tried.


    Very interesting machine, I learned a lot from this. Thanks to @manulqwerty and @Ghostpp7

    Foothold: using two well known sec tools is quite easy, but I still don't get why people talk about spotting differences between page 1 and 6

    User: I spent too much time here then I realized my mistake was a syntax error. Basic privesc and googling is enough

    Root: Basic enumeration and googling, a link posted here some pages ago will give you all you need to get root

    Probably without reading posts here I would have rated this box as "medium". Well, if you need hints PM me! ^__^

    Hack The Box


  • Finally rooted,

    !!! -> pls DON'T remove files that other users created, is pretty selfish and useless.

    PM me if you need some hints (and write your current situation ;) )

  • edited September 2019

    Working on root now, but I think everyone should know that the comments "recommending" getting a better shell is actually more of a requirement, at least as I was trying to progress.

    I had unknowingly figured out how to get user a long time ago, but it didn't actually work until I upgraded my shell.

    EDIT: Rooted! Happy to help anyone who's stuck. All I ask is that you send me what you've already done and where you're stuck.


  • finally got the user 10x to @Yerdua95 that confirm the right path i was.
    i failed with the syntax but learned a lot about linux privilege escalation.

    need help ? PM

  • edited September 2019

    Can somebody PM with a nudge on syntax or something for the initial foothold at ****.?c=?

    I'm not sure if I'm supposed to be trying to catch a shell or serve a file from this point and I've been banging my head against it for two days.

    EDIT: Got into an OS-shell, new things to bang my head against, thanks for the help ya'll

  • Rooted! Big thanks to @hostilenode
    @WhiteVoid and @ml19 for the initial hint!
    My first "medium" dfficulty machine, cool experience!
    Learned how to spawn fully interactive shell

  • Just finished, my first on the site :smile: Just a quick question.

    I was wondering, at some point in the process I decided to use ssh (by setting a key), but after about 5 minutes connections reset and all the temporary files would be gone. But the system uptime did not reset.

    It happened twice, then I fell back to just using a normal reverse shell, and it did not happen again. Is this some type of protection at HTB? Or was it just an unlucky consequent and someone pressed the reset button on the web ui?

    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • Rooted, you can pm for nudge, privesc is much more simple than getting a shell

  • Rooted. I've struggled the most at foothold, after that enum to get a user. Some dolars might be needed 8). And enum to get a root (the easiest part).
    Nice box, learned few things.
    PM me for nudge :smile:

  • edited September 2019

    Great Box. Thank You @manulqwerty & @Ghostpp7 for the awesome box..

    User - You don't have escape characters if you can execute scripts. if you know what i mean..
    ROOT - tmp directory is not a good place when it come to services ;)

  • Rooted. to next machine.

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • Straightforward box. Thanks to creators!

    User: enum, dump, enum
    Root: enum, you have all privileges

  • [email protected]:~# echo " rooted by harshallakare" ; id ; hostname ; date
    echo " rooted by harshallakare" ; id ; hostname ; date
    rooted by harshallakare
    uid=0(root) gid=0(root) groups=0(root)
    Thu Sep 12 02:25:22 EDT 2019
    [email protected]:~#

    PM are welcome for hint.

  • edited September 2019

    Great box. Lightweight more for intermediates than pure beginners, but perfect progression for a study lab. Also there seems to be multiple routes to root this box. Some quick tips

    Enumerate properly, don't worry about ban hammer and thinks OWASP top 10.

    Was hardest for me, lots of good tips on the first 9 pages of this thread. Basically read the code and think of ALL the ways to break out of the filter (not every single one is covered)

    Eazy-peazy; basic enumeration and it shouldn't take you more than five minutes, although I'll admit that the name of the vulnerable binary threw me off, I had to check on my machine to make sure its not setup that way by default. GTFObins also helped


    Hack The Box

  • Good box. I learned some things about linux exploitation. I think there are multiples ways to root this box. Feel free to pm me if you need help !

    Hack The Box
    Pm me and tell me what you already have and where are you stuck. Feel free to give me some respect if I helped you !

  • finally ROOTED
    thanks to great ppl that point me to the right way
    there is few path to all.
    to many reverse shells :)

  • edited September 2019

    Anyone else having issues pinging the box? nmap scans get no response from the host. Tried resetting multiple times with no luck

    Edit: nvm it was something up with the vpn

  • edited September 2019

    Could be possible that the S** I******** has been patched? I exploited it many times before today, now every time I get ban.

    [Edit] It wasn't real, I forget to pass an important flag to the tool.


  • Need help with pivoting. I found the file, but I'm having trouble with exploitation, please PM me

  • I don't know what they are doing so that the machine does not work stop doing that if they need help ask for it and respect the files of others,

  • Really liked this box, PM for hints ;)

  • Favorite box so far, feel free to PM if you need help/tips
  • Nothing like somebody resetting the box as you're a few keystrokes from root... :angry:


  • If you guys use an exploit to cp/cat either one of the flags to a very visible directory, please delete the file as well...


  • I need some help on root pls :)
    am stuck on S*******l not able to create service
    pm me pls

Sign In to comment.