Nest

my brain is hurting a lot XD

Rooted, fun box. A bit hard for me, considering that it is listed as easy.
Thanks @VbScrub

Anyone open to PM to point me in the right direction? I will share everything I have gathered so far. Thanks


Wow, what a challenge @VbScrub. Thank you for this box! :smiley:

Finally root’ed as well and for me far from “easy” as mentioned before.

Mainly as I have limited Windows filesystem knowledge and would never have found the key to the 0 byte file without the hints here in the forum. But everything is in the pages here before. I didn’t have to ask somebody by PM and I see this as a personal progress.

Even after reading a lot about the “trick” behind it, as I’m working on a pure Linux machine, I was afraid that I wouldn’t be able to get to the juice.
But as a hint: you can do almost everything on the box itself. No need to spin up a Win-VM. It’s all about knowing and understanding the commands you can use there. And here I learned a lot as well, so thank you again.

Ah, and if you are thinking about how to disassemble Windows executables, you may have a look at GitHub - icsharpcode/AvaloniaILSpy: Avalonia-based .NET Decompiler (port of ILSpy)
Worked very well for me.

If you need a little nudge anyway, you are welcome to send me a PM with what you have tried so far

As said here what a fun and challenging box!

User - Enumeration is key. Look at what you can do on the open ports. Here may lie some interesting files.

Root - Again enumeration is key, maybe use some of the same methods as user (with some slight changes perhaps).

Thanks @VbScrub for the box. Also thank you to @salt for the invaluable hints.

root dance - I did try to reverse the programs but I still need to learn. Thank you to someone in the forum for a comment about streams, learned something new. My clue to help anyone along - if you have a break at the right place everything becomes clear so you don’t need to add any lines (hope that makes sense to someone, it is 0300hrs)

So I got to the user flag but when I put it in it says error. Is there an additional step or ADS that I am missing here?

root…FINALLY…Holy ■■■■, what a ride!

Learned a ■■■■ ton, thanks @Vbscrub for the challenge, and to @ZloyObezyan, @chvancooten and @bigb0ss for the tips that helped me get there!

I got an encrypted root password, but the code which I’d used to decrypt the C.XXXXh password didn’t work (it returned an error).

I think I should do something with HXXXXX.exe, but I have no experience of reverse engineering and it looks very difficult for me to reverse it and get a code from it.
Did everyone get a code for decryption through reverse engineering .exe?

stXXXXs command showed me some pieces of information but there was no useful information…

@whitelily said:

I got an encrypted root password, but the code which I’d used to decrypt the C.XXXXh password didn’t work (it returned an error).

I think I should do something with HXXXXX.exe, but I have no experience of reverse engineering and it looks very difficult for me to reverse it and get a code from it.
Did everyone get a code for decryption through reverse engineering .exe?

stXXXXs command showed me some pieces of information but there was no useful information…

Decompile the exe. Google decompilers, you’ll find plenty of them.

After hours of searching for the project I have found the project. From my perspective, I can give you a little push: If you don’t have access to displaying the folders in a specific location, don’t assume you can’t do other things from this location, even though this location seems very secure…

@VbScrub, I already like this box even though I don’t have user and root yet. This is a really cool CTF box!

@Meise said:

Can someone give me a hint for the foothold? I have enumerated ports, services, I’ve got an interesting service, but it seems I can’t do anything with it

If you are on Kali, there is a built-in client to connect to one of the ports you have found.

@baitin said:

So I got to the user flag but when I put it in it says error. Is there an additional step or ADS that I am missing here?

If you have user.txt, then it should be the flag - no additional trickery as far as I can remember.

If you have found something that looks like a flag, it might be a flag.

Alternatively, some clown has decided to mess with the box and it needs a reset.

Thanks for an amazing box @VbScrub. Had a lot of fun rooting this box!

@sparkla said:

Got any issue, all help highly appreciated:

RE H****Ld.e and the empty file - I get

(Spoiler)
I’ve been searching around but to no avail, it seems all correct, buffer length etc. Maybe my RE software (JB .p**k) translated it wrong?

The password you got from the empty file does not need decrypting. You just use that in the other service that is running on a higher port

Cool, got user now. I liked the VB script. Thumbs up for @VbScrub!

Without a shadow of a doubt, this has been the weirdest box I’ve done so far on HtB. Psexec would have made it easy like Jerry and Blue, but it wasn’t. Learned a lot though! Thank you for twisting my brain @VbScrub Next time please be more gentle :stuck_out_tongue_winking_eye:

@sx02089 said:
Without a shadow of a doubt, this has been the weirdest box I’ve done so far on HtB. Psexec would have made it easy like Jerry and Blue, but it wasn’t. Learned a lot though! Thank you for twisting my brain @VbScrub Next time please be more gentle :stuck_out_tongue_winking_eye:

haha that’s probably because I made it about 7 months ago when I was pretty new to HTB. Turns out it takes quite a long time to go through the approval process and for all the old machines to be retired before yours goes live.

Just submitted another one yesterday, so you can look forward to that in 6 months time lol

@baitin said:

So I got to the user flag but when I put it in it says error. Is there an additional step or ADS that I am missing here?

I had the same problem, it cost me lots of time :stuck_out_tongue: Don’t waste time with Linux in this step like me, just use Windows OS…