Obscurity

Hey guys, I used the common wordlist with ZAP, but still nothing. Any hints? Also, its suspicious that its looking for a document when any 404 arises…

Type your comment> @idomino said:

:slight_smile:

uid=0(root) gid=0(root) groups=0(root)

I enjoyed this very much, thank you @clubby789! But I think misclassified, it’s one of the easiest ones currently available.

This has made me give in “One of the easiest around” … as I saunter back to my day job lol

Any hint for getting the directory? tried big wordlist on it :confused:
tried ffuf too

Rooted, nice box… I just needed to update my Python skills…

Rooted , here are my hints :

User : - read carefully the webpage. The next step should be obvious

  • enumerate a little to get user.txt

Root : -don’t overthink , it’s very simple , some basics Linux privesc…

You’ll need basics python understanding!

Good luck

R00ted!!! @clubby789 - Excellent job! Fun box.

I hope these tips are ok and do not veer off into the spoiler realm. I tried to keep them as general as possible, and really these “tips” are just good advice any pentest 101 class will teach, I am just kinda focusing the general advice a bit.

Foothold - pay attention to how things are working, enumerate. Once you find what you are looking for; It pays to figure out what the code is doing, I went as far as to get things running on my attack box, that way I could dump variables and test locally, once you do that the path forward is super obvious.

User - A bit tricky, but if you enumerate and find all the files you have access to (again just good basic sense that should be tried every time); you can find some interesting things (not much of a spoiler as the whole point of good enumeration is to find interesting things). You will have to manipulate some of the finds (custom scripts help a lot); if done right… boom you are in.

Root - pay attention what you have access too, again learn how things are working, and it becomes super obvious… for me root was 100x easier than user (not saying user was super hard, but by comparison)… so if you can pop a user shell; you’re almost there.

I hope this helps, and if you get stuck “try harder”. Feel free to PM me. I apologize if I do not get back with you super quick; my life is hectic and between that and popping my own boxes, sometimes the PMs slip pass me. Cheers.

Based on the reactions I’m getting maybe I was too harsh when I said “one of the easiest ones currently available”, maybe it was just easy for me, as all stages are simply solved by a few lines of python, but I guess I can understand why people are struggling with stock tools.

first of all, stop busting, go “path’ing” yourself…

Rooted.
Nice box @clubby789 , make more pls :D.

If you guys need any help, PM me with your progress

Type your comment> @idomino said:

Based on the reactions I’m getting maybe I was too harsh when I said “one of the easiest ones currently available”, maybe it was just easy for me, as all stages are simply solved by a few lines of python, but I guess I can understand why people are struggling with stock tools.

Well, I can actually agree user was easy. Definitely not a hard one. Everything turns around the snake.

edit: root is super easy, but nevertheless a good reminder. Wonder if perms are intended way.
edit: rooted the intended way.

Thanks @clubby789 for time spent on creation!

Type your comment> @v01t4ic said:

Type your comment> @idomino said:

Based on the reactions I’m getting maybe I was too harsh when I said “one of the easiest ones currently available”, maybe it was just easy for me, as all stages are simply solved by a few lines of python, but I guess I can understand why people are struggling with stock tools.

Well, I can actually agree user was easy. Definitely not a hard one. Everything turns around the snake.

yeah, speaking parseltongue is needed for this one

@idomino said:

Based on the reactions I’m getting maybe I was too harsh when I said “one of the easiest ones currently available”, maybe it was just easy for me, as all stages are simply solved by a few lines of python, but I guess I can understand why people are struggling with stock tools.

To be honest, I don’t give credibility to any comment in HTB regarding the difficulty of a machine, and I might suggest the same to anybody who joined HTB recently. What seems easy now, might not have seemed easy in the past.

Type your comment> @idomino said:

Type your comment> @v01t4ic said:

Type your comment> @idomino said:

Based on the reactions I’m getting maybe I was too harsh when I said “one of the easiest ones currently available”, maybe it was just easy for me, as all stages are simply solved by a few lines of python, but I guess I can understand why people are struggling with stock tools.

Well, I can actually agree user was easy. Definitely not a hard one. Everything turns around the snake.

yeah, speaking parseltongue is needed for this one

Harry Potter finds this box easy

@clubby789 Great box! Solving it was fun and pleasant experience. Appreciated especially the fact that it required no guesswork.

Stuck on fuzzing for the py file, any hints?

Any hints to find the .py file?
EDIT:found :slight_smile:

rockyou 30

This is the most useless box created to be honest; usually I learn a thing or two from at least an easy box, but this…!

I’m trying with various lists, through the apparent remote h***-****y and directly to the upper port, but nothing :that script can’t be found… any hint?

Type your comment> @BadRain said:

I’m trying with various lists, through the apparent remote h***-****y and directly to the upper port, but nothing :that script can’t be found… any hint?

Same…just…nothing :frowning: