Multimaster

Comments

  • @init5 said:

    @clubby789 said:
    @init5 said:

    I am bashing my head in the wall since last night even after bypassing WAF, nothing is crack-able from what I managed to dump. 😣

    It's crackable, just not the first thing you see

    I got 17 in total with only 4 being unique, tried rockyou.txt against everything but nothing worked.
    I am guessing I'm moving in the wrong direction.

    Same point, been stuck for hours. A nudge would be welcome :)

  • @syn4ps said:

    @init5 said:

    @clubby789 said:
    @init5 said:

    I am bashing my head in the wall since last night even after bypassing WAF, nothing is crack-able from what I managed to dump. 😣

    It's crackable, just not the first thing you see

    I got 17 in total with only 4 being unique, tried rockyou.txt against everything but nothing worked.
    I am guessing I'm moving in the wrong direction.

    Same point, been stuck for hours. A nudge would be welcome :)

    Same here :neutral:

  • I feel stupid, but I just can't get past the WAF. A nudge would be greatly appreciated

    Anuragd

  • edited March 2020

    Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don't seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don't have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, LDAP etc...?

  • edited March 2020

    @moszkva said:

    Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don't seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don't have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, LDAP etc...?

    You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :/

    EDIT: Slow down the queries to get a full list of Domain users... I was grepping my script and did not notice the 403s... User owned!

  • edited March 2020

    @syn4ps said:

    @moszkva said:

    Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don't seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don't have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, LDAP etc...?

    You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :/

    Yes. This is where I am right now. I got new domain users but the cracked passwords are not valid to them.

    I tried to login with them into other services and to mutate them based on frequently used rulesets. But nothing :-(

    I thought these are just default passwords which have been changed by the users and this is the reason why they are not valid.

    I also thought that somehow I should reset the users as these are their default passwords but I could not find a way so far to perform this.

  • Just got the user flag. The cred is still valid, so keep trying harder.
    Onto root now.

  • edited March 2020

    Spoiler Removed

  • I'm stuck trying to crack the hashes, could anyone give me a hint ? :smile:

  • @MrBlu3 said:

    I'm stuck trying to crack the hashes, could anyone give me a hint ? :smile:

    With the good hash function and rocks, you can crack them under 5 seconds :)

  • I just got user.

    Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.

    For the initial users, yes, I can give a good article which can help for the overall exploit.
    But finding the real user was insane and beautiful : )
    I struggled so much but when I found it was super proud of me. Was so so cool ...

    Now onto root ..... Let's see if I will struggle again :D most probably yes : )

    BIG THANKS @egre55 and @MinatoTW for this amazing box.

  • edited March 2020

    If you have trouble smelling what the Rock is cooking, you can try to Google for "hash brown analysis online". It's not what you think it is.

    limbernie
    Write-ups | Discord - limbernie#0386

  • To correct myself so that I don't sound so bad b**** :)
    For the next user I can also provide reading material

    mariab

  • ROOTED. I found root way easier than initial foothold. Of course there was a bit hopping thru users here as well : )

  • EDIT: seemed I skipped a step thru lateral movement : ) but will go back and try to do as intended

  • I guess I need a nudge for root :/ anyone willing to throw a nugget?

  • edited March 2020

    The path to user was one of the most awesome ones I have seen among the machines published.
    Thanks @egre55 and @MinatoTW for creating the amazing challenge.

    Stuck on root now for 2-3 days, went deep into 2 possible scenarios but couldn't quite get them working.

    If anyone is willing to provide me a small nudge, I would highly appreciate it :)

  • quick sanity check...got 4 unique hashes but can only crack 3 of them. Should I be able to get all 4?

  • No you need to find a user that can log in with a password. But first you need to find that user which is another moment of struggle : )

  • @velocicat

    No you need to find a user that can log in with a password. But first you need to find that user which is another moment of struggle : )
    also for that user you need to go back and search again

  • Finally rooted and I want to once again say:

    This was the best machine I've ever done on this site, massive props to the creators!

  • Finally got user! On to root...Great box so far! Thanks to everyone for the nudges and the hints on the forum.

  • This has been a very hard box for me. Feeling pretty hard-stuck as I finally got nudges to get me close to finding certain types of accounts, but the responses I'm getting back are not being encoded/decoded cleanly. Not sure how to handle.

  • @MariaB said:

    No you need to find a user that can log in with a password. But first you need to find that user which is another moment of struggle : )

    Indeed, I was struggling on this part as well, but very worth it :smiley:

  • @MariaB said:

    I just got user.

    Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.

    For the initial users, yes, I can give a good article which can help for the overall exploit.
    But finding the real user was insane and beautiful : )
    I struggled so much but when I found it was super proud of me. Was so so cool ...

    Now onto root ..... Let's see if I will struggle again :D most probably yes : )

    BIG THANKS @egre55 and @MinatoTW for this amazing box.

    Could I request this reading material please? :)

  • May I ask someone a couple of questions regarding this box?

    I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don't lead anywhere, but that could be my lack of knowledge about these systems.

  • @metuldann said:

    Could I request this reading material please? :)

    Same.. :smile:

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I've tried tweaking the tamper script but still failing hard.

    I may need to give up on this and find the reading material @MariaB hinted at.

    I don't need hints yet, just ranting more than anything else :smile:

    TazWake

  • @TazWake said:

    So far I have got a list of the users, and what I feel should be a POST request vuln to s*** using a tamper script. I've tried tweaking the tamper script but still failing hard.

    I may need to give up on this and find the reading material @MariaB hinted at.

    I don't need hints yet, just ranting more than anything else :smile:

    I doubt that the typical automation tools will get you there (even with according tamper scripts). I'd rather recommend writing a small script to exploit it. And then search for/find said reading material ;)


    GREM | OSCE | GASF | eJPT

  • @SgtSIGSEGV said:

    May I ask someone a couple of questions regarding this box?

    I have got user, but I am rather stuck on moving on to the next paths. I believe I have been down several rabbit holes which don't lead anywhere, but that could be my lack of knowledge about these systems.

    I'm in the same boat... I think I see that path to root this box, but must be missing a piece to this puzzle.
