Craft

I am stuck at the jail. Already got the credentials, all three of them, but I have no idea where to use them. Already tried SSH and looking through their gogs repos, but nothing worked. Can someone please give me a hint?

If you reached this far in the forum page you are probably stuck. I’ll try to give some hints regarding the time wasters I went through.

Initial Foothold:

-Try to stray away from the common web vuln and focus on enumerating the actual source code… maybe something that’s been recently changed.
-After you find the vuln function, research how to exploit it.
-Try to use some of the scripts already found on there

User:

-Again try to use some of the scripts already found, but focus on reading each line of code to see what it does.
-After you get the info you want try to step back?

Root:

-From the new files you can read, you should be able to see how to use this tool to get to root. Needs some researching.

Hopefully I didn’t spoil :slight_smile:

Initial Foothold:
How can I check subdomains of an IP address, 10.10.10.110?
Everything is HTTP error 500.
Dirb does not work…
Started brute force on 10.10.10.110 but stopped after 2 days.
Try to add api and gog subdomains to hosts file, cannot be resolved.
Try to find a DNS server that resolves craft.htb, not found.

Waste of time this a p…sh

If you’re in the jail and trying to figure out what the heck this is and where to look, just look in this same dir, examine the code in that file and figure out what the functions do line by line. Chances are that you, just like me, don’t know this exact function which sets a restriction. Just google the documentation, find the right one and substitute.

Some simple stuff which took several hours.

Thanks to everyone in this thread for hints.

On to root.

EDIT: rooted.
couldn’t figure out how to use this, then just paused and started reading docs normally
easy step for anyone who knows the service
this is not a vuln or any kind of exploit, so don’t waste time searching for one

Anyone getting server error 500 in /api/? I keep on getting this since I started 2 days ago. If you know something, please help.

Stuck in jail. g******e gave me keys but I don’t know how to use them. Any hints?

chmod i*_**a 600 what a shame :smile:

@shadyR said:

Anyone getting server error 500 in /api/? I keep on getting this since I started 2 days ago. If you know something, please help.

I have the same problem, I think the api and gig pages are just a rabbit

Try to brute force 10.10.10.110 to find php or html files.

.

Root access to docker container via RCE, I’m stuck here, no idea what to do. Dumped database, found 3 users… pw reuse…

Got access to 2 out of 3 users in git (gogs) and found one extra repo

In extra repo found info about vault and one set of not so private key… Also got to know that vault is used for SSH OTP.

Overall I have some info but I’m unable to connect the dots to even get the user.

help please where do I go from here!!

Remark!!! ssh.key use: chmod 600 ssh.key

@hanter said:

Root access to docker container via RCE, I’m stuck here, no idea what to do. Dumped database, found 3 users… pw reuse…

Got access to 2 out of 3 users in git (gogs) and found one extra repo

In extra repo found info about vault and one set of not so private key… Also got to know that vault is used for SSH OTP.

Overall I have some info but I’m unable to connect the dots to even get the user.

help please where do I go from here!!

How can you enter the gog site?

Thanks

This was a great box!

Tips for root:

Once you have user, just check the machine and gogs for what technology the app uses for managing its secrets. Once you get to know that, just read the documentation on the vendor site and you’ll know what to do. PM for hints on user or root.

beer, silicon valley, and hackthebox? doesn’t get better than this.

User:
don’t overthink the jail. Say hi to your neighbors they may greet you with beer and snacks

Root:
pay close attention to the components involved. And how they may be used to root the box

Cheers!

Hello everybody.

I’m trying to exploit the vulnerability in the code b***.py, but I don’t understand why my payload doesn’t work. I tried it on my machine and it works without problems. Please, can someone send me a PM to verify my payload and give me a nudge to understand why it doesn’t work? Thanks

Edit: I have the user now… I’m reading the documentation of V***t. I don’t know exactly what to do, and I hope I will find it in the docs.

Edit2: Rooted… once you get the user, getting root is really easy. Just find something which manages secrets and read the associated doc.

Can somebody PM me and give me a hand on the initial shell?

I’ve gotten a nc shell to launch with an authenticated c*** request, but it’s connecting from my machine instead of the server.

root@craft:~#

:slight_smile:

Hi @ all! Started with Craft and got creds from d***** to login and also got ssh key! Tried to exploit the e*** on my system and it works, but when posting on the server it doesn’t! Now I’m stuck, can someone help me? THX to all for helping me :smile:

Hi all,
I found d***** creds, using which I exploited a certain function to get back a reverse shell. However, I am in a B****** shell, I think. Can’t do anything from there. Not sure how to get out of it. Pls PM me someone, any kind of nudge would be appreciated.
Thanks :slight_smile:

Rooted. Lol. :slight_smile:

Is there no webpage? If I go to http://10.10.10.110 I get unable to connect, but I can nmap it and see 2 open ports. Is that normal?

Did anyone have any issues with their SSH client hanging after successful authentication? I am working on getting user and believe I have found the correct path. Found interesting file while enum in jail and ran SSH in verbose mode to see auth was successful.

Fixed → Note to anyone that comes across same issue, don’t throw everything at the door until you know what you have.

Hey all,

Can someone PM me help on getting initial foothold? I am able to get RCE, however I am not able to get a callback or the desired output I’m expecting. I believe I know what I have to do, according to an article I found online, however I can’t seem to get it working. I believe it’s due to my lack of understanding of how Python works and would like to discuss further with someone via PM to avoid spoilers.