Patents

Comments

  • edited March 9

    @Ad0n said:

    @TazWake said:

    @Ad0n said:

    lol when a guy ranked Omniscient and ranked 53 calls this a doozy, lol what chance do I have against this box. Oh well, just reading the forums prior to digging in, hopefully this will be a struggle cuddle into a better understanding of something.

    Don't give up and don't fret too much about what other people do. I've been in the top 50 and I found this box very hard, largely because there are a lot of steps and a lot of blind attacks. But I also found Sauna hard...

    Hard / Easy boxes are very, very subjective.

    Good talk, coach, I'm ready to get back in there.

    Being that I am the original poster of the comment you referred to originally, I agree with what @TazWake said. Hang in there :)


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • 3 days later and I got user after a wicked amount of scraping the clues off the forum and a whole lot of trial and error. Thanks for the nudge of confidence, guys, feeling good about it. Now onward and forwards.

  • Rooted! Very complicated and very interesting box. I had to turn my head on and start thinking outside the box. Respect for @gbyolo for this job.

  • Struggling with initial X** (I can trigger it but I can't find a usable payload to execute commands or exfiltrate files)... Any nudges? Tnx

  • edited March 21

    Rooted....

    Initial Foothold:
    I don't think anyone likes recursive fuzzing for a single file .... :neutral:
    It's all about the wordlist, row row row your boat, try the largest
    Inspect what you find closely. Do some Google kung fu
    An XE* attack that works quite well. No need for automation on this. You learn more anyway if you don't.
    Sample DocX: https://file-examples.com/index.php/sample-documents-download/sample-doc-download/
    You're trying to find another file in the web client that provides you with capabilities for foothold

    User:
    Once on the box, use your essential automated enumeration scripts to get "user"

    Root:
    Go back to initial n*** scan and see what other ports are open
    ROP Emporium will help if you've never done these types of attacks
    Once you get a shell, you're not done yet. You won't find it where you are
    There are files hidden that will help you with your RE :)

    Hit me up on discord (I don't respond to messages on the forums). Thanks!

    godylocks

    If you like my advice, please give me some respect! Thanks!
    Message me on discord: godylocks#5721

  • Is fuzzing only to find the r*****e/U***********s? Or also to find LFI?

  • edited April 4

    @bhsec said:

    Is fuzzing only to find the r*****e/U***********s? Or also to find LFI?

    yeap

    Can anyone help me with spy part?
    EDIT: got it, thanks @TazWake!

  • Found the file the author mentioned, but don't see how this helps in finding the "injection point" for X**. Tried basically all the files inside D**X and also several different things I found for O*T files. But nothing want to connect back to me.
    If anyone could give me a nudge, I'd be really grateful :)


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • The file loosely refers to where in a docx the X is enabled. Not all docx templates might have that location.

  • edited April 5

    Just to chip in regarding the final step of the box (getting the root flag) - previous hints on here were very misleading to me, as neither whale-riding is required for that, nor a "second RE/PWN", at least as of April 2020 - maybe they were unintended ways to get the flag earlier?

    Either way, the other hints and tips were solid, thanks a lot @seekorswim @TazWake and @godylocks ! =)

    Anyway, to actually get the root flag, you need to double-check the place where you usually find it - maybe it is indeed there, but something covers it. ;)

  • @Konstant said:

    @bhsec said:

    Is fuzzing only to find the r*****e/U***********s? Or also to find LFI?

    yeap

    Can anyone help me with spy part?
    EDIT: got it, thanks @TazWake!

    Now I'm stuck in the spy part :)

  • I tried many wordlists, and got nothing except a LICENSE file.
    How can I get the changelog file? PM some hints.
    Thanks.

  • @todzhang said:

    I tried many wordlists, and got nothing except a LICENSE file.
    How can I get the changelog file? PM some hints.
    Thanks.

