Quick

Just got user. This box is thoroughly melting my brain, which is awesome! Amazing box so far. Now to tackle next stage of privesc

■■■ I cannot for the life of me figure out the username for this. I have a password. But grasping now. Any nudge would be appreciated.

Ok, I was dumb. Sometimes these things can be a real buzz killington.

Hey all,
I accessed the new fast protocol for some docs. Looking to use that information and thinking it’s to be used on :91 at l****.p, sound about right? Do I need info from client information? If so, does their contact info end in .htb? Thanks

ugh, nevermind.

My exploit to get a shell won’t work even though I have the vulnerability.
I can curl from remote to me, but nothing more.
And trust me I’ve tried so many things for hours.
I don’t know what I’m missing… Never been so much frustrated.
This one is really hard!

Edit:
Got user, I was using -o with wget instead of -O.
Not gonna tell how much time I’ve wasted ■■■■

Hello to you all. Struggling a little with user1.
Now inside the portal and knowing which vuln to leverage. I’m getting callbacks but any sort of reverse shell or file read.

PM Nudges appreciated.
Thank you very much.

Well it took me 2 days to privesc from user1 → user2 because I overlooked some simple things. Super cool trick to be done though. Each step of this box has beat me up pretty bad lol, but I am so glad I pursued through it.

Edit: Rooted. Really hard and really fun

Hey all, trying to go from what I assume is user1 → user2. I see how the seasoning is being done and I’m trying to replicate the process. I’ve used password.lst and rockyou.txt and verified the process with the creds I already have. I’m feeling it’s the right direction but do not know for certain. Should I be using another wordlist? Maybe something custom? Thanks!

@cpl said:

Hey all, trying to go from what I assume is user1 → user2. I see how the seasoning is being done and I’m trying to replicate the process. I’ve used password.lst and rockyou.txt and verified the process with the creds I already have. I’m feeling it’s the right direction but do not know for certain. Should I be using another wordlist? Maybe something custom? Thanks!

rockyou will give you the right creds if you’re doing it correctly, but they won’t give you a shell as that user

THIS BOX REQUIRES NO BRUTEFORCE! Well done on the design of the user flag btw, initial foothold was frustrating asf

root@quick:~# id;whoami;hostname
uid=0(root) gid=0(root) groups=0(root)
root
quick

Awesome box, thanks @MrR3boot! Learned a few things here.

Initial foothold took me the longest. Finding the rest of the intended path was easy, but each step kicked me in the nuts a few times before being able to proceed.

Very long box, what a journey… very happy as it’s the first hard box I did with almost no relying on the hints, except for the very first step.

So with the hints here I managed to execute code but I still don’t know how I was supposed to figure out that I need to use the “new” stuff everyone talks about. I ran two nmap scans but the “other” nmap scan didn’t show me anything (like it usually does on htb).
Could someone please pm me if my scan was broken or if I missed some other information? I would really like to understand how I could’ve figured it out on my own.

Also small hint: docker can help when you need to run weird tools :slight_smile:

As an absolute beginner when it comes to Python this box really offered me the chance to practice using requests and bsoup to automate up to user 1. Thank you @MrR3boot - Onto root! :slight_smile:

ok… So I think I have tried everything to go from user1 → user2. Been messing with the p***t j**s functionality and checking on server with s** user. Cannot for the life of me figure out how to escalate to s****m (I have his password). I think I know where the file is that I need to get in order to access new user but I cannot get it to work with special functionality. Any nudges would be highly appreciated.

Thanks!

@tiltedtimmy said:

ok… So I think I have tried everything to go from user1 → user2. Been messing with the p***t j**s functionality and checking on server with s** user. Cannot for the life of me figure out how to escalate to s****m (I have his password). I think I know where the file is that I need to get in order to access new user but I cannot get it to work with special functionality. Any nudges would be highly appreciated.

Thanks!

If you already have the password and a shell, why don’t you just switch to that user? :wink:
NVM, seems like I mixed up 2 machines :smiley:

Would love a sanity check on the process of cracking a certain user’s password. I’ve written a script that works fine for the first username we have, but isn’t finding the second user’s passwords after reverse engineering the algorithm. Is it definitely in rockyou?

If you’re cracking passwords remember to strip your lines before comparing any values… :tired_face:

@skunk said:

Would love a sanity check on the process of cracking a certain user’s password. I’ve written a script that works fine for the first username we have, but isn’t finding the second user’s passwords after reverse engineering the algorithm. Is it definitely in rockyou?

Feel free to drop me a message.

Chances are you’ve missed a bit of seasoning it uses but if not, I am happy to have a look at what you’ve tried and see if I can help.

Awesome box learned a TON. Feel free to chime in if needed. :slight_smile:

Seems I am an idiot. Rooted…

My first “hard” box. Whew, quite a journey but I enjoyed it a lot. I needed a couple of tips for initial foothold but escalating from that it was straightforward digging.

Thank you @MrR3boot for the interesting box.

ping for tips, if needed