Craft


Comments

  • Rooted. Stuck on root because somebody who got root before me on this instance changed permissions (again!!! - I must make a habit of rebooting the instance if stuck %). Rebooted and got root. The hint from @tomteng helped me realize that I had got lost again %)

  • Hi, need a hint here... I am stuck in the jail. I got a reverse shell using the script and creds. I am in the d******. I can enumerate the database but only retrieve one user, which is the creds from before. I have found DB creds but they don't work on anything (except accessing the DB with a script). There is one other password which I have tried with other users, but nothing. Can't find any hidden keys. If I go out and use the original script with the creds, I don't get t**** or a connection.

  • Finally rooted. It was tough for me, but I learned many things. I can help with any hint; PM me if you need help.

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • @chiefgreek said:

    Hi, need a hint here... I am stuck in the jail. I got a reverse shell using the script and creds. I am in the d******. I can enumerate the database but only retrieve one user, which is the creds from before.

    Hi, in the jail you'll have to find a way to reveal other users' creds besides d****h. Read the Python code; it's a bit tricky. You'll have to modify one line in the script to retrieve additional data from the DB. You'll need somebody else's creds in order to step ahead.

    Regards,
    qmi
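    As an added, generic illustration of the hint above (this is example code, not the box's script, whose name, schema and user names the thread redacts): a database smoke-test script that runs a query and then takes only the first row will show exactly one user no matter how many rows the table holds, and widening that single fetch to every row is the kind of one-line change qmi describes. The table name, column names and sample credentials below are constructed assumptions so the example runs offline against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: the real schema, table and user names are assumptions.
SAMPLE_USERS = [
    ("alice", "Secret1!"),
    ("bob", "Secret2!"),
    ("carol", "Secret3!"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory DB seeded with the constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def first_user(conn: sqlite3.Connection) -> list:
    """What a typical connectivity smoke test does: ask for everything, keep one row."""
    cur = conn.cursor()
    cur.execute("SELECT username, password FROM user")
    row = cur.fetchone()  # the single line that limits the output to one user
    return [row] if row else []


def all_users(conn: sqlite3.Connection) -> list:
    """Same query, but fetchall(): every credential row in the table comes back."""
    cur = conn.cursor()
    cur.execute("SELECT username, password FROM user")
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    print("one row :", first_user(db))
    print("all rows:", all_users(db))
```

    The defensive lesson is the same one the thread keeps circling: a test script with working database credentials checked into a repository hands anyone who reads that repository a full dump of the credential table, so such scripts should use a throwaway account with no access to real user data, and passwords should never be stored in plaintext.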

  • Let me answer this post, as it was the most disturbing comment, providing no help whatsoever in finding the flags.

    @laszlo said:

    It's my 2nd favourite box!

    Quick tips:
    1. Read the source code (leakage).

    Actually, it's not a data leakage. It is a well-known function that can be exploited and can give you a reverse shell.

    2. Use python3 (requests) to automate 2 things. Strange responses? Take into account the boolean logic ;)

    What? Never mind...

    3. Inside: enumerate with python3 (8 lines of code).

    In fact, more than enumeration is needed: find the line and update the code in order to retrieve the additional information you need. Credentials.

    4. Use the data from 3. Don't overthink!

    Useless comment. Of course you will need the data you found in the previous step to carry on.

    5. Grab user.txt

    Again, useless to say. Actually, you will have to SSH to the box after you have found the private key of the right user. To obtain the private key, you will need to properly authenticate to the Git repo (the d***** user won't have it).

    6. Enumerate, use the documentation, login as root, grab root.txt!

    Naturally, as always, but too little said. From the user shell, you'll have to find a secure technology used on the server in a container - utilising OTP - and successfully extract data from it. That helps you gain root access. You have to know how to use it; if not, you'd better look it up. After that, log on as root and get the flag.

    Regards,
    qmi

  • edited September 2019

    I think I have all the important information to get a reverse shell. I am able to make modifications to the DB without any issues, but I am unable to figure out the right shell syntax. Not a pro with Python, so a little bit of help would be great. Thank you!

    edit: Found my mistake.

  • Finally rooted. Was a great box and it felt like a real-world scenario. Loved it! Feel free to PM me if you need hints.

    90n20

  • Really nice box, had a great time.

    If you are stuck somewhere, don't hesitate to ask for a nudge - I'm happy to assist.

  • edited September 2019

    Edit: Overlooked a totally stupid open door... rooted

  • edited September 2019

    Spoiler Removed

  • edited September 2019

    Nice box; I don't think it's one of my favorites though. An intermediate-level box (at least for user). Too much RTFM; although that is pretty much a prerequisite for infosec, I find myself speed-reading and missing stupid, obvious stuff lol. I'll give this 4 stars, as it is straightforward, although if you don't read everything carefully it can turn into a head-banger. Some tips so others don't have to scroll through the thread every time they need some ideas/help:

    Initial Foothold:
    Probably the hardest step on this machine. But don't worry, it's not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely; I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you're getting syntax errors when trying to authorize); the other is a naughty programming practice that has something to do with accepting user input. After that it's just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in Bash can open up a new thread/process in the background.

    User:
    Hmm, sort of a head-banger, but actually straightforward if you don't rush things like I did. You actually don't have to enumerate much. It's also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don't be like Gog and Magog and throw it away ;). If you retrace your steps and keep your loot, you'll find more loot by enumerating more, maybe even a key to the casshtle.

    Root:
    Easiest; I shouldn't need to give anyone any tips here. It's best to read the --help of an interesting service that isn't run by default on *nix machines.

    GL!


  • I actually rooted this a while back; I've just come back to say that ever since then this has been one of my favorites ever. IMO it's incredibly realistic, I can tell, as I've been working with the exact same tools for the past year. So yeah, really, congrats to the maker; for me one of the best: a nicely put together, modern, realistic box :)

    rowra

  • I enjoyed this box; it was realistic and straightforward, and I always enjoy using Python. I did waste a lot of time because I messed up when trying to ssh with the i_r**, but other than that it was straightforward.

    Tips:

    • If you're struggling to get a reverse shell, first try to get any connection to your machine, then build on it from there.
    • Try lots of different types of reverse shell (pentestmonkey) until one works.
    • Once you've got a shell, you don't have to look very far to find the way to break out.
    • Once you have user, use your new creds to take a good look through gogs. Find a way you can log in as root.

    Feel free to PM for more help.

    redshift

    If I have been helpful, respect is always appreciated.
    https://www.hackthebox.eu/home/users/profile/67581

  • @MetinYigit said:

    Hi everyone, I am stuck at user. I have found the ev** function and I have edited the te**.py file to get a reverse shell, but how can I trigger this file to get the shell? Any hint? Thanks

    EDIT: GOT ROOTED! THANKS TO EVERYONE :)

  • Finally rooted! Very realistic box, learned a lot.
    Feel free to pm me if you are stuck !

    Pm me and tell me what you already have and where are you stuck. Feel free to give me some respect if I helped you !

  • I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?

  • edited September 2019

    If you have reached this far in the forum page you are probably stuck, so I'll try to give some hints regarding the time wasters I went through.

    Initial Foothold:

    -Try to stay away from the common web vulns and focus on enumerating the actual source code... maybe something that's been recently changed.
    -After you find the vulnerable function, research how to exploit it.
    -Try to use some of the scripts already found there.

    User:

    -Again, try to use some of the scripts already found, but focus on reading each line of code to see what it does.
    -After you get the info you want, try to step back?

    Root:

    -From the new files you can read, you should be able to see how to use this tool to get root. Needs some research.

    Hopefully I didn't spoil :)

  • edited September 2019

    Initial Foothold:
    How can I check the subdomains of an IP address, 10.10.10.110?
    Everything is HTTP error 500.
    Dirb does not work...
    Started a brute force on 10.10.10.110 but stopped after 2 days.
    Tried to add the api and gog subdomains to the hosts file, they cannot be resolved.
    Tried to find a DNS server that resolves craft.htb, not found.

    Waste of time, this is a p.....sh

  • edited September 2019

    If you're in the jail and trying to figure out what the heck this is and where to look, just look in this same dir, examine the code in that file and figure out what the functions do line by line. Chances are that you, just like me, don't know this exact function which sets a restriction. Just google the documentation, find the right one and substitute.

    Some simple stuff which took several hours.

    Thanks to everyone in this thread for hints.

    On to root.

    EDIT: rooted.
    Couldn't figure out how to use this, then just paused and started reading the docs normally.
    Easy step for anyone who knows the service.
    This is not a vuln or any kind of exploit, so don't waste time searching for one.

  • Anyone getting server error 500 in /api/? I keep getting this since I started 2 days ago. If you know something, please help.

  • edited September 2019

    Stuck in jail. g******e gave me keys but I don't know how to use them. Any hints?

    chmod i*_**a 600, what a shame :smile:

    kratek

  • edited September 2019

    @shadyR said:

    Anyone getting server error 500 in /api/? I keep getting this since I started 2 days ago. If you know something, please help.

    I have the same problem; I think the api and gig pages are just a rabbit hole.

    Try to brute force 10.10.10.110 to find PHP or HTML files.


  • edited September 2019

    Root access to the docker container via RCE; I'm stuck here, no idea what to do. Dumped the database, found 3 users... password reuse.

    Got access to 2 out of 3 users in git (gogs) and found one extra repo.

    In the extra repo found info about vault and one set of not-so-private keys... Also got to know that vault is used for SSH OTP.

    Overall I have some info but I'm unable to connect the dots to even get user.

    Help please, where do I go from here!!

    Remark!!! ssh.key use: chmod 600 ssh.key

  • edited September 2019

    @hanter said:

    Root access to the docker container via RCE; I'm stuck here, no idea what to do. Dumped the database, found 3 users... password reuse.

    Got access to 2 out of 3 users in git (gogs) and found one extra repo.

    In the extra repo found info about vault and one set of not-so-private keys... Also got to know that vault is used for SSH OTP.

    Overall I have some info but I'm unable to connect the dots to even get user.

    Help please, where do I go from here!!

    How can you enter the gog site?

    Thanks

  • This was a great box !

    Tips for root :

    Once you have user, just check the machine and gogs for what technology the app uses for managing its secrets. Once you know that, just read the documentation on the vendor's site and you'll know what to do. PM for hints on user or root.

  • Beer, Silicon Valley, and Hack The Box? Doesn't get better than this.

    User:
    Don't overthink the jail. Say hi to your neighbors; they may greet you with beer and snacks.

    Root:
    Pay close attention to the components involved, and how they may be used to root the box.

    Cheers! 🍺

  • edited September 2019

    Hello everybody.

    I'm trying to exploit the vulnerability in the code b***.py, but I don't understand why my payload doesn't work. I tried it on my machine and it works without problems. Please, can someone send me a PM to verify my payload and give me a nudge to understand why it doesn't work? Thanks

    Edit: I have user now... I'm reading the documentation of V***t. I don't know exactly what to do, and I hope I will find it in the docs.

    Edit2: Rooted... once you get user, getting root is really easy. Just find something which manages secrets and read the associated doc.

    sh0dawn
    If I could help you, show some respect: https://www.hackthebox.eu/home/users/profile/171175

  • Can somebody PM me and give me a hand on the initial shell?

    I've gotten a nc shell to launch with an authenticated c*** request, but it's connecting from my machine instead of from the server.

  • Always willing to help! Please give respects if I help you on a box :)
