Obscurity

Rooted. A very, very fun box. If you’re familiar with debugging code, this should be a walk in the park. Every step along the path to root was pretty clear once you foothold.

It’s been stated here already, but I think this bears repeating. You really should set up a dev environment and try to get this to work on your machine before you attempt to foothold on the actual box. Setting up your own environment allows you to see exactly what is happening behind the scenes and you won’t mess anything up for other people while you are learning how this program works. I ran into some issues footholding that made me think my method was wrong. Turns out these issues were caused by other people attempting to foothold incorrectly. If you need any assistance setting up your own environment, feel free to ask.

my first medium box. still on my way to foothold. found the very secret py file. and I know what I have to do. if I execute it standalone it works. but when I execute it on the server (on my machine locally) it doesn’t work.
Anyone here, that wants to check my syntax or give me hints on what I’m doing wrong?

@theonemcp said:

my first medium box. still on my way to foothold. found the very secret py file. and I know what I have to do. if I execute it standalone it works. but when I execute it on the server (on my machine locally) it doesn’t work.
Anyone here, that wants to check my syntax or give me hints on what I’m doing wrong?

Might be worth double-checking how you are trying to inject it.

i have read the entry forum trying to find the famous hidden directory without success… can someone give me a nudge ? thanks in advance

@kalitkd said:

i have read the entry forum trying to find the famous hidden directory without success… can someone give me a nudge ? thanks in advance

You know the name of the file you are looking for. You just don’t know where it is. Just try to FUZZ the unknown part :wink:

fuzz stop every 30s , dirb found nothing

@kalitkd said:

fuzz stop every 30s , dirb found nothing

same here. used the medium list too

@TestUserx said:
@kalitkd said:

fuzz stop every 30s , dirb found nothing

same here. used the medium list too

You already know the filename. Add that info to the search. And stay common with the list

@kalitkd said:

fuzz stop every 30s , dirb found nothing

@TestUserx said:

same here. used the medium list too

Make sure you are fuzzing the right part of the URL.

@TazWake said:

@kalitkd said:

fuzz stop every 30s , dirb found nothing

@TestUserx said:

same here. used the medium list too

Make sure you are fuzzing the right part of the URL.

gobuster outputs a wonderful wall of text consisting of
Unsolicited response received on idle HTTP channel starting with “\n”; err=
and not even the -q flag makes it go away

@TestUserx said:

gobuster outputs a wonderful wall of text consisting of
Unsolicited response received on idle HTTP channel starting with “\n”; err=
and not even the -q flag makes it go away

Maybe gobuster is not the best tool to fuzz a web page path.

thanks to @4an7o and @TazWake I finally got a shell :smiley: I found another py. I guess I have to reverse that to get the password. That will be fun. :smiley:
despite getting the shell was a nightmare, I like the box so far. Again I learned something new

EDIT: Got USER. And it took me way longer than it should. At least it feels like it. At first this ■■■■ mu thing sent me on the completely wrong track and then I used the script parameters wrong … learning process again :slight_smile:

Finally rooted the box, yay !
Finding the initial foothold script was easy-ish, but getting to get RCE properly did provide a lot of escape challenges ! Probably that curl was not the easiest tool :wink:
Getting User was not that hard, after writing a few lines of python to have the CPU do the job instead of my brain :smile: .
Getting root was “too” easy, not sure if the method I used was the intended one. I wonder how y’all did that ?
Anyway, thanks a lot @c1cada , that was fun !

Rooted

@GUDIX said:

I have problems running the python code locally, someone could help me, I understand the vulnerability, but when I sent the G** with the RS I receive a Bad Request

Did you already debug it? You need to find out where exactly the problem occurs

EDIT: I finally ROOTED that thing. that very last part gave me more than a little headache. really have to learn to better watch out :wink:

Yeah I also rooted, my problem was a white space!!

I really enjoyed this box!
I’m relatively new here (this is my second box)
and I learned a lot

thanks! @clubby789

My tips:

foothold:
fuzz what you don’t know, once you get it. you will see the window.
replicate the process to see where the rocks you throw land.
once you know, it’s just a matter of syntax

user:
with everything I have at home what can i deduce about this?
it’s not hard math, really it’s more similar to deducing that if
3 + 2 = 5 then 5 - 3 must equal 2

root:
if you say the magic word the only way you know
something random is going to happen somewhere very specific
might want to throw a net rather than trying to catch it by hand.

Rooted. Nice box, like the theme. :joy:

To all out there: pls don’t break the box. user → root does not require you to move or modify any files.

rooted ! pretty cool box. still new on htb but i am doing great. DM me for help. :slight_smile:

Rooted. Really cool box! PM me if you need help