Magic

Done. Was really struggling with the root part for some hours because I misunderstood how that whole thing worked.

Very nice box!

@swagcat228 said:

Could not attach to process. If your uid matches the uid of the target
process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try
again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf
ptrace: Operation not permitted.

In my local, solution already found, but, as always, not on the server)

You might be overthinking this. You don’t need to RE anything for this box. Have a look at what it’s doing and see if you can meddle with it.

#Maybe an issue?
Hi, I’m stuck with the upload of the image… I tried every way to upload my rev, but even if I upload a clean image, I get the “alert” about png, jpg extension over and over.

Anyone have the same issue??

Hi All. Working on root. When trying to upgrade the shell, it seems I am now getting an error that won’t allow /bin/sh commands. Anyone having that problem or know how I might be able to get around? This was not an issue for the last few days.

Root Dance - learned an interesting method regarding the uploading.

Hello,

Could I have a hint on the initial foothold?
I can upload a file that contains PHP code, but I haven’t found a way to make it end with an executable extension. (Null bytes, double extension, content-type didn’t work).

I haven’t found any PHP file that does inclusion and would allow an RCE by including the image with php code.

I have also tried to include php instructions directly into the page since quotes aren’t filtered in the filename but it didn’t work either.

I am a bit lost about the direction I should take.

Obviously, I find what I am looking for just after asking for help.
Search for OWASP documentation about file upload. There are some strange configurations about what gets to be executed on a server.

stuck on www-root :confused:

And root! Great box from start to finish.

Happy to answer messages for hints.

I totally agree, I also enjoyed the box and had fun. Thanks.

Sanity check, someone please? I may be into a rabbit hole trying to root… DM if possible

ROOTED.

Learned a lot on this one! Thanks @TRX

Incredibly satisfying box for me. Although the frustration at getting initial foothold was maddening, the moment you realize how to get it will give satisfaction in awesome waves ;). Root was very routine I think. The user part was really great. Thank you for this box.

Great and funny box!

FOOTHOLD: Burp, exiftool and curl will help you. After, a strong reverse shell is necessary.
USER: An interesting service is running, not reachable before… And think easy way!
ROOT: suid3num, strings or pspy64, and find the right “path”!

rooted, nice and straightforward box

rooted the box! but root.txt doesn’t seem to have the right hash.
Did somebody experience the same thing?

@shinjikun said:

rooted the box! but root.txt doesn’t seem to have the right hash.
Did somebody experience the same thing?

It’s a dynamic hash so chances are:

  1. the box reset between you getting the hash and submitting it.
  2. the hash you have was submitted before was recognised (I have no idea how the dynamic hashes work)
  3. somehow you ended with an old hash.

It’s never happened to me so I have no idea what the solutions are but people have suggested resetting the box and re-rooting it so you know you have the right hash or wait a bit and try again.

At the very least this should be reported to HTB via Jira Service Management - they can’t fix the process if they don’t know it is broken.

any hints on root? got user

Nice box with good exploitation path.

User:

  • You don’t have to log in in order to go further, but if you want to log in, it’s a basic challenge.
  • Basic RCE, check what actions you can do there - lots of explanation about it. Just google.
  • Once you have a reverse shell, enumerate everything.

Root:

  • I assume there is a rabbit hole so if it’s not working, go on…
  • Again basic enumeration will give you all the details you need.
  • Pay attention to who you are and what you own.

Hope it’s not a spoiler.

Just got the root on Magic…thanks to Mty0x for a nudge on root…pm me if you are stuck