ServMon

@davihack said:

What !? Only 2 stars?
It deserves more!!
Yes ok, user was easy (but that’s not a reason to give a bad rating).
Also, if you are bad at pentesting like me you could waste a lot of time on other services.
There was a lot of stuff to look at!!
Root in my honest opinion was pretty good.
Easy to detect the vulnerability, but the exploit is not trivial at all.

Good job @dmw0ng ! Thanks a lot, keep going with the good work :smile:

PS → Feel free to PM for hints.

whoami
nt authority\system

It deserves 1 star.

@VbScrub said:

However, I have seen other people in this thread saying even on VIP they had issues with this box in particular. So maybe I just got lucky with this one? The last box I did on VIP was great as well though.

Just to muddy the water, I switched to EU Free this evening and had a go at the box. I didn’t encounter any issues or resets (however, it was faster than normal because I already knew what to do) but there were quite a few people leaving ■■■■ around.

I think if people use “evil.bat” type filenames on the free servers, the chances are someone else will overwrite it faster than you can exploit the box. Other than that, it’s hard to think what people might be doing to break this box.

@NoName21 said:
It deserves 1 star.

Brutal :lol:

I don’t think you can blame the machine author for most of the issues people have had (and personally I didn’t have any issues at all).

As someone who has made a couple of machines for HTB myself, I will say it’s very hard to know how they will perform. When you make it you’re testing it just on your own VM with only you accessing it. Nothing like when it actually goes live on HTB with hundreds of people attacking it simultaneously, being hammered by brute force attacks and resets, whilst being constrained to minimal memory and CPU requirements (1 core and max of 2 GB RAM I think are the recommendations from HTB).

I am wondering if someone could give me a nudge for root. I understand what needs to happen but when I try to do anything it is unsuccessful.

@usmcjoker said:

I am wondering if someone could give me a nudge for root. I understand what needs to happen but when I try to do anything it is unsuccessful.

I think it depends on what is unsuccessful.

For example - some nudges include : use the API; issue commands from the server; plan the attack to keep it quick.

After struggling a lot to get root, I finally got it, but it definitely wasn’t a “straight forward” box and very unstable.

c:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

Hey guys,

I have user and I’m pretty sure I know what to do to get root. But I think I’m having issues with making a connection from the victim machine to my machine. I can’t seem to get a reverse shell to work with NC or set up ‘tunnel vision’. To do a simpler test of my networking I: (i) turned off the firewall on my host machine (running Kali on a VM with NAT); (ii) used python to host a simple http server on 4445 on the attacking machine; (iii) checked my IP address with ifconfig; (iv) tried to curl the http server on 4445 from the n****e account on the victim machine. But I get a failed to connect message. The http server works fine if curling it from my own machine. Any ideas?

@LexRespec said:

Hey guys,

I have user and I’m pretty sure I know what to do to get root. But I think I’m having issues with making a connection from the victim machine to my machine. I can’t seem to get a reverse shell to work with NC or set up ‘tunnel vision’. To do a simpler test of my networking I: (i) turned off the firewall on my host machine (running Kali on a VM with NAT); (ii) used python to host a simple http server on 4445 on the attacking machine; (iii) checked my IP address with ifconfig; (iv) tried to curl the http server on 4445 from the n****e account on the victim machine. But I get a failed to connect message. The http server works fine if curling it from my own machine. Any ideas?

You have a couple of choices - for example SSH Port Forwarding might be an option.

You can also just issue the curl commands from the server instead of your endpoint.

Hey! I’ve found some creds based on the instructions in the files gathered from the users which should be used for something one might think. Problem is that none of the pws work? Is someone changing the password to make me pull my hair out or am I jumping down a rabbit hole (would surprise me on this machine though) …:slight_smile:

this box is unstable asf, had to reset in order to knock on the next door neighbour’s door… Whole time I thought I was doing it wrong

Rooted.

All the hints you need are in this thread; just be aware the box can be a little sluggish/unstable, depending on how many other people are going for root.

Some of the reviews are quite harsh; I enjoyed this box, despite the performance issues. It’s always good fun to learn new techniques, and this box provided that opportunity for me.

Which tools did you all use for exploiting the vulnerability found in the low port?
With a well known tool I can get a PoC working, but when I try to use it with different parameters it fails miserably.

Finally got Root shell… very unstable machine but it was nice experience.
Thanx to @RedDevil09 for helping.

User: check for lower ports and some information will give you user access.

Root: use of c**l command on some installed software. port forwarding not required.

For freshers this box is very good to learn new things.

@vertering said:

Which tools did you all use for exploiting the vulnerability found in the low port?
With a well known tool I can get a PoC working, but when I try to use it with different parameters it fails miserably.

Not sure what you mean here. If you mean the lowest port, then the built-in client on any Linux machine will work.

If you mean the highest two-digit port, then the exploit is just through a request - you can use any tool.

Servmon, I really broke my feet! between the rest!
the user is good, the root is **** up

What an ordeal! I finally got root, but not after a BUNCH of frustration and dealing with an unstable box.

User Hints: Enumerate. Find an exploit that will let you see things that should be hidden. You’ll find seven keys. There’s a way in, but you might have to try a few keys in a couple doors before you find it. Have patience, you’ll get in.

Root Hints:

  • You should already know the exploit from your previous enumeration. However, the steps outlined in the exploit documentation are straight-up trash. You should know what these steps aim to accomplish, but you should not attempt to follow these steps to the letter. If you do, you’ll just make yourself (and everyone else trying to root the box at the same time) miserable.
  • You won’t be able to reach your goal without a little redirection. Consider the door through which you entered, and the special features of the door that might enable you to open other doors.
  • Read the documentation for the service. There’s a way to interact with it that doesn’t require a browser. You can run two commands from the Kali command line, and that’s all it takes.
  • Whatever you do, don’t try to reload the service. It will crash. You will pull out your hair, rip your clothes, gnash your teeth, and curse the Creator.

@dmw0ng – This was perhaps the most frustrating box I’ve rooted. It tested my patience and perseverance. It forced me to read an instruction manual for a product I hope to never, ever encounter for the rest of my days. It drove me to the brink of insanity.

But it challenged me, and I persevered. Thank you for that.

got user easily but stuck on getting root where to look, please pm.

Finally rooted this box!

I think enough hints have been given but here’s a tip.

Use the API. Exploitation is even simpler I think. If you’re struggling I’m here for advice.

Special thanks to @pHuR1u5 for a final hint that allowed me to root the machine.

I’m really sorry for @dmw0ng, who receives bad ratings on their box because the others don’t follow the right way and try, without thinking, the first exploit they find. This box was really nice! I hope you’ll make another one!

rooted… this box is … the worst…

but kinda cool

@GeorgieH10 said:

Hey! I’ve found some creds based on the instructions in the files gathered from the users which should be used for something one might think. Problem is that none of the pws work? Is someone changing the password to make me pull my hair out or am I jumping down a rabbit hole (would surprise me on this machine though) …:slight_smile:

Sure enough the same creds worked after a couple of hours… Rooted, fun box and I learned a lot even though my hair is absolutely somewhat thinner than it was before this box