Registry

Got really stuck for the login page.
##DAAAAAMN

root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)

Hack The Box

USER :
Enumerate the web application with the documentation of the API
download the file from the browser and enumerate what you get
get creds, enumerate again, get a connection

Feel Free to PM :smile:

@TeRMaN said:

Hey guys, I'm stuck at d****.r*******.h**/v*. I researched the re******/*.0 version and got how it works (not too much) but couldn't find the right path. I tried “_ca*****” but nothing. Can someone help me with what the next step is?

Edit: Got User1 for now

Edit: Rooted. Thank you all.

Hardest box I’ve done so far. Lots of research is necessary for this one >.<

User1 (easy): brush up on c********s
User2 (medium): I spent longer than I’d like to admit looking for login creds… oops. Once authenticated, the rest is google-able. Just be quick, have some tabs open.
Root (difficult): One thing to remember… as others have mentioned here, everything should be done on the box. You’ll save a lot of potentially wasted time. Try testing locally first. Check out what permissions you have as user2. The rest is trial + error.

I immediately got to the b… user before getting an initial foothold, and found the user.txt. Seems like I need to get to some l… page to get a f… up… Any nudges on where to find this page where I need to enter something I found?

Hi, I am working on the initial user, I got all the files downloaded, but can’t find the creds?

E: I think I got the hash but can’t find a way to decrypt the hash, tried john and hashcat. Any nudges?

Rooted!

Whew this was such a hard and interesting box. I certainly learned a lot! Well- Here come some hints… Bear with me because this is the first time I give out hints.

User1: A certain service on this box will allow you to look into the past, some say that it recorded the forging of the key to open the door!

User2: After a lot of enumeration on User1, you should have found some information that you can use, a certain cat we know may want to play with that - but your journey for User2 does not end here. You will need to be really quick if you want to access what is underneath.

Root: One User can do what the other cannot. When you find a certain file you will realize what it is that you are supposed to do. Tunnel vision is sometimes needed!

PM me if you need any nudges! Thanks @thek for this amazing box!

Finally rooted this one, took me a while to figure out how to get all the file permissions right.

Feel free to PM me for hints

I found the /sealed key/ in d***** i**** but cannot crack it with j***, though I ran the converter script. Any idea what might have gone wrong?

EDIT: tried on my host (win) machine, same result - nothing. What the ■■■■ is going on ?! :frowning:

EDIT v2: NVM, got it. VERY sneaky! I like it.

I would really appreciate some nudges how to get w**-a from b. Thanks!

Not like this box is hard or easy or whatever, but most of the things I’ve found through the initial foothold have led me nowhere or to what looks to be a dead end, and…I’m confused to be quite honest. Can someone help out? If so, PM me.

@Dzsanosz said:

I would really appreciate some nudges how to get w**-a from b. Thanks!

There is an enumeration script which gives you some useful information. Then you may need to take a step back and dig deeper with your web enumeration fu to find a place to use it.

Once you’ve used it, a fairly typical attack gets you a shell.

@JSONSec said:

Help!

I’m stuck on the last step and it’s so frustrating. I have a w**-*** * shell. I can’t figure out how I am supposed to use the r***** command :frowning:

I am also stuck at the same place. I know what I need to do, but don't know how to do it. Can anyone help me on this?

EDIT:
Got the root (file I mean). Thanks to @CodingKoala for providing hint towards root.
Overall - User seemed quite easy compared to root. Restrictions on the box made it difficult.

My Hints:
User 1: Find what software/tool you are working on and enumerate. There is a good article which shows a step-by-step approach to enumerate. Explore the things which you have got. You will find useful data within to get user1.
User 2: This is a bit tricky. Find the login page. Creds can again be found in the data you got from User 1. Upload things and get the shell. (The method I used is, I think, different from others. I did not face any issue making things work fast. My uploaded data (file) was there for a long time.)
Root: Again tricky as I did not know methods to bypass/forward things. You can easily find what you need to exploit, but exploiting it is difficult.

If you require any help, PM me.
If I have spoiled anything, please report.

@grav3m1ndbyte said:

Not like this box is hard or easy or whatever, but most of the things I’ve found through the initial foothold have led me nowhere or to what looks to be a dead end, and…I’m confused to be quite honest. Can someone help out? If so, PM me.

I was able to get the user flag yesterday, but need direction on what needs to be done after. If anyone wants to help, PM me.

Need help for w**-d***, can’t get code execution. If anyone wants to help I’ll appreciate it :smile:

Edit: Rooted! Thanks @CodingKoala for the nudge.

bolt
uid=0(root) gid=0(root) groups=0(root)
Wed Mar 11 01:58:17 UTC 2020

Feel free to pm for help!

Can someone give me a nudge on initial foothold? I found a couple files in i****** directory. Found a login page for b***. Not sure what direction to go. Wasted a ton of time researching d*****, still not sure if that is the correct path.

I’m still fighting with the second user, but I have a question for the seasoned pentesters. I have created a setuid.c file (I compiled it), which sets the suid and guid to w**-d***, I managed to upload this file through the webapp (via webshell), so the owner of the file is w**-d****, I set the suid bit, I ran the file with user b***, and I could not escalate to w**-d***. Why is that? I checked the fs, and there should not be a nosuid mount. Any ideas?

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

I think I got user the unintended way, I was able to ssh in with what I pulled from the blobs, then reset the box because it was giving me issues and now I can’t ssh :neutral:

EDIT: Disregard - it was the intended way, I had a typo :blush:

@nando740 said:

An “x509: certificate signed by unknown authority” error indicates I’m on the right track?

The certificate will give you a clue about what website to visit