Registry

I’m so close, and so annoyed. Can’t root via d***** , as I’m 32 and not 64. 2 days of my life I wish I’d spent elsewhere! :slight_smile: If anyone knows an unintended method, I’d appreciate a nudge over PM as I can’t do it the intended way(unless I’m missing something?)

Edit - Now done. Definitely don’t look at this if you running the Kali OSCP exam VM as your base.

Rooted ! Fun box

Great box, really, learned a lot from this, thanks to all for the precious hints

root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bolt:~# wc root.txt
1 1 33 root.txt
root@bolt:~#

nice Box thank u ! mp for help

Need someone to kindly give me a nudge, I’m running the d***** im*** and I can see that I can ssh to the remote box but I can’t seem to crack the passphrase for the ssh key?

edit1: Never mind, thanks @3l0nMu5k for the nudge

edit2: rooted, but i think someone had borked the box a bit, had to reset it before i could do my exploit to pivot to second user, that was a really fun box :slight_smile:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

@SaMuTa said:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

Looking at the port, can you confirm you’ve added the address to your hosts file?

Type your comment> @TazWake said:

@SaMuTa said:

I’m stuck with this error

Error response from daemon: Get https://d*****.r*****.htb/v2/: dial tcp: lookup d*****.r*****.h on ..**.:53: no such host

any help ???

Looking at the port, can you confirm you’ve added the address to your hosts file?

tried lots of solutions same problem, I added the url as insecure registry in d****n.json still the same

Weeelll… got the root flag but no root shell.

This was my path: enum --(d****r-r*******y)--> user b***t --(b***t-C*S)--> user w**-***a --(r****c)--> root flag and more hashes

Now attempting to crack them hashes.

Is this the intended way?

Finally end of 3 days journey, Registry Rooted!!, struggled on user2 with unstable shell, thanks to @coopertim13 and @madseason for nudge

got user b**t ,cracked the hash, found the app, got stuck. any tip/hint is appreciated .

On user www-data but not sure how to reach my rest server. Any hints/nudges will be appreciated!

Done, not convinced that the ‘protection’ around user2 is that true to life. I think that most installs would instead use immutable data rather than overwrite. BUt that would make this even more difficult then :slight_smile:

Right… got the root shell. The way to it is not far from the root flag.

However is the user1 --(b***t-C*S)--> user2 the intended way? There is this lack luster protection in place, that was pretty easy to get around. Not sure if that was intentionally easy to get around of if that’s not the intended way.

This was incredibly hard for me. I spent lots of time reading and learning about the services this machine had. Do pm me if you need some help.

@targodan This is what i have done as well, so i guess it is the intended way.

not sure if this is on my end or not but I cannot get JTR to work. Keep getting zero guesses despite following the same process I follow every time.

Anything different about this key? shoot me a message if possible

@sicxnull said:

not sure if this is on my end or not but I cannot get JTR to work. Keep getting zero guesses despite following the same process I follow every time.

Anything different about this key? shoot me a message if possible

I might be mistaken but I dont think there is anything you need to run john against on this box.

Challenging box. Thanks to the creator.

PM for help ?

Type your comment> @TazWake said:

@sicxnull said:

not sure if this is on my end or not but I cannot get JTR to work. Keep getting zero guesses despite following the same process I follow every time.

Anything different about this key? shoot me a message if possible

I might be mistaken but I dont think there is anything you need to run john against on this box.

looked around some more. was right in front of me. ha

@sicxnull said:

looked around some more. was right in front of me. ha

Nice one - persistence pays off.