ForwardSlash

rooted!!! only took about a week :tired_face:

I have learned so much with this box.

Stuck on c****o part, have done the decryption, but get No key available…? Any hints on where I’m going wrong?

Reset fixed the issue… rooted :slight_smile:

This machine was hard and cool, especially the part from user a to user b.
In truth the binary is easy to exploit. But to make it read what you want you need to be really smart and also in the right dir.

For the c****o part :
I’ve chosen the rock bruteforce approach, no need to remove anything before or after decryption if you choose a “smart” validation function.
Don’t overthink, it’s really simple. One short line of python code.

If you do it in this way root will be trivial.
PM for hints.
NOTE THAT:
I won’t help any more people asking directly for solutions.
Share what you have done and what you would like to do.

Finally, I would like to discuss the c****o part, I failed to break the algorithm. Even if I tried. A lot. Can someone PM me please?
Also I’m working on a second way to root. I think I know what I should do but I don’t know how to do it. Again, if someone PMs me I would be really happy to share my thoughts.

hi, friends…

Can I request some help with user, please? I’m on the box with the first set of creds you can usefully use. I’ve found something I can run, which produces an error but tells me what I can do. I’ve figured out what the error equates to, but I’m stuck on the next step.

(i’d prefer to articulate what that step is via PM, because trying to do it here was too spoiler-y)

This box has kicked my ■■■. Stuck on python.
If someone could red pen what I’ve put together in exchange for a +1 that would be very much appreciated!!

Either on here or discord (ByteM3#0425)

Got root! Good box. All the hints are already on the forum.

Can anybody help me with user 1 → user 2? I’ve never done any manipulation with a binary and I have no idea what I am supposed to do with it. I checked ltrace and it gave me some basic idea of what it does but I can’t find a way to exploit it. Any suggestions are very welcome!

Got root! Great box overall!

Thanks to @InfoSecJack & @chivato for it and thanks to @davihack for the little nudge I needed with the crypto part!

Hello guys,

this is my first post on HTB.
I managed to get the first user c**v, and I found an interesting file. I tried many things to upload an enumeration script like Psyy, LinE** or LinP*** to the box, but for some reason I can’t.
Have you encountered the same problem?

@nourmuj said:

Hello guys,

I managed to get the first user c**v, and I found an interesting file.

Did you try scp for it? Did you use password or public key authorization?
I didn’t try the second but the first works for me.

I’ve just rooted this box. It’s a very interesting experience.
And I want to say thanks to @InfoSecJack & @chivato for the box.
And thanks to @PrivacyMonk3y for putting my separate knowledge about XXE together and for his very valuable tips :slight_smile:

What a ride! I can describe that box as a literal FUN!!! Thanks a lot to @InfoSecJack and @chivato.

Here are some hints.

Foothold:

  • As always, enumeration is the key.
  • Don’t bind yourself to a specific file type.
  • Read everything you find.
  • If a feature is disabled, bypass it :wink:

User:

  • With some basic enumeration you’ll find something interesting, it might look hard to use but it actually does a simple thing.
  • You don’t have to RE.
  • There are tools on the OS that can show you what actually happens.
  • Basic bash skills should give you what you need.

Root:

  • If you got here, with the previous enumeration you should have all the details.
  • Now you need to understand the script.
  • It can be brute forced.

If someone gained root without brute force, please ping me with some details :slight_smile:

I have never noticed, but looping through each line of rockyou in Python gives me issues, I have to ignore several entries, it cannot properly decode some lines…

root@forwardslash:~# id
uid=0(root) gid=0(root) groups=0(root)

Awesome box! Drove me crazy at times, but learned a few things!

@lebutter said:
I have never noticed, but looping through each line of rockyou in Python gives me issues, I have to ignore several entries, it cannot properly decode some lines…

Happened to me too. It works without decoding them too, though.
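
The decode failure discussed in the two posts above, as an added example that is not part of the thread: rockyou-style wordlists contain entries that are not valid UTF-8, so strict text-mode reading raises, while binary mode keeps every entry. The sample bytes and function names are constructed for illustration.

```python
import os
import tempfile

# Constructed sample: three wordlist entries; the second is Latin-1 encoded
# ("contraseña" with byte 0xF1), which is not valid UTF-8.
SAMPLE = b"password1\ncontrase\xf1a\nletmein\n"

def write_sample():
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    return path

def read_strict(path):
    """Text mode with strict UTF-8: raises on the undecodable entry."""
    with open(path, "r", encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh]

def read_bytes(path):
    """Binary mode: every entry survives exactly as stored."""
    with open(path, "rb") as fh:
        return [line.rstrip(b"\r\n") for line in fh]

def read_latin1(path):
    """Latin-1 maps each byte to one code point, so it never fails and
    .encode('latin-1') returns the original bytes."""
    with open(path, "r", encoding="latin-1") as fh:
        return [line.rstrip("\n") for line in fh]

def read_ignore(path):
    """errors='ignore' never fails but silently drops the bad bytes,
    so the entry is no longer the one stored in the file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\n") for line in fh]

def demo():
    path = write_sample()
    try:
        try:
            read_strict(path)
            strict_failed = False
        except UnicodeDecodeError:
            strict_failed = True
        return strict_failed, read_bytes(path), read_latin1(path), read_ignore(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Skipping or "ignoring" undecodable lines changes the set of entries actually tested; binary or Latin-1 reading does not.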

@fr0ster said:

@nourmuj said:

Hello guys,

I managed to get the first user c**v, and I found an interesting file.

Did you try scp for it? Did you use password or public key authorization?
I didn’t try the second but the first works for me.

scp, nc, python3 server, base64, zip not working; I do not know why :frowning:

@nourmuj said:
@fr0ster said:

@nourmuj said:

Hello guys,

I managed to get the first user c**v, and I found an interesting file.

Did you try scp for it? Did you use password or public key authorization?
I didn’t try the second but the first works for me.

scp, nc, python3 server, base64, zip not working; I do not know why :frowning:
file size after scp 0

Been trying to escalate from “C” to “P” the whole day
can’t find a way
please PM me if you can help

EDIT : DONE

And there’s root.

root@forwardslash:~# id && hostname && ifconfig | grep 10.10.10.183 && date
uid=0(root) gid=0(root) groups=0(root)
forwardslash
inet 10.10.10.183  netmask 255.255.255.0  broadcast 10.10.10.255
Mon May 11 15:30:35 UTC 2020

Many thanks to @beorn for a quick assist early on.

@fr0ster said:

I’ve just rooted this box. It’s a very interesting experience.
And I want to say thanks to @InfoSecJack & @chivato for the box.
And thanks to @PrivacyMonk3y for putting my separate knowledge about XXE together and for his very valuable tips :slight_smile:

:wink: congrats and no worries

@SohaibSEG said:

Been trying to escalate from “C” to “P” the whole day
can’t find a way
please PM me if you can help

EDIT : DONE
Banged successfully
honestly I really don’t know how my brute-force script worked lol