Registry

Comments

  • edited November 2019

    Stuck cloning the d****r r******y, got the basic auth so can view v/_c*****g, but can't get any further

    E: Thanks to a nudge from @noob2sec managed to get user, on to root now!

  • rooted. Thank you @masquerad3r for your hints.

    As for root, I gave up on making an outbound connection to my local machine. Everything was done in this machine besides cracking creds.
    For the final touch, I didn't know r***-s***** is portable.

  • edited November 2019

    I logged in via ssh as b**t user. Found some creds but couldn't find a way to crack it. Can someone help me?

  • edited November 2019

    EDIT:

    Rooted, special thanks to @PlayerThree and @rholas !

  • edited November 2019

    Why do all the B**t C*s pages return 404?

  • IDK if I got the initial foothold the intended way, can someone who feels the same PM?


  • uid=0(root) gid=0(root) groups=0(root)
    [email protected]:~#

    If u need help, write me from DM.

  • how can I get root ? any nudges

  • just rooted. I wanna thank @GibParadox for the patience and help! Feel free to contact me for hints.

  • Finally rooted!
    User was not very hard.
    Root was quite a long journey. Had quite hard time with r****c..

    Hack The Box

  • I got stuck on: /v2/b****-i****/b****/sha256:*******

    I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

  • @roelvb said:
    > I got stuck on: /v2/b****-i****/b****/sha256:*******
    >
    > I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?

    There is something obvious, just keep looking. Did you notice any common port open when you enumerate the box? Maybe you can look for the key to open the door.

  • edited November 2019

    @mcruz said:
    > @roelvb said:
    > > I got stuck on: /v2/b****-i****/b****/sha256:*******
    > >
    > > I have downloaded some directories with the blob****. I have checked all of them but did not find anything obvious for further use. Am I missing something there or is it the wrong place to look?
    >
    > There is something obvious, just keep looking. Did you notice any common port open when you enumerate the box? Maybe you can look for the key to open the door.

    Got it, thanks!

  • I am stuck on the root part.
    I got a password and successfully logged into the website, but I can't get anything.
    Anyone who can PM me for a nudge on what to do next for root?

  • Great machine, thank @thek.

    I managed to proceed like a knife through butter to the "last two stations". Gaining user level access was also interesting, but it was much easier than the root one. There are little tricks needed to discover the vulnerability, and it is easy to find attack description on the Internet after the identification.

    Although I got much data by the attack, it was clear what I should have found and used. Result was a friendly remote shell. It is worth running a fast nmap tcp port scan from the machine to the attacker host in this phase.

    Based on the difficulty category of the machine, I guessed that I met a non-traditional privilege escalation challenge. I have learned from my earlier successful attempts that there is a valuable data source which often contains relevant information, and it was also true in this case. After some routine operations I reached the penultimate "station".

    That was the beginning of a suffering but instructive "journey". Some advice for this "station":

    • read but do not believe everything,
    • guess how to stabilize an unstable situation,
    • be fast and repeat your process if it is needed.

    Result was a usual but less friendly remote access. I thought it was the difficult part of the attack, but I soon realized that I was wrong.

    It was easy to find the vulnerability but was difficult to create a successful exploit. First I thought that a newer little trick could solve my problem. After about an hour I realized that the application had a strict rule to set permissions and I couldn't apply the "Local" method in a useful way. So that I needed to use the "Server" method.

    Since I knew the result of the earlier "reverse" nmap scan, I realized that I needed to apply "Server" method locally. The only problem was scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thank mate), and hit my head gently. The solution is very simple.

    I needed reading some pages from a tutorial of the application and readme of the server and constructed the finish which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.

    bumika

  • rooted
    thank you @sbridgens and @Rolesa

  • Got user.
    Thanks @Rolesa, @noob2sec and @masquerad3r.
    Go to root.
    PM for hints.

  • edited November 2019

    I'm stuck at the very start. I got the c.t, I tried to get the c*****g, but obviously I don't have the auth, neither the k.y. Any nudge for the initial foothold?

    BadRain

  • @FoX01 said:
    > Got user.
    > Thanks @Rolesa, @noob2sec and @masquerad3r.
    > Go to root.
    > PM for hints.

    Glad I could help :)

  • Got root flag with r****c but wasn't able to execute code with that method

  • @sulcud said:
    > Got root flag with r****c but wasn't able to execute code with that method

    Just use same method and grab bigger.

    bumika

  • edited November 2019

    When I do 'locate root.txt' there is no root.txt on the system?

  • Any nudge for the run to w**-***a?

    BadRain

  • Spoiler Removed

  • edited November 2019

    Rooted.
    Really frustrating machine, but it was a great teacher to me.

    User 1: What a ride. Enumerate and don't ignore anything. Scan smart not hard.

    User 2: Quite simple to find if you enumerated, but not so simple to actually do it. You'll take a step backwards =) You have to be fast and think outside the box. You can't outrun it, but you can outsmart it. The more creative you get, the better.

    Root: Tunneling and Enumeration. Luckily my first enumeration command had what I needed. Then the hardest part of this machine: Exploiting the thing. I had to do a million tests and troubleshoots before it worked, but it worked. I didn't think I needed a root shell, so I didn't try, but I think it's possible.

  • Rooted.

    Fun box!!

    Very easy for User but what a day for root.
    PM me if you're stuck, you'll need patience for root.

  • Got rootflag, finally! One of my favourite boxes so far, awesome learning experience.

    Feel free to PM me if you need any tips!

  • edited November 2019
    @bumika said:
    > Since I knew the result of the earlier "reverse" nmap scan, I realized that I needed to apply "Server" method locally. The only problem was scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thank mate), and hit my head gently. The solution is very simple.
    >
    > I needed reading some pages from a tutorial of the application and readme of the server and constructed the finish which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.

    Did you use r***-*****r or r****e?
    I tried the first one, but with no luck!

    BadRain

  • edited November 2019

    @BadRain said:
    > @bumika said:
    > > Since I knew the result of the earlier "reverse" nmap scan, I realized that I needed to apply "Server" method locally. The only problem was scarcity of a proper server. At that time I found an important word (p******e) in a message on this topic (thank mate), and hit my head gently. The solution is very simple.
    > >
    > > I needed reading some pages from a tutorial of the application and readme of the server and constructed the finish which contained 5-10 elementary steps. It was a joy to see that my commands ran without any error.
    >
    > Did you use r***-*****r or r****e?
    > I tried the first one, but with no luck!

    [Edited]: I chose the first option.

    bumika
