Magic

root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)

Got root, but the hash in root.txt appears to be wrong? Wtffff

@nicoswd said:

Got root, but the hash in root.txt appears to be wrong? Wtffff

Type your comment> @TazWake said:

@nicoswd said:

Got root, but the hash in root.txt appears to be wrong? Wtffff

Magic - #422 by TazWake - Machines - Hack The Box :: Forums

Thank you! I’ll try that ?

EDIT: That did it, thanks!

Type your comment> @TazWake said:

@shinjikun said:

rooted the box! but root.txt doesn’t seem to have the right Hash.
Did somebody experience the same Thing ?

Its a dynamic hash so chances are:

  1. the box reset between you getting the hash and submitting it.
  2. the hash you have was submitted before was recognised (I have no idea how the dynamic hashes work)
  3. somehow you ended with an old hash.

Its never happened to me so I have no idea what the solutions are but people have suggested resetting the box and re-rooting it so you know you have the right hash or wait a bit and try again.

At the very least this should be reported to HTB via Jira Jira Service Management - they cant fix the process if they don’t know it is broken.

Thanks you! Worked great!

id

uid=0(root) gid=0(root) groups=0(root),100(users)
Nice box!

every time a upload an image it says

what are you trying to do there

i tried png and jpg with and without a shell
any idea

Type your comment> @AhmedSaedAbdo said:

every time a upload an image it says

what are you trying to do there

I was getting this as well and it was quite annoying. I haven’t looked too deeply into why this is happening, but maybe it’s session related. At some point, the same request that was being blocked before would suddenly start working again.

I’ve lost a lot of time on this because I discarded methods that turned out to work later.

Any hints or guides on getting root. Please send. I’m using suid3num.py and pspy but not sure what i should be looking for or exploiting.

Type your comment> @unethicalnoob said:

Type your comment> @schizo said:

is it normal to have
theseus@10.10.10.185: Permission denied (publickey). ???
stuck in www-data

got a USER !!!
Hint: use alternative way

Can you DM me the alternative way? can’t get past it

Whatever you find, keep it, and use it. (:

Type your comment> @unethicalnoob said:

Type your comment> @a3n3a said:

Type your comment> @unethicalnoob said:

Type your comment> @schizo said:

is it normal to have
theseus@10.10.10.185: Permission denied (publickey). ???
stuck in www-data

got a USER !!!
Hint: use alternative way

Can you DM me the alternative way? can’t get past it

Whatever you find, keep it, and use it. (:

got user but root seems difficult.
linpeas,pspy got me nothing

In same position pretty much

Rooted, fun and pretty straightforward box. I’m ashamed that rooting took me so long. It should be 5 minutes. But well :slight_smile:
Thank you for nice box!

Type your comment> @Faelian said:

Obviously, I find what I am looking just after asking for help ?.
Search for OWASP documentation about file upload. There are some strange configuration about what get to be executed on a server.

■■■ that is literally the dumbest thing I’ve ever seen. Wasted like 2 hours on this one :confused:

So i know the username and have tried adding my key to the authorized_keys file, also tried known_hosts but I still get the Permission Denied (publickey) error. Any thoughts?> @a3n3a said:

Type your comment> @unethicalnoob said:

Type your comment> @schizo said:

is it normal to have
theseus@10.10.10.185: Permission denied (publickey). ???
stuck in www-data

got a USER !!!
Hint: use alternative way

Can you DM me the alternative way? can’t get past it

Whatever you find, keep it, and use it. (:

So i know the username and have tried adding my key to the authorized_keys file, also tried known_hosts, but I still get the Permission Denied (publickey) error. Alternatively tried using locate .pub to identify any accessible keys from RCE and tried these as my own as well. Any thoughts? PM?

Type your comment> @unethicalnoob said:

Stuck with Root…found the interesting binary s*****o but unable to figure it out…Can somebody please help?

Understand what all commands it execute

Type your comment> @c1black8 said:

Hi All. Working on root. When trying to upgrade the shell, it seems I am now getting an error that won’t allow /bin/sh commands. Anyone having that problem or know how I might be able to get around? This was not an issue for the last few days.

I’m having the same problem. And when I try to execute any commands using the shell type i get cannot open xyz binary:

root@ubuntu:/# /bin/sh echo hello
/bin/sh: 0: Can’t open echo

Got both the user and root flags but getting Error when I try and enter each one which is annoying after burning the midnight oil to get this box finished. I know I am not the first person to suffer this problem, I am on VIP so does that make any difference?

@flymomike said:
Got both the user and root flags but getting Error when I try and enter each one which is annoying after burning the midnight oil to get this box finished. I know I am not the first person to suffer this problem, I am on VIP so does that make any difference?

NVM accepted both flags when I tried a different way to enter them

Type your comment> @flymomike said:

@flymomike said:
Got both the user and root flags but getting Error when I try and enter each one which is annoying after burning the midnight oil to get this box finished. I know I am not the first person to suffer this problem, I am on VIP so does that make any difference?

NVM accepted both flags when I tried a different way to enter them

Just out of curiousity, would somebody mind giving me a nudge how you would get round the login page at the start without using some of the more common OWASP top 10 gotcha’s, which I obviously used.

huh, the first part was hard, but also it was a great machine, I learned a few things, also thanks for the great hint @choupit0 and thanks @TRX for this box. :slight_smile:

Thanks @TRX for the exciting box. Definitely made me feel dumb at some points, but in the end it was a lot of fun.

Thanks to @helichopper @akshanshshri for the hints

PM me if you need a hint!