Bounty

“Exploit failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: Access is denied”

What is the solution to this problem? Can you help me? I could not find it anywhere.

Edit: I got root, and I hate this machine.

Hi,
can someone PM me a little hint? I tried zap, dirb but still couldn't enumerate the website :confused:
Thank you

@pnrsd said:
Hi,
can someone PM me a little hint? I tried zap, dirb but still couldn't enumerate the website :confused:
Thank you

You need to adjust the parameters of dirb to use the correct extension :wink:

Got the user.txt. Now looking for priv esc…

Has anybody here been able to replicate the same privesc as in ippsec’s video of Jeeves on this machine? I have tried the same steps and everything looks identical… except that the ro***** po*****o doesn’t return anything :confused:

EDIT: nevermind, I finally got root.

Swear the user flag has been deleted from the desktop :anguished:

got it

Able to upload the w**.cg file, but not able to see it or get the shell back. Getting an error while searching in the UF*** folder. Any hints here? Thanks.

N/M

Got the user.txt. Now hunt for root.txt.
Looks like this machine is getting retired this week.

Finally rooted this little demon! One of the most exasperating boxes I’ve done till the moment >.<

I’m open to PMs if you get stuck (only specific questions!)

FINALLY ROOTED this box.

First of all, I have to thank everybody who helped me in PM:
absentminded
bryterlyter
nofunofunofun (it's us, BR, damn!! XD - HueHue)
kimbilirkim

I couldn’t have finished this one without you guys! (Sorry, I don’t know if it is possible to tag you guys here, so I’ll thank you in PM)

And second, but absolutely not least important, I have to thank all the posts before mine, I read them two times! :slight_smile: And in their own way they taught me a lot too.


For those who are stuck on this machine (today is 10/25/2018, and I think this machine will get retired soon) I’ll be open FOREVER (till retired XD) to help you guys, because this machine really has its particularities!

And believe me, it doesn’t need to be reset the amount of times we do!! hahahah

Thanks mrb3n for the machine!!

Hi, I got the user.txt from merlin’s desktop but it says wrong hash when I submit it. Can someone PM me so we can compare some characters of the flag?

Little confused on the enumeration point…not sure if I’m using the correct extension and if I’m enumerating the correct path. Some Q&A privately would be awesome. Please private message me.

Okay disregard that…figured that part out, now to see if I can upload the right file.

Finally got it but no points :frowning:

@Joss said:
Finally got it but no points :frowning:

Yeah, this box just got retired about an hour ago. Always check Login :: Hack The Box :: Penetration Testing Labs; it shows what is about to be retired for the new box to come live.

Check the syntax of the payloads from 0dom and Ssh carefully, esp. since they need to be modified to suit. I was having difficulty with the payload only to find out a “w” should’ve been a “t” which caused several days of self-inflicted pain.

post retracted

Sorry, maybe somebody can confirm the problem. I can’t load a file with the right extension. I check the special upload directory but nothing changes after I successfully upload my shell.

In which directory are you looking for downloaded files?
I found how to upload.
But I can’t find where they are uploaded.
I have to see my text file, which was uploaded successfully as a picture to the folder (uploaded files)???
Maybe I didn’t understand where to look for it or the server renames it.

I feel like I’m going mad with this box!! I have managed to get an initial foothold, so now working on uploading either an msfvenom payload for a meterpreter shell (.exe file) or another Powershell script (.ps1 file) for exploit enumeration. I am using the iex(new-object net.webclient).downloadstring to try to upload, and I can see the 200 OK response on my Python HTTP server, so I know the files are being retrieved, and the command line on Bounty returns no error codes, so all looks fine, but when I check the contents of the directory I’m running the command from there is nothing to be seen! File locations I’ve tried:
C:\Temp (after creating it);
C:\Users\Merlin\Desktop;
C:\Users\Merlin\appdata\local\temp.
I have also tried using gci -force on all locations that I’ve saved the file to and nothing shows. I have confirmed I have permissions on the directories I’ve been using with icacls. I have also tried resetting the box, but nothing has changed.
I really feel like I’m missing something REALLY obvious here - can anyone provide some guidance?