Could need a nudge here, I can ping myself (a Wonder) but fail to execute any rev shell. Now everyone is talking about a website and login, I’m puzzled if I’m on the wrong box? Can see only 2 ports and none is http/s
This is going to sound annoying but it is hard to say anything here without too many spoilers.
Hopefully it’s cryptic enough to not be rated as a spoiler, but still helpful to find a starting point:
As @TazWake said, protocols matter on this machine. So, you have to take the pain of also scanning the slow/non-confirming/non-rejecting protocol to discover where to proceed (it is advised to make it perform a simple service scan, to remove false positives from the list). After you have found something specific, research how this relates to the self-compiled tool (and why you most likely will have to compile it yourself).
Well alright, I took my time for this one. Many many facets that might make you think where is the end, but with a couple of breaks we get there.
Thanks for creating this one!
Hey all,
I accessed the new fast protocol for some docs. Looking to use that information and thinking it’s to be used on :91 at l****.p, sound about right? Do I need info from client information? If so, does their contact info end in .htb? Thanks
My exploit to get a shell won’t work even though I have the vulnerability.
I can curl from remote to me, but nothing more.
And trust me I’ve tried so many things for hours.
I don’t know what I’m missing… Never been so frustrated.
This one is really hard!
Edit:
Got user, I was using -o with wget instead of -O.
Not gonna tell how much time I’ve wasted ■■■■
Hello to you all. Struggling a little with user1.
Now inside the portal and knowing which vuln to leverage. I’m getting callbacks but any sort of reverse shell or file read.
Well it took me 2 days to privesc from user1 → user2 because I overlooked some simple things. Super cool trick to be done though. Each step of this box has beat me up pretty bad lol, but I am so glad I pursued through it.
Hey all, trying to go from what I assume is user1 → user2. I see how the seasoning is being done and I’m trying to replicate the process. I’ve used password.lst and rockyou.txt and verified the process with the creds I already have. I’m feeling it’s the right direction but do not know for certain. Should I be using another wordlist? Maybe something custom? Thanks!
rockyou will give you the right creds if you’re doing it correctly, but they won’t give you a shell as that user
Awesome box, thanks @MrR3boot! Learned a few things here.
Initial foothold took me the longest. Finding the rest of the intended path was easy, but each step kicked me in the nuts a few times before being able to proceed.
So with the hints here I managed to execute code but I still don’t know how I was supposed to figure out that I need to use the “new” stuff everyone talks about. I ran two nmap scans but the “other” nmap scan didn’t show me anything (like it usually does on htb).
Could someone please pm me if my scan was broken or if I missed some other information? I would really like to understand how I could’ve figured it out on my own.
Also small hint: docker can help when you need to run weird tools
As an absolute beginner when it comes to Python this box really offered me the chance to practice using requests and bsoup to automate up to user 1. Thank you @MrR3boot - Onto root!
ok… So I think I have tried everything to go from user1 → user2. Been messing with the p***t j**s functionality and checking on server with s** user. Cannot for the life of me figure out how to escalate to s****m (I have his password). I think I know where the file is that I need to get in order to access new user but I cannot get it to work with special functionality. Any nudges would be highly appreciated.
Thanks!
If you already have the password and a shell, why don’t you just switch to that user?
NVM, seems like I mixed up 2 machines