    Try more wordlists.
    https://forum.hackthebox.eu/discussion/comment/65539/#Comment_65539

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @todzhang said:
    I tried many wordlists, and got nothing except a LICENSE file.
    How can I get the changelog file? PM some hints.
    Thanks.

    Yeah, it's a real large one :smile:

  • Hi, I am stuck with X**. Tried many permutations adopted from different sources. Anybody would like to guide me? If yes, I will show what I have done so far. My discord: Ric0#7152

  • @Ric0 said:

    Hi, I am stuck with X**. Tried many permutations adopted from different sources. Anybody would like to guide me? If yes, I will show what I have done so far. My discord: Ric0#7152

    Thanks to @EvilT0r13 for pushing me on the right track.

  • edited April 19

    Hi, I retrieved the user flag and now I want to exploit the L** thing, but where do I get the binary from?

    Edit: Found it 5 minutes later; I had a typo in my find command.

    doxxos

  • Finally rooted this monster! That was the hardest box I've seen yet; took me about two weeks and a lot of coaching to get through this, but I learned so much! Really, it's incredible. Almost nothing required to beat this thing was really in my book of tricks, so I had to dig around for a lot of things.
    But when things finally work, the satisfaction is incredible!

    Thanks for the box @gbyolo, this has been one hell of a ride!

  • Got root! It's a really hard and very interesting box. One of the best boxes I've completed. Big thanks @gbyolo!
    P.S. Why does this box have such a low rating!?

  • @pinnn said:

    ...
    P.S. Why does this box have such a low rating!?

    I have no idea. So far, I really like this machine, even though I still haven't managed to root it.
    Currently, my exploit works locally, but for remote I need yet another info leak, since I don't get a vital gadget from libc. Unfortunately, I can't use the same technique for leaking the other lib's information :(
    But maybe I'll just take another exploitation approach that doesn't require r14 ;)


    Hack The Box
    GREM | OSCE | GASF | eJPT


  • Using several different techniques, I can pop shells on my local service, but can't seem to get anything run, when attacking the "real" service :/
    Anyone willing to push me in the right direction via PM?


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited May 3

    Rooted.
    For whoever tries this machine as their "first hard machine": go away, try other machines first.

    • user: hints in the forum are enough.
    • pwn: For the binary you have the source code and 2 versions of the binary (yes, 2 versions: one is easier to read :) ), use all you have. I suggest using Ghidra, which is very powerful in this situation where you have a lot of original function signatures. After exploiting it locally, go on to use one_gadget.
    • end: Linux standard enumeration is sufficient.

    It is a fu**ing odyssey full of very hard steps.
    gand3lf

  • Finally rooted. Awesome machine, even with all the frustration and head-desk moments it caused in between :D

    One hint I should have remembered more often: If something doesn't work, though it theoretically should, try resetting the machine. Should it still not work afterwards, try to find another way to achieve the same goal.


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited April 29

    Just got user. As mentioned above by @homesen, if you feel that it doesn't work but it should, give it a reset.

    If someone needs a hint or assistance for user i'm always happy to do so. For root my quest starts now :)

    --

    And rooted. A small frustration, at least on my end: the exploit is not reliable, so I kind of have to bruteforce the entry and be quick about it.

    Overall a nice experience; if it were more solid and did not require a few restarts to work as intended, it would have been much better.


  • edited May 7

    Can someone PM me and explain what I'm supposed to get out of the 'special' file on the webserver? I bruted for hours and finally found something that seems like the "you were definitely meant to find this", but I'm stumped with interpreting why it's useful.

    *Edit: Figured it out and got user.txt. Eventually, onto root!

  • edited May 1

    Stuck looking for the l**s****r binary.

    Edit: Found it.

  • edited May 2

    Can someone give me a nudge on RE please? I think I know what I have to exploit, but can't fully figure out..

    I can PM what I've found so far and where my thinking is headed..

  • Finally rooted.

    Had a really frustrating experience with this box, but learnt a lot through the many hints and nudges along the way. Thanks @dinosn @doxxos and @applepyguy for helping me!
