Registry

I’m now in the container place after some basic enumeration d*****.re******.h**/v*/ . It asks username and password to authenticate. Can anyone give me a nudge on it? Thanks in Advance.

I’ve come to a stopping point for access to w**-*a shell. I have access to C and as seen in the forum, the obvious fu vulns don’t work. I’ve tried with a java shell as this is a supported file type and still no joy. Any DM’s to get me from user1 to user2 would be appreciated.

I have shell access with user 1 also.

Root took me more then i expected. Thanks for this great box.

stuck getting initial shell… found the /i****** directory and extracted the c*** . Also found the d***** web app and the name of the repository in it b***-i**** having trouble using d***** p*** command due to the self signed cert

well this machine its really interesting.

enumeration was really easy, lucky me, in past days a was reading about vulnerabilities in d***** so, obtain access to shell was easy after found the first 3 files, user 2 ■■■, really good challenge, i used a backdoor through my first con, and finally root, Good Lord, after read the manual and view the command was not sure if DIY apply so I ask to other users but the answer not was really usefull.

well this is my hints.

Start → the challenge is make technology your friend, this is friendly if you ask.
User1 → The funny thing is with the enum you obtain this access just puth J*** to work.
User2 → Now i can see other ways, but in fact, for my i took the easy to backdooring my connection, think about it, if front is bloked so…

root → I like when challenge its really about how you can manipulate the instruccion, its easy, think in what do you need to make work this stuff…

as always, thanks to @backslasht for the machine, and thanks to everyone for the hints.

If this result in spoiler, please delete it.

guys iam stuck at inital steps
found a login page at /v2/ is that the way?

Enjoying the box so far… Got user and have access to b***/b*** in order to gain access to w**-****, any nudges would be appreciated. Thanks.

Hello,
I’m stuck. Can’t login with s** on the machine. I founded the private document with the password, impossible to use it for ssh.
Anybody have an hint ?
Thx !

Lots of hints already on here so I’m not gonna troll by reiterating whats already here. What I would say is that, after a few weeks of mulling it over, this is absolutely one of my favorite ever boxes. The entire thing, imo, was epic from start to finish. Happy to provide nudges on via DM / Discord (5ysk3y#6172) for those who are stuck.

Very cool box, being a borgbackup guy myself, it was fun to play with r***.
Another hint that cost me some time: There’s something in the way going outbound from the box, but you already have SSH. Always remember your options…

Stuck at b*** user, found b*** cms files and r***** cli app but got no clues on how to proceed. Can’t find a way to login into the cms, can’t upload a file, just the index.php page. Can someone give a nudge? Thanks!

Edit: Found a hash on b***.d*, cracked it, but don’t know where to input it…

Very cool box so far, I’m just struggling with the last root step.
I keep getting the following error

! EOF ReadFull main.read Password - unable to read password||

Received nudges from multiple other users so far that have all told me I’m doing the right thing yet I still get the error shown above. Weird stuff. Gotta try harder :smiley:

Edit :
And as it always goes, I cracked it 30 minutes later. :slight_smile: Great box!

Rooted. I have learnt and enjoyed a lot during doing this box. Thanks so much @Rolesa and @noi for helping me!

I’m so close, and so annoyed. Can’t root via d***** , as I’m 32 and not 64. 2 days of my life I wish I’d spent elsewhere! :slight_smile: If anyone knows an unintended method, I’d appreciate a nudge over PM as I can’t do it the intended way(unless I’m missing something?)

Edit - Now done. Definitely don’t look at this if you running the Kali OSCP exam VM as your base.

Rooted ! Fun box

Great box, really, learned a lot from this, thanks to all for the precious hints

root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bolt:~# wc root.txt
1 1 33 root.txt
root@bolt:~#

nice Box thank u ! mp for help

Need someone to kindly give me a nudge, I’m running the d***** im*** and I can see that I can ssh to the remote box but I can’t seem to crack the passphrase for the ssh key?

edit1: Never mind, thanks @3l0nMu5k for the nudge

edit2: rooted, but i think someone had borked the box a bit, had to reset it before i could do my exploit to pivot to second user, that was a really fun box :slight_smile:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

@SaMuTa said:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

Looking at the port, can you confirm you’ve added the address to your hosts file?