Craft

Edit: Overlooked totally stupid open door … rooted

Spoiler Removed

Nice box, I don’t think it’s one of my favorites though. An intermediate-level box (at least for user). Too much RTFM, although that is pretty much a prerequisite for infosec; I find myself speed reading and missing stupid, obvious stuff lol. I’ll give this 4 stars, as it is straightforward, although if you don’t read everything carefully it can turn into a head banger. Some tips so others don’t have to scroll through the thread every time they need some ideas/help:

Initial Foothold:
Probably the hardest step on this machine. But don’t worry, it’s not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely, I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you’re getting syntax errors when trying to authorize), the other is a naughty programming practice that has something to do with accepting user input. After that it’s just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in BASH can open up a new thread/process in the background?

User:
Hmm, sort of a headbanger, but actually straightforward if you don’t rush things like I did. You actually don’t have to enumerate much. It’s also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don’t be like gog and magog and throw it away ;). If you retrace your steps and keep your loot, you’ll find more loot by enumerating more, maybe even a key to the casshtle.

Root:
Easiest, I shouldn’t need to give anyone any tips here. It’s best to read the --help of an interesting service that isn’t run by default on *nix machines.

GL!
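Since the post above points at a user-input handling mistake in the API without naming it, here is an added example (mine, not the box’s code or anything posted in this thread): a hypothetical JSON field checked with eval() next to the hardened version of the same check. The field name "strength", the 1.0 limit and the function names are all assumptions.

```python
"""Added example: a client-supplied 'number' validated with eval() versus
a parser that only accepts numbers. Field name and range are hypothetical."""
import json
import math


def validate_strength_unsafe(raw_body: str) -> bool:
    """The anti-pattern: eval() turns a string the client controls into
    executed Python, so any expression passes through the 'number' check."""
    body = json.loads(raw_body)
    # eval() is the defect: "0.5" works, but so does any Python expression.
    return eval(body["strength"]) < 1.0


def parse_strength(value) -> float:
    """Hardened parser: accept a JSON number or a plain decimal string,
    and require a finite value inside the documented range [0.0, 1.0)."""
    if isinstance(value, bool):          # bool is a subclass of int; reject it
        raise ValueError("strength must be a number")
    if isinstance(value, str):
        try:
            value = float(value.strip())  # float() parses, it never executes
        except ValueError:
            raise ValueError("strength is not a decimal number") from None
    if not isinstance(value, (int, float)) or not math.isfinite(value):
        raise ValueError("strength must be a finite number")
    if not 0.0 <= value < 1.0:
        raise ValueError("strength out of range")
    return float(value)


def validate_strength_safe(raw_body: str) -> bool:
    """Same business rule, no code evaluation: malformed or non-numeric
    input is rejected instead of run."""
    try:
        body = json.loads(raw_body)
        parse_strength(body.get("strength"))
        return True
    except (ValueError, AttributeError):
        return False


if __name__ == "__main__":
    # Constructed inputs: a real number and an arithmetic expression.
    ok = json.dumps({"strength": "0.5"})
    expr = json.dumps({"strength": "0.2+0.3"})
    print(validate_strength_unsafe(ok), validate_strength_unsafe(expr))  # True True
    print(validate_strength_safe(ok), validate_strength_safe(expr))      # True False
```

The unsafe variant accepts the expression because eval() computed it; the hardened one rejects it because float() has no way to run code.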

I’ve actually rooted this a while back; I’ve just come back to say that ever since then this has been one of my favorites ever. IMO it’s incredibly realistic, I can tell, as I’ve been working with the exact tools for the past year. So yeah, really congrats to the maker, for me one of the best, nicely put together, modern, realistic box :slight_smile:

I enjoyed this box, it was realistic and straightforward and I always enjoy using Python. I did waste a lot of time because I messed up when trying to sh with the i_r**, but other than that it was straightforward.

Tips:

  • If you’re struggling getting a reverse shell, first try to get any connection to your machine, then build on it from there.
  • Try lots of different types of reverse shell (pentestmonkey) until one works.
  • Once you’ve got a shell you don’t have to look very far to find the way to break out.
  • Once you have user, use your new creds to take a good look through gogs. Find a way you can log in as root.

Feel free to PM for more help.

@MetinYigit said:

Hi everyone, I am stuck on user. I have found the ev** funct. and I have edited the te**.py file to get a reverse shell. But how can I trigger this file to take the shell? Any hint? Thanks

EDIT: GOT ROOTED! THANKS TO EVERYONE :slight_smile:

Finally rooted! Very realistic box, learned a lot.
Feel free to pm me if you are stuck !

I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?

If you reached this far in the forum page you are probably stuck; I’ll try to give some hints regarding the time wasters I went through.

Initial Foothold:

- Try to stray away from the common web vulns and focus on enumerating the actual source code… maybe something that’s been recently changed.
- After you find the vuln function, research how to exploit it.
- Try to use some of the scripts already found on there.

User:

- Again, try to use some of the scripts already found, but focus on reading each line of code to see what it does.
- After you get the info you want, try to step back?

Root:

- From the new files you can read, you should be able to see how to use this tool to get to root. Needs some researching.

Hopefully I didn’t spoil :slight_smile:

Initial Foothold:
How can I check subdomains of an IP address, 10.10.10.110?
Everything is HTTP error 500.
Dirb does not work…
Started brute force on 10.10.10.110 but stopped after 2 days.
Tried to add api and gog subdomains to the hosts file, cannot be resolved.
Tried to find a DNS server that resolves craft.htb, not found.

Waste of time, this is a p…sh

If you’re in the jail and trying to figure out what the heck this is and where to look, just look at this same dir, examine the code in that file and figure out what the functions do line by line. Chances are that you, just like me, don’t know this exact function which sets a restriction. Just google the documentation, find the right one and substitute.

Some simple stuff which took several hours.

Thanks to everyone in this thread for hints.

On to root.

EDIT: rooted.
Couldn’t figure out how to use this, then just paused and started reading the docs normally.
Easy step for anyone who knows the service.
This is not a vuln or any kind of exploit, so don’t waste time searching for one.

Anyone getting server error 500 in /api/? I keep getting this since I started 2 days ago. If you know something, please help.

Stuck in jail. g******e gave me keys but I don’t know how to use them. Any hints?

chmod i*_**a 600 what a shame :smile:

@shadyR said:

Anyone getting server error 500 in /api/? I keep getting this since I started 2 days ago. If you know something, please help.

I have the same problem, I think the api and gig pages are just a rabbit.

Try to brute force 10.10.10.110 to find PHP or HTML files.


Root access to a docker container via RCE; I’m stuck here, no idea what to do. Dumped the database, found 3 users… pw reuse…

Got access to 2 out of 3 users in git (gogs) and found one extra repo.

In the extra repo found info about vault and one set of not-so-private keys… Also got to know that vault is used for SSH OTP.

Overall I have some info but I’m unable to connect the dots to even get the user.

Help please, where do I go from here!!

Remark!!! ssh.key use: chmod 600 ssh.key

@hanter said:

Root access to a docker container via RCE; I’m stuck here, no idea what to do. Dumped the database, found 3 users… pw reuse…

Got access to 2 out of 3 users in git (gogs) and found one extra repo.

In the extra repo found info about vault and one set of not-so-private keys… Also got to know that vault is used for SSH OTP.

Overall I have some info but I’m unable to connect the dots to even get the user.

Help please, where do I go from here!!

How can you enter the gog site?

Thanks

This was a great box!

Tips for root:

Once you have user, just check the machine and gogs for what technology the app uses for managing its secrets. Once you know that, just read the documentation on the vendor site and you’ll know what to do. PM for hints on user or root.

Beer, Silicon Valley, and hackthebox? Doesn’t get better than this.

User:
Don’t overthink the jail. Say hi to your neighbors; they may greet you with beer and snacks.

Root:
Pay close attention to the components involved, and how they may be used to root the box.

Cheers!

Hello everybody.

I’m trying to exploit the vulnerability in the code b***.py, but I don’t understand why my payload doesn’t work. I tried it on my machine and it works without problems. Please, can someone send me a PM to verify my payload and give me a nudge to understand why it doesn’t work? Thanks

Edit: I have the user now … I’m reading the documentation of V***t. I don’t know exactly what to do, and I hope I will find it in the docs.

Edit2: Rooted … once you get the user, getting root is really easy. Just find something which manages secrets and read the associated doc.