Haystack


Comments

  • Hi will someone be able to help with haystack? confused about the right path

  • Finally rooted this box! I spent way too much time being dumb and trying to get the LFI to run in the K****a debugging console, and couldn't understand why I was just getting weird errors. All that was needed in the end was a good old curl. Root was then pretty simple.

    Some tips:
    User-

    • The image isn't useless, maybe get the help of a feline friend
    • The high port has a well documented API, learn how to talk to it
    • When you know how to talk, look through all the information, and then search for what the image told you (be aware you may be only looking at 10 entries at a time)
    • When you find what you're looking for you should know what to do

    Root-

    • You may need to become someone else
    • If there is a service only available locally, there is a way to make it available to the outside
    • Don't be like me and try to use the stupid debugging console
    • Check the processes running for anything nonstandard, investigate them and then find a way to escalate.
    • An online debugger for G**k helped me a lot

    PM me if you need any help.

    redshift

    If I have been helpful, respect is always appreciated.
    https://www.hackthebox.eu/home/users/profile/67581

  • edited September 2019

    @0x0raco said:

    Can someone help me with the root, please? I am getting '{"statusCode":400,"error":"Bad Request","message":"\"apis\" is a required param."}' error every time I try to use the exploit.

    We receive the same error :neutral: Did you solve this problem? Please pm me

    Edit: Use quotes, for example curl "http://127.0.0.1:port/a**/c***........"

  • Hi, can someone nudge for escalating to k*** user? All kinds of confused!

  • Fairly easy box. Enjoyed it regardless.


    Hack The Box

  • I'm stuck on trying to pivot from se*y user to k****a. I know I have to view something that's only local remotely, but my ss command keeps failing and I'm unable to view that page. Can someone nudge me in the right direction?

  • Rooted! Very interesting path from initial shell to root, learned a good amount about ELK

  • Found the high port and some of its files. Please give me a hint, how to get to the database.

  • edited September 2019

    Any nudge on the 'empty reply from server' error? Used quotes, but I am still getting the same error. Just making sure if it's a server-side error and not my syntax.

    OSCP

  • Rooted. Interesting and fun box, learned something new.
    PM me for a nudge.

    CEH | Red Team

  • edited September 2019

    @pytera I was stuck at the same place as you with the empty reply from server for 2 full days of working on this. I finally reset the box and it worked. So buy VIP if you don't have it already, very helpful for this box!

    Edit: Rooted! Hardest part of box is realizing you need to reset the box to get it to work.

  • Rooted! Nice box!

  • edited September 2019

    Rooted, but very curious as to why the exploit going from s******y to k****a didn't work half the time. I have VIP and it worked when I would reset the box, but if I tried to recreate my steps if I lost my k****a connection, it didn't work. If anyone has insight on this, please PM me

    If anyone needs any help with the box, feel free to PM me as well

    Always willing to help! Please give respects if I help you on a box :)

  • adding more dotdotslash did the trick for me

    OSCP

  • Hi, I got an empty reply from server when I do privesc from user to k****a. Please let me know if anyone has found a way to handle this. Couldn't connect to the reverse shell. Found the exploit and am running the curl command, but it doesn't help.

  • Hi, can someone please PM me? Need help with root. I know the 3 well-known files but I have no idea what to do next. Thx

  • I've read through tons of "hints" and NONE of them help a newb.

  • rooted. had to get vip this one was soooo unstable for me

  • @Hacker1093 said:

    Hi, I got an empty reply from server when I do privesc from user to k****a. Please let me know if anyone has found a way to handle this. Couldn't connect to the reverse shell. Found the exploit and am running the curl command, but it doesn't help.

    Hi Dude, I have the same issue, have you figured this out yet? I have added more ../ and quotes but it didn't help.. I would appreciate a nudge :)

  • I need help with the redirection for the k**a service, it is only listening on localhost. I have user shell. Please someone DM

    Hack The Box
    If I helped you, I would love it if you could +rep me on my HTB profile.
    Somehow OSCP

    Also I will reply quicker on Discord. Hit me up Fr0sty 9#9550

  • Once inside, if you're having a hard time with privesc, try bouncing the box.

