Traceback

@TazWake I know, it’s wild, it has been stumping me for quite some time.

Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn’t do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

@chicxulub said:

@TazWake I know, it’s wild, it has been stumping me for quite some time.

Yeah I will insert my nc one liner into the file, trigger it, pop a shell and it will be sysadmin again. It works every time using any of the four or five files that are there.

Ok, something isn’t working correctly.

But when I try to do the same thing like cp the flag to a different location or add my ssh to the root location, I receive that permission denied message. I am going to try and watch it, I thought about doing that earlier but didn’t do it. That may be the key. Maybe it is in fact working sometimes, I just am not realizing it.

The attack needs to be in the correct place and triggered in the correct way for it to work. It should be simple but as is so often the case, that just means lots of things can still go wrong.

@TazWake hmm… yes, the correct place, perhaps that is it. Another reason why I was wondering about the echoing instead of manual edit, but I figured it shouldn’t matter.

It is for sure some little thing that I am doing wrong that I haven’t realized yet, but I will eventually. One of those things you get and you’re like “god how did I miss that”. Thank you for your help!

After taking a break from HTB - it was nice to get back into it with this machine.

Quick and easy one.
Thanks @Xh4H for this fun learning experience.

Rooted. PM for nudges.

Initial Foothold: OSINT using the information you find on the homepage for the web server. One of them will work. I suggest saving all their names to a text file and giving them to gobuster to do the heavy lifting. Need a password? How about you read the source code.

User: Took me way too f**king long because I was trying to be too clever about it. Don’t bother with a reverse shell for this stage, save that for once you actually get the user account. Start simple, with a shell. You’re gonna need to “learn” a new language to get this shell to work. Also, don’t be lazy… read the man page for sudo.

Root: What processes are running? You probably won’t be entirely too familiar with the process running, so do some Googling. Even 10 minutes is enough to get an idea of what you’re going to have to do. You’ll need two terminals. Don’t bother editing any files directly, just append to whatever you wanna edit via >> rather than trying to edit and save. You won’t be fast enough.

Pretty fun box, and I actually enjoyed the CTF elements since they were done well.

Cheers @Xh4H

am stuck with root, I tried ssh thru web**mn but with no luck

I am getting this “load pubkey id_rsa : invalid format” error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

@N00p said:

am stuck with root, I tried ssh thru web**mn but with no luck

Finally Rooted

@anir08 said:
I am getting this “load pubkey id_rsa : invalid format” error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

Try it with different acc

@N00p said:
Try it with different acc

tried again and now the ssh says
Warning: Identity file id_rsa not accessible: No such file or directory

I even checked my public key when I escalated as sys***** abusing the said function.

@N00p said:

@anir08 said:
I am getting this “load pubkey id_rsa : invalid format” error while ssh ing to s****min account. I am quite sure I placed the pub key in the right way, why does this not work?

Try it with different acc

check perms of authorized_keys should be 600

@anir08 said:
@N00p said:
Try it with different acc

tried again and now the ssh says
Warning: Identity file id_rsa not accessible: No such file or directory

I even checked my public key when I escalated as sys***** abusing the said function.

check perms of authorized_keys should be 600

Rooted!
First box that took me less than a day, also the first that I didn’t have to message anyone for specific help about. Forum comments did help me though.
I thought this was a good box that linked together a few different techniques that had come up in other boxes. It took me a while to think through the steps but it all made sense in the end.
PM me if you need help!

All the hints for foothold are very cool, but!
Git repository where you’ll find the list of shells IS NOT THE AUTHOR’S
Cause he has just the same repo, but other shells, stuck on it for soooo long lol

after editing the a*********_***s and I try to login, it doesn’t accept it. I make sure that the file is how I left it but nothing happens. Any hints? I also tried to run a lua script but didn’t work

@AgentWhite said:

after editing the a*********_***s and I try to login, it doesn’t accept it. I make sure that the file is how I left it but nothing happens. Any hints

Chances are the file isn’t how you left it. A lot of people don’t understand the difference between > and >> so have a tendency to overwrite the existing files here.
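
The difference between > and >> from the reply above, combined with the 600 permission check suggested earlier in the thread, as an added example that is not part of any post. The keys are constructed placeholders, the function names are hypothetical, and everything runs in a temporary directory rather than a real ~/.ssh.

```shell
#!/bin/sh
# Added example: constructed placeholder keys, temp directory only.
KEY_OLD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOLD existing@host'
KEY_NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLENEW me@laptop'

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report mode, number of key lines, and whether a given key is present.
audit_keys() {
    file=$1; wanted=$2
    keys=$(awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$file")
    if grep -qxF -- "$wanted" "$file"; then present=yes; else present=no; fi
    echo "mode=$(file_mode "$file") keys=$keys present=$present"
}

# Build a fresh authorized_keys holding one existing key, mode 600.
new_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' "$KEY_OLD" > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    echo "$dir/authorized_keys"
}

# '>>' appends: the existing key survives and the new one is added.
append_case() {
    f=$(new_fixture)
    printf '%s\n' "$KEY_NEW" >> "$f"
    audit_keys "$f" "$KEY_OLD"
}

# '>' truncates first: the existing key is gone.
overwrite_case() {
    f=$(new_fixture)
    printf '%s\n' "$KEY_NEW" > "$f"
    audit_keys "$f" "$KEY_OLD"
}

echo "append:    $(append_case)"
echo "overwrite: $(overwrite_case)"
```

Running the same audit before and after an edit shows at once whether a key that was expected to remain is still in the file.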

Well, I didn’t realize I was putting the wrong key actually and I feel dumb about it.
Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

@AgentWhite said:

Well, I didn’t realize I was putting the wrong key actually and I feel dumb about it.
Anyhow, I managed to get the flag but my question is, was this machine only to get root or is there user also?

All HTB boxes have both flags, this one is no exception.

The user account you need to be in to get root has access to the user.txt flag.

When trying to SSH to 10.10.10.181 I am getting a password prompt. I didn’t configure any password while regenerating the ssh keys. Is anyone getting the same message, for a password prompt?