Craft

Stuck at getting initial foothold… I found user (di****), pass, tok** as well as the vulnerable snippet of code (e***).

When I to create new alcohol or check my tok**, I kept getting invalid tok**.

I have tried using cu** and “authentication bear” to authenticate the tok**.

Am I missing out on something? Anyone can give me a prompt? Thanks all.

Type your comment> @WH145 said:

Stuck at getting initial foothold… I found user (di****), pass, tok** as well as the vulnerable snippet of code (e***).

When I to create new alcohol or check my tok**, I kept getting invalid tok**.

I have tried using cu** and “authentication bear” to authenticate the tok**.

Am I missing out on something? Anyone can give me a prompt? Thanks all.

WH145 if you have problem with cu** maybe take a look at the code you have access to and try to use it :slight_smile:

Type your comment> @pspdevel said:

Type your comment> @WH145 said:

Stuck at getting initial foothold… I found user (di****), pass, tok** as well as the vulnerable snippet of code (e***).

When I to create new alcohol or check my tok**, I kept getting invalid tok**.

I have tried using cu** and “authentication bear” to authenticate the tok**.

Am I missing out on something? Anyone can give me a prompt? Thanks all.

WH145 if you have problem with cu** maybe take a look at the code you have access to and try to use it :slight_smile:

Oh my… i totally overlooked it. Thank you for your help.

And finally:

root@craft:~# id

uid=0(root) gid=0(root) groups=0(root)

Thanks to @dirtyred , If you need help feel free to PM me :slight_smile:

I didn’t manage to even get user on this box. I just saw a writeup of craft on Reddit and what I was missing SHOULD have been on the homepage, which I didn’t see. I got a 404 error. So somebody must have deleted it to screw up other people. /angry

Type your comment> @lpha3ch0 said:

I didn’t manage to even get user on this box. I just saw a writeup of craft on Reddit and what I was missing SHOULD have been on the homepage, which I didn’t see. I got a 404 error. So somebody must have deleted it to screw up other people. /angry

no, you need to edit your hosts file and add some entries. The ip address of the machine does not give the same result as the domain name… pm me if you need more of a hint than that.

Type your comment> @6d6a6c said:

Type your comment> @lpha3ch0 said:

I didn’t manage to even get user on this box. I just saw a writeup of craft on Reddit and what I was missing SHOULD have been on the homepage, which I didn’t see. I got a 404 error. So somebody must have deleted it to screw up other people. /angry

no, you need to edit your hosts file and add some entries. The ip address of the machine does not give the same result as the domain name… pm me if you need more of a hint than that.

I DID add a hosts file entry. The first thing I did when starting on this box was an nmap scan, the second was the hosts file entry, then I started enumerating the site using the hostname. You shouldn’t just assume.

This is the 2nd time I’ve had something like this happen, and don’t tell me that I need to get VIP because I already have it. Having VIP doesn’t guarantee that you get a box all to yourself, only that there’s less people beating it up at the same time.

@6d6a6c said:
Type your comment> @lpha3ch0 said:

I didn’t manage to even get user on this box. I just saw a writeup of craft on Reddit and what I was missing SHOULD have been on the homepage, which I didn’t see. I got a 404 error. So somebody must have deleted it to screw up other people. /angry

no, you need to edit your hosts file and add some entries. The ip address of the machine does not give the same result as the domain name… pm me if you need more of a hint than that.

Another thing that I forgot to mention: I left that box running overnight and after reading the writeup online this morning, I reset the machine and the site finally showed the webpage that I should have seen to begin with. Some ■■■■ deleted it. I’ve been talking about this in another forum and other people have experienced similar stuff happening, although they may or may not have been in VIP.

Type your comment> @lpha3ch0 said:

@6d6a6c said:
Type your comment> @lpha3ch0 said:

I didn’t manage to even get user on this box. I just saw a writeup of craft on Reddit and what I was missing SHOULD have been on the homepage, which I didn’t see. I got a 404 error. So somebody must have deleted it to screw up other people. /angry

no, you need to edit your hosts file and add some entries. The ip address of the machine does not give the same result as the domain name… pm me if you need more of a hint than that.

Another thing that I forgot to mention: I left that box running overnight and after reading the writeup online this morning, I reset the machine and the site finally showed the webpage that I should have seen to begin with. Some ■■■■ deleted it. I’ve been talking about this in another forum and other people have experienced similar stuff happening, although they may or may not have been in VIP.

if you had the hosts file entry, the technical term for the cause of your problem is a–holes I believe! I subscribed to vip because of similar problems.

Just released write-up, it is first for me :slight_smile:

“Craft — hackthebox” by Aleksi Kistauri Craft — HackTheBox. This is a write-up on how I solved… | by Aleksi Kistauri | Medium

Could anyone try, please, if it is still possible to get a foothold to the machine? Nothing works for me somehow.

Hi! Did someone did this box lately? I think the privilege-escalation is broken as I get “* Vault is sealed”, when I try to login… After some time I looked up the write-ups, and they are doing exactly what I tried, but for me it just isn’t working. I already have reset the box, but that doesn’t make any difference…

Type your comment> @ArtemisFY said:

Hi! Did someone did this box lately? I think the privilege-escalation is broken as I get “* Vault is sealed”, when I try to login… After some time I looked up the write-ups, and they are doing exactly what I tried, but for me it just isn’t working. I already have reset the box, but that doesn’t make any difference…

I got something else: “certificate has expired or is not yet valid”. Not sure how to fix this. Anyone can help?

Same here @zhe0ops … not sure what is going on.

I figured it out today… If the box is hosted not on 10.10.10.110 then the vault will remain unsealed.
Check Status here:
vault status -tls-skip-verify

Really interesting machine :slight_smile: But im having some trouble accessing the vault, when its asking for the password, i am doing the intended, but it gets stucked thinking for 15 seconds and ask for the password again, and i have seen 13 resets before i was going to request one, whats weird… Does someone have the same problem guyz? Thank you in advance!!

@L3pr3ch4un00
same xD

Yeah just switch your server to a non VIP+ one and your good. You can switch your server type in the new app under connection settings in the top right hand corner: https://app.hackthebox.eu

If you’re using this machine on VIP+, you’re gonna have a bad time.

Type your comment> @godylocks said:

Yeah just switch your server to a non VIP+ one and your good. You can switch your server type in the new app under connection settings in the top right hand corner: https://app.hackthebox.eu

oh thx I will try it