Edit: Overlooked totally stupid open door … rooted
Spoiler Removed
Nice box, I don't think it's one of my favorites though. An intermediate-level box (at least for user). Too much RTFM, although that is pretty much a prerequisite for infosec; I find myself speed reading and missing stupid, obvious stuff lol. I'll give this 4 stars, as it is straightforward, although if you don't read everything carefully it can turn into a head banger. Some tips so others don't have to scroll through the thread every time they need some ideas/help:
Initial Foothold:
Probably the hardest step on this machine. But don't worry, it's not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely, I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you're getting syntax errors when trying to authorize), the other is a naughty programming practice that has something to do with accepting user input. After that it's just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in BASH can open up a new thread/process in the background?
User:
Hmm, sort of a headbanger, but actually straightforward if you don't rush things like I did. You actually don't have to enumerate much. It's also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don't be like gog and magog and throw it away ;). If you retrace your steps and keep your loot, you'll find more loot by enumerating more, maybe even a key to the casshtle.
Root:
Easiest, I shouldn't need to give anyone any tips here. It's best to read the --help of an interesting service that isn't run by default on *nix machines.
GL!
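The "naughty programming practice that has something to do with accepting user input" above (a later post in this thread calls it the ev** function) is the classic pattern of passing a request parameter to Python's eval(). The following is an added illustration, not the application code from the box: the function names, the module-level EXECUTED list and the payload string are constructed for the demo. It shows why a truthy-looking expression slips through the vulnerable check, and how an ast.literal_eval() based parser that only accepts a boolean literal rejects the same input.

```python
import ast

# Module state that an injected expression can reach. The constructed payload
# below appends to it to prove that arbitrary code ran (demo only, not box code).
EXECUTED = []


def is_true_unsafe(value: str) -> bool:
    """Vulnerable pattern (hypothetical): evaluate user-controlled text as Python.

    eval() resolves names against this module's globals, so the caller's
    string can touch anything defined here, import modules, and so on.
    """
    return bool(eval(value))


def is_true_safe(value: str) -> bool:
    """Hardened counterpart (hypothetical): accept only the literals True/False.

    ast.literal_eval() parses Python literals without executing code; it raises
    ValueError for names, calls and boolean operators. The isinstance check then
    rejects other literals such as 1, "yes" or [].
    """
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError(f"not a boolean literal: {value!r}") from None
    if not isinstance(parsed, bool):
        raise ValueError(f"not a boolean literal: {value!r}")
    return parsed


# Constructed payload: a valid expression with a side effect that still
# evaluates to True, so the vulnerable caller sees a normal result.
PAYLOAD = "EXECUTED.append('injected') or True"


def demo() -> dict:
    """Run both parsers over the payload and over the legitimate inputs."""
    EXECUTED.clear()
    unsafe_result = is_true_unsafe(PAYLOAD)
    unsafe_side_effect = list(EXECUTED)

    EXECUTED.clear()
    try:
        is_true_safe(PAYLOAD)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    return {
        "unsafe_result": unsafe_result,          # True: caller notices nothing
        "unsafe_side_effect": unsafe_side_effect,  # ['injected']: code ran
        "safe_rejected": safe_rejected,          # True: payload refused
        "safe_side_effect": list(EXECUTED),      # []: nothing executed
        "safe_true": is_true_safe("True"),
        "safe_false": is_true_safe("False"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The safe version deliberately raises on anything that is not exactly True or False rather than coercing it; an API that wants to be lenient should map a small explicit set of strings ("true", "false", "1", "0") to booleans itself instead of letting a parser guess.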
I actually rooted this a while back; I've just come back to say that ever since then this has been one of my favorites ever. IMO it's incredibly realistic, I can tell, as I've been working with the exact tools for the past year. So yeah, really congrats to the maker, for me one of the best, nicely put together, modern, realistic box.
I enjoyed this box, it was realistic and straightforward and I always enjoy using Python. I did waste a lot of time because I messed up when trying to sh with the i_r**, but other than that it was straightforward.
Tips:
- If you're struggling to get a reverse shell, first try to get any connection to your machine, then build on it from there.
- Try lots of different types of reverse shell (pentestmonkey) until one works.
- Once you've got a shell you don't have to look very far to find the way to break out.
- Once you have user, use your new creds to take a good look through gogs. Find a way you can log in as root.
Feel free to PM for more help.
@MetinYigit said:
hi everyone, I am stuck on user. I have found the ev** funct. and I have edited the te**.py file to get a reverse shell. But how can I trigger this file to take a shell? Any hint? Thanks
EDIT: GOT ROOTED! THANKS TO EVERYONE
Finally rooted ! Very realistic box, learned a lot.
Feel free to pm me if you are stuck !
I am stuck at the jail. I already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?
If you reached this far in the forum page you are probably stuck; I'll try to give some hints regarding the time wasters I went through.
Initial Foothold:
-Try to stray away from the common web vulns and focus on enumerating the actual source code… maybe something that's been recently changed.
-After you find the vuln function, research how to exploit it.
-Try to use some of the scripts already found on there
User:
-Again try to use some of the scripts already found, but focus on reading each line of code to see what it does.
-After you get the info you want try to step back?
Root:
-from the new files you can read, you should be able to see how to use this tool to get to root. Needs some researching
hopefully I didn't spoil
Initial Foothold:
How can I check subdomains of an IP address, 10.10.10.110?
Everything is HTTP error 500.
Dirb doesn't work…
Started brute force on 10.10.10.110 but stopped after 2 days.
Tried to add the api and gog subdomains to the hosts file, cannot be resolved.
Tried to find a DNS server that resolves craft.htb, not found.
Waste of time, this is a p…sh
If you're in the jail and trying to figure out what the heck this is and where to look, just look at this same dir, examine the code in that file and figure out what the functions do line by line. Chances are that you, just like me, don't know this exact function which sets a restriction. Just google the documentation, find the right one and substitute.
Some simple stuff which took several hours.
Thanks to everyone in this thread for hints.
On to root.
EDIT: rooted.
couldn't figure out how to use this, then just paused and started reading the docs normally
easy step for anyone who knows the service
this is not a vuln or any kind of exploit, so don't waste time searching for one
anyone getting server error 500 in /api/? I keep on getting this since I started 2 days ago. If you know something, please help.
stuck in jail. g******e gave me keys but I don't know how to use them. Any hints?
chmod i*_**a 600 what a shame
@shadyR said:
anyone getting server error 500 in /api/? I keep on getting this since I started 2 days ago. If you know something, please help.
I have the same problem, I think the api and gig pages are just a rabbit hole.
Try to brute force 10.10.10.110 to find php or html files.
Root access to docker container via RCE, I'm stuck here, no idea what to do. Dumped database, found 3 users… pw reuse…
Got access to 2 out of 3 users in git (gogs) and found one extra repo.
In the extra repo found info about vault and one set of not-so-private keys… Also got to know that vault is used for SSH OTP.
Overall I have some info but I'm unable to connect the dots to even get the user.
help please, where do I go from here!!
remark!!! ssh.key use: chmod 600 ssh.key
@hanter said:
Root access to docker container via RCE, I'm stuck here, no idea what to do. Dumped database, found 3 users… pw reuse…
Got access to 2 out of 3 users in git (gogs) and found one extra repo.
In the extra repo found info about vault and one set of not-so-private keys… Also got to know that vault is used for SSH OTP.
Overall I have some info but I'm unable to connect the dots to even get the user.
help please, where do I go from here!!
How can you enter the gog site?
Thanks
This was a great box!
Tips for root:
once you have user, just check the machine and gogs for what technology the app uses for managing its secrets. Once you get to know that, just read the documentation on the vendor site and you'll know what to do. PM for hints on user or root.
beer, silicon valley, and hackthebox? doesn't get better than this.
User:
don't overthink the jail. Say hi to your neighbors; they may greet you with beer and snacks
Root:
pay close attention to the components involved. And how they may be used to root the box
Cheers!
Hello everybody.
I'm trying to exploit the vulnerability in the code b***.py, but I don't understand why my payload doesn't work. I tried it on my machine and it works without problems. Can someone please send me a PM to verify my payload and give me a nudge to understand why it doesn't work? Thanks
Edit: I have the user now… I'm reading the documentation of V***t. I don't know exactly what to do, and I hope I will find it in the docs.
Edit2: Rooted… once you get the user, getting root is really easy. Just find something which manages secrets and read the associated doc.