Mango

I think I found a user i*******y. Rabbit hole?

I’d suggest to at least hide somehow the external links on the box from hackthebox people. They could lead to misunderstandings and unintentional scans by mistake.

Found the login form and got the tables working, not seeing where to go next.

I am in the same spot after few hours of enum and recon…

I starting a very long query on elastic server, maybe need to ddos https://olap.flexmonster.com:9200 .

fm-entities has more than 470 000 entries

@rholas said:

I starting a very long query on elastic server, maybe need to ddos https://olap.flexmonster.com:9200 .

fm-entities has more than 470 000 entries

You definitely should not be DDoS’ing any boxes, especially ones outside of the HTB network.

Rooted
Big thanks to @v1p3r0u5 for help and also to @MrR3boot for great box. Learned a lot
@rholas I think a*******s.**p is not right path.

Type your comment> @clubby789 said:

@rholas said:

I starting a very long query on elastic server, maybe need to ddos https://olap.flexmonster.com:9200 .

fm-entities has more than 470 000 entries

You definitely should not be DDoS’ing any boxes, especially ones outside of the HTB network.

This is a hack the box server not outside, but currently near crash state

@rholas said:

Type your comment> @clubby789 said:

@rholas said:

I starting a very long query on elastic server, maybe need to ddos https://olap.flexmonster.com:9200 .

fm-entities has more than 470 000 entries

You definitely should not be DDoS’ing any boxes, especially ones outside of the HTB network.

This is a hack the box server not outside, but currently near crash state

Why do you think that? The rules explicity say not to hack anything outside of 10.10.10.0/24

Everything should be self-contained on the machine.

@rholas Sorry man, but @clubby789 is right, it’s definitely out of scope. Anyways, it’s ALWAYS prudent to check first. Don’t think DOS will accomplish anything here. But just in case could you confirm the scope on this @mRr3b00t ?

Type your comment> @HumanFlyBzzzz said:

@rholas Sorry man, but @clubby789 is right, it’s definitely out of scope. Anyways, it’s ALWAYS prudent to check first. Don’t think DOS will accomplish anything here. But just in case could you confirm the scope on this @mRr3b00t ?

This is run on 10.10.10.162 not outside

and skullkiddo sad to ddosing (4. comment)

@rholas said:

Type your comment> @HumanFlyBzzzz said:

@rholas Sorry man, but @clubby789 is right, it’s definitely out of scope. Anyways, it’s ALWAYS prudent to check first. Don’t think DOS will accomplish anything here. But just in case could you confirm the scope on this @mRr3b00t ?

This is run on 10.10.10.162 not outside

That’s the IP of the box. The IP of olap.flexmonster.com is 52.5.238.221, as seen by pinging it.

Type your comment> @clubby789 said:

@rholas said:

Type your comment> @HumanFlyBzzzz said:

@rholas Sorry man, but @clubby789 is right, it’s definitely out of scope. Anyways, it’s ALWAYS prudent to check first. Don’t think DOS will accomplish anything here. But just in case could you confirm the scope on this @mRr3b00t ?

This is run on 10.10.10.162 not outside

That’s the IP of the box. The IP of olap.flexmonster.com is 52.5.238.221, as seen by pinging it.

But why working in a hack to box page?
Open ./a…php
Select to connect to elastisearch, ok and load data

dudes. the box name is a hint. a big hint. it always is but in this case it’s an especially big hint. i think a lot of the google-ish stuff is a likely distraction but that’s just one opinion. focus on what you might be able to do to the datastores that might possibly be living behind the fruit(s). delicious fruits.

@rholas said:

Type your comment> @clubby789 said:

@rholas said:

Type your comment> @HumanFlyBzzzz said:

@rholas Sorry man, but @clubby789 is right, it’s definitely out of scope. Anyways, it’s ALWAYS prudent to check first. Don’t think DOS will accomplish anything here. But just in case could you confirm the scope on this @mRr3b00t ?

This is run on 10.10.10.162 not outside

That’s the IP of the box. The IP of olap.flexmonster.com is 52.5.238.221, as seen by pinging it.

But why working in a hack to box page?
Open ./a…php
Select to connect to elastisearch, ok and load data

The box uses flexmonster, which by default offers to connect back to the flexmonster website which has examples.

Could someone reassure me if bruteforcing is not needed?

Also, please don’t hack boxes outside of HTB (the pages refer to quite a few ones…) you might be committing a criminal offence…

Everything is self-contained. Brute forcing is useful here, but probably not the method you’re speaking of.

Good box @MrR3boot

im stuck in analytics
any tips dirbuster is not finding anything