Writeup


Comments

  • edited September 2019

    @Expojetsu said:

    @0rbit4L said:

    @KaniJX said:

    Looking for some help with user

    Been banging my head against the wall running the c***s exploit, I keep getting a connection error. I've read that I need to toy with the t variable but I've tried many different values for it and nothing. PM me if you have any hints, thanks guys.

    For me I just kept trying... and eventually it worked. At first I was changing the T var and nothing was working, so I put it back to default and left it for a short while, and when I got back to it, it worked. I'm not sure if it was just running it at a specific time that it worked or not.

    My issue is where to plug in the creds, cuz they don't work on /w*****/a**** and the only other LI I know for this box is the home page NetSec and that didn't work either.. would some kind soul PM me and point me in the right direction with a small hint, I'm sooo close :smile:

    Look for other services in your nmap result ;)

    If you mean port 22 ssh, I've tried it and nada :neutral:

    Nvm, thanks @Expojetsu, you were right, I was making a dumb ass noob error

  • I got user, and I'll try to get root, but I don't have any idea. I think that could be a recurrent process and overwrite daily process, could someone help me?

  • I think that I have a hint for privilege escalation, I'm in a writable directory but I don't have any idea how to exploit this. I used some binaries, but they don't work, help me!!

  • got user.. thanks @jkr for all your help just call me george j, onto root now.

  • @kazza said:

    @jh305 said:
    One thing I haven't seen anyone mention is how they get p*** onto the machine. wget doesn't seem to work?!

    In Linux, once you have SSH you can always use SCP for file transfer. Failing that, set up a mini web server on your machine and use wget/curl. Or even, just use nc and pipe it.

    Ended up using SCP and learning something new, thanks!

  • edited September 2019

    nvm I think I got it

  • edited September 2019

    I'm getting a failure when running the something against the C*S. Keeps dying at

    '[*] Try: *'

    Are we supposed to have to re-write some portion of what is running?

    EDIT: nvm

  • @sudogetgud said:

    Just got root! Protip: The ippsec LAZY video is most useful starting at 18 mins in!

    Hi, could you give more hints to this?? I can't get root yet

  • edited September 2019

    Anyone give me a nudge on root for writeup. Running the p****4 script but not sure what I am looking for. Seen the ippsec LAZY video and understand the process but not sure how this translates to this host.

  • @kiemera said:

    Anyone give me a nudge on root for writeup. Running the p****4 script but not sure what I am looking for. Seen the ippsec LAZY video and understand the process but not sure how this translates to this host.

    You should check previous comments, there are a lot of hints...

    But here's my hint: Focus on understanding what p****4 does, once you know what it does, try to use it for any task you do, "even the one you think is most obvious", from there you just need to apply the logic by following the correct path.

    Good luck!

  • Blocked with root... can anyone send a private message with clear instructions? Thanks guys in advance!

  • Got root. If anyone needs help, feel free to DM.
    Great box to practice the fundamentals. Thanks @jkr

  • edited September 2019

    User was skid level easy. Root was easy, but so convoluted, and not to mention confusing since a lot of comments in this thread are misleading. Not a big fan of this machine, I feel it should have been worth more than 20pts since root requires more thinking than just knowing the fundamentals, you have to really think outside the box. Plus without the forum this machine would be a brainfuck on VIP labs. I'll give this machine a 3/5. Probably better for someone who isn't a total newbie, but still hones in the fundamentals while forcing you to think creatively and like a sys admin. Some tips:

    USER:
    Do your fundamental recon, take notes on the tech used, google for the correct exploit and remember stuffing is not only for turkeys, sometimes it's for credentials as well

    ROOT:
    Whew, laddie. I don't know where to start with this one. @illuminatiguy (page 6) gave the best advice here so far for root. So just go back and read his comments, not much more I can add, except that you'll need to use two terminals and log in and out of one while monitoring with the other.

    GL!

    Hack The Box

  • rooted

    That box really put me in my place lol

  • Rooted. Bit of overthinking on privesc. Thank you @antim4g3 for the nudge.

  • edited September 2019

    Could someone PM me for a nudge on root? I know what I need to do with P**H and I used the tool p****4 but I can't seem to find a writable dir.

    EDIT:
    Never mind, I finally got it!!! Pretty good machine, root was fun but it's easy to fall into rabbit holes.
    I've made it without using remote shells or anything, pretty easy actually. PM me if someone who got it wants to share different methods.

  • Finally pwned user and root today (my first box!).

    Thanks for the largely non-spoilery tips here guys, learned a lot. Could someone PM me the way they enumerated for user? I wouldn't have figured it out if someone didn't give too much of a hint on enumeration

    To echo others:

    user: enumeration is the key to starting, and once you later find the exploit, READ IT CAREFULLY; it does more than you think and it will make your last run for this flag much simpler

    root:

    ippsec-lazy. He takes the time to run a couple of examples of a trick for simple privesc. You just have to find the right path

  • Rooted. Anyone who needs help on root can DM me. It's just in front of ur eyes. Find the writable location.

  • Rooted.. thanks to @jkr and working the second half with @djdale3. It benefits us to work in pairs or even teams on some of these boxes, it makes a huge difference. I have no hints other than what's already been said on this forum.

  • Great Box, learned a lot.

    Big Respect to @HEXE and @deafheaven for the help at the last PE part!

    PM me for hints if you need help ;)

  • edited September 2019

    @AfricanHippo said:

    @doates12 said:

    For the exploit for user, should I be using the /w****** or the /w******/a**** path?

    Focus on the /w****** path - find a tool that can help identify what the website is running (databases, language written in.. etc..) then find which one of the services are vulnerable

    If u check the source code of the /w******* page u actually don't need any tool for enumeration, though the tool may come in handy on other machines ;-) ..... I'm stuck too on the login page.. searching Google I got an exploit for /w*****/a**** but no luck there either. Any help much appreciated

  • Rooted!! Thanks and respect to @Shad0wQu35t

    MarsG

  • I'll leave my mark on Root as it was the most difficult part for me.
    What you want to use is a process monitor, the one mentioned here was the best (p**y).
    Once you get it to work, you may need to interact with it, maybe doing what you used to get here.
    You have to follow the PATH, even if it keeps changing, so you will have to see how to make it not change. You should look for it if you are as lost as I was. IppSec's Lazy Machine explained it very well, and documentation of PATH comes in handy.

    Once you've done all of that, creating a file (in a writable directory) named after what you've been monitoring all this time should get you the reverse shell!

    I hope all of this works to the person struggling with the box!
    Thanks to @jkr for this amazing box! I've learned a lot of privesc :blush:
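
Added example, not part of the thread or any poster's code: the root hints above come down to a privileged process resolving a command by name through a PATH that contains a directory a lower-privileged user can write to. The function below is an audit an administrator can run against a PATH string to flag such entries in search order; the name `audit_path` and the output labels are choices made for this example.

```shell
#!/bin/sh
# audit_path "<PATH string>": print one line per risky entry as
# "<position> <FINDING> <dir> [mode]". Position matters because the first
# directory holding a matching name wins the lookup.
audit_path() {
    path_value=${1-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                      # no glob expansion while splitting on ':'
    set -- $path_value
    set +f
    IFS=$old_ifs
    position=0
    for dir in "$@"; do
        position=$((position + 1))
        case $dir in
            "") echo "$position RELATIVE (empty entry, means current directory)"
                continue ;;
            /*) ;;
            *)  echo "$position RELATIVE $dir"
                continue ;;
        esac
        if [ ! -d "$dir" ]; then
            # Whoever can create this directory later controls the lookup.
            echo "$position MISSING $dir"
            continue
        fi
        # -L follows symlinks so the mode of the real directory is checked.
        perms=$(ls -ldL "$dir" | cut -c1-10)
        group_w=$(printf '%s' "$perms" | cut -c6)
        other_w=$(printf '%s' "$perms" | cut -c9)
        if [ "$other_w" = "w" ]; then
            echo "$position WORLD-WRITABLE $dir $perms"
        elif [ "$group_w" = "w" ]; then
            echo "$position GROUP-WRITABLE $dir $perms"
        fi
    done
    return 0
}

# Stand-alone run: audit the PATH of the current shell.
audit_path "$PATH"
```

Run it with the PATH that privileged jobs and login scripts actually use, not only the interactive one; a group-writable finding still needs a check of who is in that group.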

  • edited September 2019

    Straightforward box, very reminiscent of the OSCP lab machines. User is fairly straightforward through cve. Privesc was pretty simple, but required a decent understanding of linux environment to pull off. PM for hints/nudge. If you're fairly experienced with HTB/ctfs, this will be a quick 0 to root in about an hour or two.

    If you are struggling on privesc, check out pspy. Some of the other comments on here made it seem like it was alr on the box, I had to upload it myself. Check out what runs on the box and how your current permissions can be used to "trick" these processes. There is another comment on here referencing an ippsec video, you should prob find that.

  • Ready!! I got root some days ago, if you need some hints you can send me a DM.....

    User: Use a CVE and make sure that the URL works, after this it's a piece of cake

    Root: Be careful with the cleaner and use pspy with other users, permissions are very important

  • Rooted!
    My summary for this machine:
    1) Enumerate all
    2) Basic enumeration, but in this case on a popular port
    3) The CVEs are really helpful
    4) Don't forget the salt!
    5) Here we can use the phase one :smiley:

    Hint: Some pages are distracting.
    Hint2: I am a noob in these topics and did it by only reading the first three pages of this discussion, and if I could do it, you can too!

  • After a couple of weeks, rooted! Thanks to @OruX, @albertojoser and @GibParadox. If anyone needs a hint, PM me.

  • Yaay finally rooted. The user was easy but the root was kind of tricky.
    If anyone needs hints, PM

  • Hi, I'm having a lot of problems using w*** on the machine in order to get pspy. I don't know if it's the VM I'm using (VirtualBox), but I spent the past 6 hours trying to figure out how to download the pspy binary and it's impossible. It starts downloading and after 1.31kbs it stops and doesn't download anymore. From local I can use the server as a normal one and it works perfectly. Does anybody know what's the problem? Is it my VM or something else?

    Thanks in advance
