Haystack

Rooted! Very interesting path from initial shell to root, learned a good amount about ELK

Found the high port and some of its files. Please give me a hint, how to get to the database.

Any nudge on the ‘empty reply from server’ error? Used quotes, but I am still getting the same error… just making sure if it’s a server-side error and not my syntax.

Rooted. Interesting and fun box, learned something new.
PM me for a nudge.

@pytera I was stuck at the same place as you with the empty reply from server for 2 full days of working on this. I finally reset the box and it worked. So buy VIP if you don’t have it already, very helpful for this box!

Edit: Rooted! Hardest part of box is realizing you need to reset the box to get it to work.

Rooted! Nice box!

Rooted, but very curious as to why the exploit going from sy to ka didn’t work half the time. I have VIP and it worked when I would reset the box, but if I tried to recreate my steps if I lost my k**a connection, it didn’t work. If anyone has insight on this, please PM me

If anyone needs any help with the box, feel free to PM me as well

adding more dotdotslash did the trick for me

Hi, I got an empty reply from server when I do privesc from user to k****a. Please let me know if anyone has found a way to handle this. Couldn’t connect to the reverse shell. Found the exploit and am running the curl command, but it doesn’t help.

Hi, can someone please PM me? Need help with root. I know the 3 well-known files but I have no idea what to do next. Thx

I’ve read through tons of “hints” and NONE of them help a newb.

Rooted. Had to get VIP, this one was soooo unstable for me.

@Hacker1093 said:

> Hi, I got an empty reply from server when I do privesc from user to k****a. Please let me know if anyone has found a way to handle this. Couldn’t connect to the reverse shell. Found the exploit and am running the curl command, but it doesn’t help.

Hi Dude, I have the same issue, have you figured this out yet? I have added more …/ and quotes but it didn’t help… I would appreciate a nudge :)

I need help with the redirection for the k**a service, it is only listening on localhost. I have user shell. Please someone DM

Once inside, if you’re having a hard time with privesc, try bouncing the box.

great box, PM if you need help

4/5. Great box, fairly easy, but not total beginner easy! Not very CTF-like either, only user. Only one point off because the tempo slows down a little bit (lots of RTFM!) from k****a user to root, and the wonkiness of the CVE for the L** exploit from user to k-. In all honesty I was going to give this machine a 1 because the L** payload wasn’t executing for me even with all the tips on the forums, until I realized that it was a copy and paste error. So make sure to read carefully all your payloads before you send them, especially when using a wonky tty/pty. Here are my tips:

FOOTHOLD:
The picture isn’t a red herring, in fact it has a very important tip inside the quotes once you find the message. Once you figure out what is running on the high port and get all the data from the non-default database (b**k and .k****a are default). Once you find the correct database go back to the tip within the quotes within the picture, if the name of the database doesn’t give it away, you can use Google Translate to find the tip word. Now you can either dump the db or just write a script to go through requests and grep using the tip word, you’ll find the cred needle in the haystack of South American history very easily if you can put the CTF tips and hints together.

USER:
Search for a CVE for a certain process running on the machine. Once you find it you will have to do some SSH Black Magic (google that to see the light at the end of the tunnel), and then you’ll get access to a port that is only accessible from localhost (read the process’s conf files to figure out which port), you can then run the exploit correctly. Also make sure to check the formatting of your rev shell and the payload port.

ROOT:
Look for directories which your new group has access to, something will stand out with root access as well. RTFM and the conf files of this newly available process/service/last part of elk stack. It should be self-explanatory on how to get a rev shell (you may need to find a way to get nc on the machine or use another rev shell from pentestmonkey’s website), play around on the debugger from the port you opened using ssh black magic to get the syntax correct (regex knowledge helps). And go make a coffee, because it takes a while for the payload to fire, but it eventually does (I went and got myself a literal cookie! lol)

GL!

PS> You may need to rename the shell file for your L** every time you need to fire it, that way you won’t need to restart the machine.

Thank you for the box.

Hint for user: A base64-encoded string doesn’t always end with an equal sign =

Hint for root:

If you are using curl and you get errors …

- Use quotes … curl -XGET 'http://'
- Put your file in /tmp, rather than in your home directory
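
The user hint above is about base64 that has lost its `=` padding. As an added example (not code from any post in this thread), this sketch carves base64-looking runs out of arbitrary file bytes and decodes them whether or not the padding is present; the sample blob and its message are constructed.

```python
import base64
import re
from typing import List, Optional

# Runs of base64 alphabet characters, optionally followed by '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_lenient(token: bytes) -> Optional[bytes]:
    """Decode base64 whether or not the trailing '=' padding is present."""
    core = token.rstrip(b"=")
    if len(core) % 4 == 1:
        return None  # no valid base64 string has this length
    padded = core + b"=" * (-len(core) % 4)  # restore the missing padding
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def carve_base64(blob: bytes) -> List[str]:
    """Return the printable UTF-8 decodings of base64 runs found in blob."""
    found = []
    for match in B64_RUN.finditer(blob):
        raw = decode_lenient(match.group())
        if raw is None:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # decoded to binary noise, not a message
        if text.isprintable():
            found.append(text)
    return found


# Constructed sample: binary filler followed by an unpadded base64 line,
# the kind of trailer that shows up when running strings over a file.
MESSAGE = "constructed sample note"
UNPADDED = base64.b64encode(MESSAGE.encode()).rstrip(b"=")
SAMPLE_BLOB = b"\xff\xd8\xff\xe0" + bytes(range(32)) + b"\xff\xd9\n" + UNPADDED + b"\n"

if __name__ == "__main__":
    for text in carve_base64(SAMPLE_BLOB):
        print(text)
```
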

I think some of the hints being passed around aren’t considering total noobs. I’m still trying to figure out how to properly search… HINT: it is documented, but it’s hard to understand.

@bipolarmorgan said:

> I think some of the hints being passed around aren’t considering total noobs. I’m still trying to figure out how to properly search… HINT: it is documented, but it’s hard to understand.

If you are having problems searching, you could dump the database as JSON using a GitHub tool.

However, querying all the records should be easier.