  • great box, PM if you need help

  • edited October 2019

    4/5. Great box, fairly easy, but not total beginner easy! Not very CTF-like either, only user. Only one point off because the tempo slows down a little bit (lots of RTFM!) from k****a user to root, and the wonkiness of the CVE for the L** exploit from user to k-. In all honesty I was going to give this machine a 1 because the L** payload wasn't executing for me even with all the tips on the forums, until I realized that it was a copy and paste error. So make sure to read carefully all your payloads before you send them, especially when using a wonky tty/pty. Here are my tips:

    FOOTHOLD:
    The picture isn't a red herring; in fact, it has a very important tip inside the quotes once you find the message. Once you figure out what is running on the high port and get all the data from the non-default database (b**k and .k****a is default). Once you find the correct database, go back to the tip within the quotes within the picture. If the name of the database doesn't give it away, you can use Google Translate to find the tip word. Now you can either dump the db or just write a script to go through requests and grep using the tip word. You'll find the cred needle in the haystack of South American history very easily if you can put the CTF tips and hints together.

    USER:
    Search for a CVE for a certain process running on the machine. Once you find it you will have to do some SSH Black Magic (google that to see the light at the end of the tunnel), and then you'll get access to a port that is only accessible from localhost (read the process's conf files to figure out which port). You can then run the exploit correctly. Also make sure to check the formatting of your rev shell and the payload port.

    ROOT:
    Look for directories which your new group has access to; something will stand out with root access as well. RTFM and the conf files of this newly available process/service/last part of ELK stack. It should be self-explanatory on how to get a rev shell (you may need to find a way to get nc on the machine or use another rev shell from pentestmonkey's website). Play around on the debugger from the port you opened using SSH black magic to get the syntax correct (regex knowledge helps). And go make a coffee, because it takes a while for the payload to fire, but it eventually does (I went and got myself a literal cookie! lol)

    GL!

    PS> You may need to rename the shell file for your L** every time you need to fire it, that way you won't need to restart the machine.

    Hack The Box

  • edited October 2019

    Thank you for the box.

    Hint for user : A base64 encoded string doesn't always end with an equal sign =

    Hint for root :

    If you are using curl and you get errors ...

    -Use quotes ... curl -XGET 'http://'
    -Put your file in /tmp, rather than in your home directory

    twypsy

  • edited October 2019

    I think some of the hints being passed around aren't considering total noobs. I'm still trying to figure out how to properly search... HINT: it is documented, but it's hard to understand.

  • @bipolarmorgan said:

    I think some of the hints being passed around aren't considering total noobs. I'm still trying to figure out how to properly search... HINT: it is documented, but it's hard to understand.

    If you are having problems searching, you could dump the database as a JSON using a Github tool.

    However, querying all the records should be easier.

    twypsy

  • edited October 2019

    @twypsy said:

    @bipolarmorgan said:

    I think some of the hints being passed around aren't considering total noobs. I'm still trying to figure out how to properly search... HINT: it is documented, but it's hard to understand.

    If you are having problems searching, you could dump the database as a JSON using a Github tool.

    However, querying all the records should be easier.

    Thanks, I finally did figure out the search and got what I needed... any hints on how to go from user to root?

  • Got user!

  • @bipolarmorgan said:

    @twypsy said:

    @bipolarmorgan said:

    I think some of the hints being passed around aren't considering total noobs. I'm still trying to figure out how to properly search... HINT: it is documented, but it's hard to understand.

    If you are having problems searching, you could dump the database as a JSON using a Github tool.

    However, querying all the records should be easier.

    Thanks, I finally did figure out the search and got what I needed... any hints on how to go from user to root?

    If you are not able to escalate to root from one user, pivot to another user that might allow you to do so.

    twypsy

  • @twypsy said:
    If you are not able to escalate to root from one user, pivot to another user that might allow you to do so.

    I sent you a PM, but I have pivoted to another user ... still stuck trying to figure out the privesc to root though.
