Craft

I have RCE and can ping, but cannot get shell. Can someone nudge me on what I am missing?

Finally rooted after a couple days of hammering away at it on and off. It took about 2 days to get the foothold but foothold->root took about 2 hours.

root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)

Really learned a lot from this one, and definitely one of my favorites. Feel free to pm for hints.

Thanks to @zachosk for the nudge in getting foothold.

Nice machine! User had a few steps, and a nice learning curve. Root was more about reading, understanding how the “tool” works, and … we are in.
Thanks @rotarydrone for the excellent box

Rooted!
Root part was like 5 minutes.
Hardest part to me was getting the reverse shell.
Very cool box!

Rooted. This was awesome! Many thanks @rotarydrone . I spent a lot of time on this box but I got there in the end without any help or hints which feels good.
Reverse shell was tricky but the process of getting it taught me a few cool things. Getting user after that was straightforward but didn’t work for me for some reason. Reset the box today and tried again and it worked. Root took about 3 minutes because I researched the “tool” I needed to use before I actually got user so I knew where to look. Suggestions of what to try next are most welcome.

Thank you @halisha for assistance with initial shell. I need to remember to try everything and not only things I am used to. Now I got into the d***** and finding tons of useful info but nothing to actually get me user.

Edit: apparently I was not pasting the pw correctly for the passphrase to get user. That was easy. Now onto root.

Root was easy!

Rooted! Excellent box, a little frustrating at times, but thanks to my mentor @FailWhale for keeping me from tossing my rig off the balcony, a great teacher for telling me just enough to push me in the right direction. My only advice is, don’t lose your ■■■■, or you may end up without a computer to finish with lol. Thanks to @rotarydrone for a box that taught me a lot.

Can someone please PM me? I am having problems with SSH keys.
Edit : Omfg, user was that stupid.
Edit : Rooted. Thank you all for the hints

Can someone please give me a nudge for the RCE payload? I can receive pings but shells won’t work (tried different languages, too)… I’m stuck here for days.

Update: Never mind, got it working now. That was a tough one…

Rooted, Fun Box
PM for hints

Rooted. Thanks for great box.
But you’re here for the hints, are you? :wink:

### Foothold:

  • Git remembers every mistake you make. Even if you think you have fixed it, git remembers…
  • RTFM about the local API, read the source code and comments.

### User:

  • Insecure methods and user input … again
  • You will be contained with several objects. Try to understand what methods you can use, and read the source again to understand what may be useful.
  • Enumerate and you will get the key

### Root:

  • Right over your nose

PM for hints, hope it’s not too spoiled

Nice Box

Rooted

root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)

Cool box and real life example.
Although I had lots of problems with the correct syntax for the reverse shell, thanks @sn4k3r1tu4l for the nudge on the syntax.

After the reverse shell, user and root were easy.

Finally got root!!! It took me so looong to get user!
I’ve enumerated everything (many times)… At the end, I knew the whole environment like my pockets. Because of that, once I got user, it took me about 5 minutes to get root.

There’s everything you need on this board to get both (without any previous knowledge). Have fun :wink:

Rooted! Arguably the best machine I’ve done on HTB so far.

Really struggled with the payload. I’d love to hear from others what payload they used. I wonder if my way was the only one.

Hints:

  • The forum thread is very informative by HTB standards. Spoilerish sometimes. I knew what to do to move from foothold to user even before having foothold.

Foothold:

  • Enumerate. A lot. Look under every stone but not in CTFy way. Just look at what the public systems offer and follow the crumbs
  • When you find a vuln you’ll struggle with a payload (I know I did). Don’t fret, just take it slowly. Try simple things first, build up on them. Make sure your payload does what you think it does, test locally.

User:

  • Use what you already know to gain more information. You’ll even have almost-ready scripts for that
  • Enumerate even more with your new info
  • Remember: these guys (the dev team from the box) suck at security. Use their mistakes

Root:

  • It’s really easy, compared to the user
  • Find the tool, RTFM, root dance
  • BUT copying a command from a tutorial won’t do. Make sure you know the keys before you try to stick them into the hole

If you still have problems, PM me, I’ll try to help.

Rooted - really fun box. Plenty of hints here already, but if you get stuck you’re welcome to PM me.

Rooted.
Fun box!

User is harder for me than root as usual.

User is not easy and if you get frustrated then PM me for hints.
Root is very easy

Having some issues with the payload. I tried testing it locally and that works, but even trying just a simple print statement via the post request gives me the error: an unhandled exception occurred. I’ve tried every single escape char I can think of but I still get that error. I’m using a modified python script taken from their repo in order to exploit. Any hints would be appreciated.

My hints for user.

1º There’s one evil function that can be abused.

2º If your reverse shell dies fast, try with a different one. No need to complicate things.

@birb said:

Having some issues with the payload. I tried testing it locally and that works, but even trying just a simple print statement via the post request gives me the error: an unhandled exception occurred. I’ve tried every single escape char I can think of but I still get that error. I’m using a modified python script taken from their repo in order to exploit. Any hints would be appreciated.

You are getting an exception since you are doing something the application didn’t expect.

That doesn’t mean, however, that your payload hasn’t been executed. If you have a payload already, try to create a reverse shell. That’s the best way to see if your approach is working or not.

Rooted!

Really cool box. Lot of fun related to Linux common tools. Very realistic.
There are a lot of hints in this thread.

Thank you @rotarydrone for making this box.
If you need more help, PM me.

=)~