Haystack

Well that box had layers. Nice.
Took me some time since either my shell bugged or someone sabotaged the box, since did not see the confs in the correct dir. And naturally I didn’t look there again until the next day even tough the box was reset multiple times in between. :slight_smile:

Rooted. Going from user to root was challenging, but really satisfying. I agree with those saying this box shouldn’t be categorized as “Easy.” Quite a bit of research necessary. Learned a ton.

If anyone needs a hand, feel free to DM.

I need help with this box. I have gone through all the steps of finding the n**** in the h****. I successfully translated but now the problem is the place I thought it was to be used was wrong, i feel like i am running in circles. Any direction would be greatly appreciated.

Type your comment> @Z0d said:

Type your comment> @alalno said:

Hi,
I’m unable to escalate to ka , tried renaming the js of known vulnerability, does the ka service need to be running for that?
Really appreciate your help
Thanks

you are on 127.0.0.1 you want to access a routable IP your IP then what you need … see my previous comment in Uppercase :slight_smile:

Thanks @Z0d for the port forwarding hint. But still i’m unable to escalate to k****a…unable to listen… am i missing something here?? I’ve configured the correct port & IP but something seems amiss…need a nudge
Thanks

i know the indices, but i have no clue to use it.
i know the ssh username but i dont know the password.

can anybody please help me… its been a week for me… to complete this.

Getting reverse shell was real pain…after all i got root. Learned a lot from this machine . PMs are welcome.

[root@haystack /]# hostname ; date ; echo “haystack nulled”"
haystack
lun oct 7 15:19:21 -03 2019
haystack nulled
[root@haystack /]#

Ok guys, I’ve got user.txt. I little hint?

@andresitompul said:

i know the ssh username but i dont know the password.

can anybody please help me… its been a week for me… to complete this.
How did you figure out the username if you don’t know the password? B/c it’s in the same data dump but a little above. Did you get a spoiler?

Awesome box. Initial foothold was a little too CTF style for my taste, but really enjoyed low priv → root through the elk stack. Highly recommend checking out the grok debugger when you get to that part.

Saw some other comments on here about port forwarding and “ssh black magic”, I did not have to do any port forwarding whatsoever on this.

Great box, that one was alot of divertido

need help … anyone there.?

Type your comment> @qmi said:

@andresitompul said:

i know the ssh username but i dont know the password.

can anybody please help me… its been a week for me… to complete this.
How did you figure out the username if you don’t know the password? B/c it’s in the same data dump but a little above. Did you get a spoiler?

i did a python script to check each default username.
and one of may tested username its valid… thats it.
i dont know how to dump the database.

any clue ?

second…

does the ssh port forwarding also work on this machine without password ?

So I have read through the 3 files and i know what I need to go to get root, but what I thought would work isn’t. If anyone could PM me so I could shoot some ideas that would be amazing.

@andresitompul said:

How did you figure out the username if you don’t know the password? B/c it’s in the same data dump but a little above. Did you get a spoiler?

i did a python script to check each default username.
and one of may tested username its valid… thats it.
I see.

i dont know how to dump the database.

any clue ?
You may need to use an extension to ELK which enables you to view data using SQL queries. You will see tables, columns and finally data dump by the help of the good old cURL.

does the ssh port forwarding also work on this machine without password ?
No. You will need to have SSH user/password.

Why wen i run the exploit from scrity to k**a*a, some times works, sometimes dont?

Hello, Im ki**na, any tip to get root?

@rfalopes said:
Hello, Im ki**na, any tip to get root?

Stuck at the same place. I have the 3 files and I believe I know how Grok works, but how I can use that to get a shell as root?

Nevermind: rooted. PM if you want for tips.

Type your comment> @rfalopes said:

Why wen i run the exploit from scrity to k**a*a, some times works, sometimes dont?

Yes, the exploit is a bit flaky, I think it has to do with other people using it at the same time. Keep trying, it DOES work as described.

@rfalopes said:
Hello, Im ki**na, any tip to get root?

Ponder why the ELK stack has that name, and which letters you have already used so far. Read a bit up on that third part of the trinity. Then figure out what it does on this box and do something quite similar to what you’ve done before.

Type your comment> @BT1483 said:

Type your comment> @rfalopes said:

Why wen i run the exploit from scrity to k**a*a, some times works, sometimes dont?

Yes, the exploit is a bit flaky, I think it has to do with other people using it at the same time. Keep trying, it DOES work as described.

@rfalopes said:
Hello, Im ki**na, any tip to get root?

Ponder why the ELK stack has that name, and which letters you have already used so far. Read a bit up on that third part of the trinity. Then figure out what it does on this box and do something quite similar to what you’ve done before.

Yes i know… Now i need do make a priv. esc. using the Lostah… And i find the CVE-2017-170 but i dont know how to use it :confused:

Yes i know… Now i need do make a priv. esc. using the Lostah… And i find the CVE-2017-170 but i dont know how to use it :confused:

You’re thinking way, way more complicated than it is.

Take a look at what l******h is doing.