ServMon

Got user really easy. PM if you need a hint.

Going into root now.

The user is easy, but I can’t move forward with the rev shell to get root.

Got root, this is a great box. The @Everlastdg tip was excellent!!

Hi all,

Hopefully not a spoiler, just trying to get my head around something. Not necessarily specific to the box, just looking to understand the behaviour.

When using Firefox, wget or even Python to run an HTTP request containing …/, all instances of …/ get removed from the actual request being sent to the host. I can see that in Wireshark, so in this particular case things work fine with just a telnet request or using Burp to get the necessary stuff from the box.

I’ve searched around, but cannot seem to find an explanation for the behaviour or a way to turn it off. I’d be interested in how to address this, particularly in the Python requests library.

Thanks in advance!

Jesus, what a tricky machine. Well, user was pretty easy, but rooting was a total pain in the ■■■. (Not because of hard ways to root or smth like that but because of that “user-friendly service”)

PM for nudge

Hey all,

This is my first try on the box.

I am trying to get the user flag. I was able to get the P********.txt but none of them is working on port 80 or SMB. I don’t have any users, so I am trying the normal users…

Any guidance is appreciated.

Thanks

Looking for a hint for the initial foothold. Feel like I am running in a circle here.

@egorchel said:

Hi all,

Hopefully not a spoiler, just trying to get my head around something. Not necessarily specific to the box, just looking to understand the behaviour.

This might help https://forum.hackthebox.eu/discussion/comment/72042/#Comment_72042

I need some help: I did the s*h technique that’d allow you to access the forbidden page, still can’t access. I mean, it works because I get the reset error even when using localhost:serviceport in browser. But I think I shouldn’t be having the error at this point. I doubt I have to do something server-side. Maybe it has to do with my virtual machine network configuration? UFW is down, I’m not using bridge network adapter right now, instead using NAT.

Update: in fact, ++ port right now seems to be closed, I swear it.

Can anyone guide me on how to escalate privileges in Windows?

Biggest tip for root, is not to use the GUI. Spent so much wasted time there. There is another stable way where you can upload your script and then execute. Happy to PM for hints.

@BarnY said:

Biggest tip for root, is not to use the GUI. Spent so much wasted time there. There is another stable way where you can upload your script and then execute. Happy to PM for hints.

I finally did it, man! Your hint really helped me, turns out I was being a little lazy when reading the documentation. Machine was bugged though, and I wasn’t being allowed to connect because a certain port was closed. After resetting, everything worked as expected.

It took a bit of struggle, but got root after fighting with resets. Somewhat fun box and I learned some new tricks. That is what it is all about.

C:\Users\Administrator>whoami
whoami
nt authority\system

Whoever is resetting the machine every 10 mins, stop doing it.

Can someone please help me with user? I already abused the vuln and have the creds. I tried all possible ports to login to, which nmap found. I think the right one is missing.

EDIT: Got it - never mind.

@Luemmel said:

Can someone please help me with user? I already abused the vuln and have the creds. I tried all possible ports to login to, which nmap found. I think the right one is missing.

Did you try all the users that you can login as?

User: Simple enumeration and chaining of vulnerabilities found to find interesting files will work well. That will lead you to gain access as a user on the box.

Root: This kind of sucked for a while. Enumerate interesting things on the box. Some things aren’t available to everyone so figure out how to access it. I ended up using a combination of the API and the GUI to run the script as I couldn’t get the API to execute the script on its own (if someone would PM me how they did this I’d appreciate it).

No, you don’t need to follow the exploit on ExploitDB and you don’t have to do the cron it tells you to do.

PM me if you’re stuck.

Awesome box! Thanks @dmw0ng for a great learning experience. If I can be of any help, just shoot me a DM. Thanks.

Machine rooted!

@nyckelharpa Thanks for the advice.

All I can say is API documentation is necessary for rooting.

Capped user.txt. I believe I see the path to root, but will have to wait till tomorrow. Too many resets, gotta be quicker I guess lol.

UPDATE: just submitted root flag :) that was fun!!!

User: Utilize scripts when enumerating, they can show low-hanging fruit quickly.

Root: First, wait for the daily reset limit to be reached; it will happen, people are resetting this box like crazy. Once you’re able to feel around, check out the software. You can manipulate features of software sometimes and it runs with privileges.