AI

Finally rooted.

I have nothing left to say about this box.

Rooted.

Well… both user and root were not so hard as I thought from the beginning.

Thanks to @mRr3b00t for one more enjoyable box :slight_smile:
Many thanks to @bumika for the initial foothold nudge, as I totally missed the hint

For user:
If you know the way but cannot pass through some specific symbols - make sure that you fully read the page with the reference table. What if you are able to find the missing parts somewhere outside the box?

For root:
Enumerate. Check if you understand what every unusual executable/service is doing, check every parameter to know how it works exactly and you will find something interesting.

Box is exploitable and, as was written above, you don’t need to wait to trigger it, so continue to check if you find yourself waiting for things to be done.

The only thing I will say is monty likes md5(process)

Thanks @bumika and @n3b0r for such good hints!

Got user…thanks @g3of0xx

@bergi said:

Can anyone please dm me a decent TTS tool?

This machine is a real pain in … .
I got the idea. I found internal reference. I found external reference.
I have managed to generate output proving existence of the vulnerability, but still cannot proceed further.
I understand that I need to perform full blown manual exploitation of the vulnerability but there are still too many unknowns. For instance how to make it to generate a number (I mean numeral number not the word)? Internal reference is lacking info, external does not work. Really frustrating.

Edit:
Got user, many thanx to @bumika !
Sorry to say, but this was really insane. Even knowing what to do, finding the voice …
Not a great fan to be honest.

Just rooted. Regarding user I already wrote everything in my previous post. Amount of time I spent on finding the voice … well I’m still very angry. It was very CTFish and I’m not a fan of that.

Root part was nice. Classified as difficult (by users), but for someone who knows this particular solution very long, finding the right “thing” to exploit takes only a short while. Just a quick look and you see that there is something that basically should not be there.

Author of the box has of course viciously eliminated the possibility to connect and use the default set of exploit parameters to complete the machine, but finding an alternative should not take more than a few minutes. Overall the root part was very enjoyable. Well done @MrR3boot !!!

query part done.
Fast and not annoying at all :

'narration(10).mp3' 'narration(18).wav' 'narration(6).mp3' 'speech(16).wav' 'speech(31).wav' 'speech(47).wav' 'narration(10).wav' 'narration(19).mp3' 'narration(6).wav' 'speech(17).wav' 'speech(32).wav' 'speech(48).wav' 'narration(11).mp3' 'narration(19).wav' 'narration(7).mp3' 'speech(18).wav' 'speech(33).wav' 'speech(49).wav' 'narration(11).wav' 'narration(1).mp3' 'narration(7).wav' 'speech(19).wav' 'speech(34).wav' 'speech(4).wav' 'narration(12).mp3' 'narration(1).wav' 'narration(8).mp3' 'speech(1).wav' 'speech(35).wav' 'speech(50).wav' 'narration(12).wav' 'narration(20).mp3' 'narration(8).wav' 'speech(20).wav' 'speech(36).wav' 'speech(51).wav' 'narration(13).mp3' 'narration(20).wav' 'narration(9).mp3' 'speech(21).wav' 'speech(37).wav' 'speech(52).wav' 'narration(13).wav' 'narration(21).mp3' 'narration(9).wav' 'speech(22).wav' 'speech(38).wav' 'speech(53).wav' 'narration(14).mp3' 'narration(21).wav' narration.mp3 'speech(23).wav' 'speech(39).wav' 'speech(54).wav' 'narration(14).wav' 'narration(2).mp3' narration.wav 'speech(24).wav' 'speech(3).wav' 'speech(55).wav' 'narration(15).mp3' 'narration(2).wav' 'speech(25).wav' 'speech(40).wav' 'speech(5).wav' 'narration(15).wav' 'narration(3).mp3' 'speech(10).wav' 'speech(26).wav' 'speech(41).wav' 'speech(6).wav' 'narration(16).mp3' 'narration(3).wav' 'speech(11).wav' 'speech(27).wav' 'speech(42).wav' 'speech(7).wav' 'narration(16).wav' 'narration(4).mp3' 'speech(12).wav' 'speech(28).wav' 'speech(43).wav' 'speech(8).wav' 'narration(17).mp3' 'narration(4).wav' 'speech(13).wav' 'speech(29).wav' 'speech(44).wav' 'speech(9).wav' 'narration(17).wav' 'narration(5).mp3' 'speech(14).wav' 'speech(2).wav' 'speech(45).wav' speech.wav 'narration(18).mp3' 'narration(5).wav' 'speech(15).wav' 'speech(30).wav' 'speech(46).wav'

Hack The Box

@davihack said:

query part done.
Fast and not annoying at all :


My list was pretty much similar. Now it’s time for another beauty - Bankrobber :slight_smile:

Finally got this one rooted. This box was a huge pain, even when you know what needs to be done. As others have said, don’t even bother with offline tts (I was not able to get the celebrated recommendation to be recognized properly). I ended up getting it to work with an online tts demo from a well known company. It’s elementary my dear :wink:

Root was very interesting and can be done manually, or via a script, but there are a few quirks about the process.

Thanks to @blaudoom and @MrR3boot for the sanity checks along the way.

Finally rooted!
It was a real pain in the a**.

I have mixed feelings for this box. I’m not sure if I love it, hate it to both @MrR3boot and the box itself.

Thanks to @MrR3boot for this challenge and @bumika and @rholas for all the help!

I just got root. Painful box. The only thing that I learnt from that box is patience. Try again, try again, try again. Unstable exploits, a bit of guessing, broken implementation. Most painful box ever in HTB.

If you need help, you can ask in pm.

Is the word inf*n being replaced by in4 ?
If so, does that mean we are supposed to do the ***i without the scheme ?

Just by guessing ?

for root which process/vuln to look into … from lin**p****.py got m__ld vuln is that the one ??

anyone getting connection refused error with jw**-*******.py ???

lol I legit have no idea how to even touch this box.
Played with the AI for a while. Got as much info as I could off the source.
/shrug brain bender

Thank you @MrR3boot for this unusual box.

It is an awesome idea to use a voice interface … but it drove me crazy. The steps to root were very interesting. I learned a lot about the cat and I enjoyed my research.

Thank you to @davihack and @m4rc1n for the nudge in the right direction.

This box is absolutely the worst box to get root on. Trash timing thing, and the breaking flag isn’t working either.

Rooted now. The initial foothold was quite cool in my opinion. Sure it’s just CTF style but it was something new, and out of the box for sure. I liked that, and it’s well thought out in my opinion. Good job on that @MrR3boot .

But yeah, I got frustrated fighting with the timing. I think if the timing would have been more often, then I would have gotten less frustrated. It’s too long to sit and wait for my taste.

Whatever, I know it’s not easy to make a box [I wouldn’t even know where to start] so thanks for the box :slight_smile: