Nice box, I don't think it's one of my favorites though. An intermediate level box (at least for user). Too much RTFM, although that is pretty much a prerequisite for infosec; I find myself speed reading and missing stupid, obvious stuff lol. I'll give this 4 stars, as it is straightforward, although if you don't read everything carefully it can turn into a headbanger. Some tips so others don't have to scroll through the thread every time they need some ideas/help:
Initial Foothold:
Probably the hardest step on this machine. But don't worry, it's not that difficult. First, like everyone else is saying, make sure you enumerate the subdomains completely, I mean every single commit and line of code. You will see two things that should stand out. One will help with getting a token for the API (look at the code if you're getting syntax errors when trying to authorize), the other is a naughty programming practice that has something to do with accepting user input. After that it's just about making sure your payload is working and formatted correctly. If people are having trouble with a nc shell that keeps dropping, ask yourself what symbol/command in BASH can open up a new thread/process in the background?
User:
Hmm, sort of a headbanger, but actually straightforward if you don't rush things like I did. You actually don't have to enumerate much. It's also basically about thinking how to leverage running a database query using the files and programs available to you. Also, if you find some loot, don't be like Gog and Magog and throw it away ;). If you retrace your steps and keep your loot, you'll find more loot by enumerating more, maybe even a key to the casshtle.
Root:
Easiest, I shouldn't need to give anyone any tips here. It's best to read the --help of an interesting service that isn't run by default on *nix machines.
I actually rooted this a while back; I've just come back to say that ever since then this has been one of my favorites ever. IMO it's incredibly realistic, I can tell, as I've been working with the exact tools for the past year. So yeah, really congrats to the maker; for me one of the best, nicely put together, modern, realistic boxes.
I enjoyed this box, it was realistic and straightforward, and I always enjoy using Python. I did waste a lot of time because I messed up when trying to sh with the i_r**, but other than that it was straightforward.
Tips:
If you're struggling to get a reverse shell, first try to get any connection to your machine, then build on it from there.
Try lots of different types of reverse shell (pentestmonkey) until one works.
Once you’ve got a shell you don’t have to look very far to find the way to break out.
Once you have user, use your new creds to take a good look through gogs. Find a way you can log in as root.
Hi everyone, I am stuck on user. I have found the ev** funct. and I have edited the te**.py file to get a reverse shell, but how can I trigger this file to get a shell? Any hint? Thanks
I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?
If you've reached this far in the forum page you are probably stuck; I'll try to give some hints regarding the time wasters I went through.
Initial Foothold:
-Try to stray away from the common web vuln and focus on enumerating the actual source code… maybe something that’s been recently changed.
-After you find the vuln function, research how to exploit it.
-Try to use some of the scripts already found on there.
User:
-Again try to use some of the scripts already found, but focus on reading each line of code to see what it does.
-After you get the info you want try to step back?
Root:
-From the new files you can read, you should be able to see how to use this tool to get to root. Needs some researching.
Initial Foothold:
How can I check subdomains of an IP address, 10.10.10.110?
Everything is HTTP error 500.
Dirb does not work…
Started brute force on 10.10.10.110 but stopped after 2 days.
Tried to add the api and gog subdomains to the hosts file, cannot be resolved.
Tried to find a DNS server that resolves craft.htb, not found.
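The question above (subdomains of a bare IP, everything answering 500, names that will not resolve) is about HTTP virtual hosting, not DNS: one web server on one IP serves different sites depending on the Host header it receives, and a Host it does not know can get an error page. You discover the names by sending requests to the IP with candidate Host headers, then make them resolve locally by adding them to /etc/hosts. The following is an added example, not code from the thread or from the box. The local stand-in server, its set of known names, the 500-for-unknown-host behaviour, and the mini-wordlist are all constructed here to mirror the symptom in the post; the target IP 10.10.10.110 and the craft.htb names are taken from the post and are only used to build the hosts-file lines.

```python
"""Virtual-host discovery against a bare IP, with a constructed local target.

Added example (not from the thread or the box). A stand-in HTTP server
answers 200 for Host headers it knows and 500 for everything else, which is
the symptom the post describes. find_vhosts() probes it with candidate names
and reports the ones that do not get the "unknown host" response.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the virtual hosts the stand-in server is configured for.
KNOWN_VHOSTS = {"craft.htb", "api.craft.htb", "gogs.craft.htb"}


class _VHostHandler(BaseHTTPRequestHandler):
    """Answers 200 for a known Host header, 500 for anything else."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host in KNOWN_VHOSTS:
            body = f"site for {host}\n".encode()
            self.send_response(200)
        else:
            body = b"Internal Server Error\n"
            self.send_response(500)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the stand-in server on 127.0.0.1 and return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_vhost(ip, port, hostname, timeout=3):
    """GET / from ip:port, but with Host: hostname; return the status code.

    http.client uses the Host header we supply instead of adding its own,
    so the TCP connection goes to the IP while the server sees the name."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        return conn.getresponse().status
    finally:
        conn.close()


def find_vhosts(ip, port, domain, wordlist):
    """Return {hostname: status} for candidates whose response differs from
    the baseline. The baseline is measured with a name that is almost
    certainly not configured, so a server that answers 500 for every unknown
    Host is handled instead of every candidate being reported as a hit."""
    baseline = probe_vhost(ip, port, f"nonexistent-{domain}")
    found = {}
    for word in [""] + list(wordlist):
        name = domain if word == "" else f"{word}.{domain}"
        status = probe_vhost(ip, port, name)
        if status != baseline:
            found[name] = status
    return found


def hosts_file_lines(ip, names):
    """Lines to append to /etc/hosts so the discovered names resolve to the
    target IP; there is no DNS server for them, as the post found out."""
    return [f"{ip} {name}" for name in sorted(names)]


if __name__ == "__main__":
    srv, port = start_server()
    try:
        # Constructed mini-wordlist; a real run uses a subdomain wordlist.
        hits = find_vhosts("127.0.0.1", port, "craft.htb",
                           ["www", "api", "gogs", "dev", "mail"])
        print("virtual hosts:", hits)
        print("\n".join(hosts_file_lines("10.10.10.110", hits)))
    finally:
        srv.shutdown()
```

Against a real target the same probe is what tools like ffuf or wfuzz do with a Host-header wordlist; the baseline comparison matters because, as the post notes, the unknown-host answer here is a 500 rather than a 404, and a scanner that only filters 404s would report every name as live.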
If you're in the jail and trying to figure out what the heck this is and where to look, just look at this same dir, examine the code in that file and figure out what the functions do line by line. Chances are that you, just like me, don't know this exact function which sets a restriction. Just google the documentation, find the right one and substitute.
Some simple stuff which took several hours.
Thanks to everyone in this thread for hints.
On to root.
EDIT: rooted.
Couldn't figure out how to use this, then just paused and started reading the docs normally.
Easy step for anyone who knows the service.
This is not a vuln or any kind of exploit, so don't waste time searching for one.
Once you have user, just check the machine and gogs for what technology the app uses for managing its secrets. Once you get to know that, just read the documentation on the vendor site and you'll know what to do. PM for hints on user or root.
I'm trying to exploit the vulnerability in the code b***.py, but I don't understand why my payload doesn't work. I tried it on my machine and it works without problems. Please, can someone send me a PM to verify my payload and give me a nudge to understand why it doesn't work? Thanks
Edit: I have the user now … I'm reading the documentation of V***t. I don't know exactly what to do, and I hope I will find it in the docs.
Edit2: Rooted … once you get the user, getting root is really easy. Just find something which manages secrets and read the associated doc.