Quick

Got root! Hardest box I’ve ever done, shaken me to my very core and nearly quit hacking. But it was very well written and worth the own! Very eye opening -

PM me when the pain is too much and you’ve tried everything lol

Rooted:
root@quick:~# hostname && id
quick
uid=0(root) gid=0(root) groups=0(root)

Thanks @MrR3boot that was a nice learning experience!!!
Feel free to drop me a message if u need help

You need to do two tasks for each step. I try to give you some hints although it is really hard to give hints without spoiling the box.

Edit or delete the comment if it spoils the box.

Initial foothold:
Nmap supports different protocols for scanning. You can find some port numbers which work on different protocols. Find it and google for the appropriate tool.

Pick your smartphone up and look at your gmail inbox, you haven’t received all emails from gmail users, right?

User1:
Always know what you request and what you get in return. Burpsuite is always your friend.

User2:
Oh ■■■■! It’s really amazing, just read, and think out of the box. If you are not good at programming, hmmmm it’s ok, you can find another way to get into the page. Just Think Out Of The Box.
If you are not good at PHP, hmmm you would be in pain :slight_smile:

Root:
There is nothing to say, just stay at home and read everything you see.

Why won’t htb let me reply to more than two inbox messages?

@CRYP70 They have a protection in place that won’t let you send a certain number of messages within a certain time frame (30 seconds, I think).

I’m user 1 and found the p****** files, but I don’t understand how to access the pages. Do I need to set this thing up myself?

I struggled hard with this box but in reply to all the messages here’s my two cents of hints:

  • Foothold: yes, you’re on the right track. It’s meant to be like that.
  • User: Not sure how to hint this one without giving too much away, previous forum posts have mentioned this plenty of times. lmk if you need sanity checking…Amazing user flag so you’ll feel better if you get this on your own.
  • Second user: I figured this out the hard way. Don’t bother wasting time experimenting and testing…just actually exploit it, but don’t go too far. Thank me later. Thanks to @nicoswd for that one.
  • Root: Standard enumeration - with all the terrible things happening in the news, it’s safer to just stay at home and hack ■■■■.

if ('spoiler' == true) {
    remove_post();
}

Peace everyone, hope y’all had a good weekend!

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like I’m just sitting here playing guess the email, what am I missing? I have tried generating a bunch of potential things based on clues in other pages.

@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like I’m just sitting here playing guess the email, what am I missing? I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

Rooted!

Props to @MrR3boot

Oh, and the wonderful @TazWake for the nudge again. Always dropping those useful hints!

Rooted!!
Great box!

I have access to the login creds and t******.php, but I need help with my payload. I can get commands to execute (from what I can tell), but I can’t get anything useful to run successfully.

Edit: nvm I figured it out.

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like I’m just sitting here playing guess the email, what am I missing? I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

@chonmayo said:

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

Sadly, I can’t think of any way to say more without it getting removed as a spoiler.

All I can say is you probably need to try more combinations. The information is on the site.

Finally rooted. This was quite a ride for me, but I’m happy I stuck with it. Here are my hints:

Foothold: The latest tech will save you.

User 1: If you can’t do it in one step, do it in three steps.

User 2: Writing can be so much more fun than reading.

Root: Once you find it, just try it out! Do NOT overcomplicate this last step or you’ll find yourself in a world of pain.

PM for nuggets.

Whew, user finally pwned… so many new techniques and ways to try harder.

Awesome box so far! On to root…

edit: User2 pwned, awesome privesc method :slight_smile:

edit: rooted!

Finally got user flag! The foothold was quite frustrating!
I’m trying to spawn the reverse shell but I’m stuck! A nudge would be very welcome :slight_smile:
Now I am trying to decrypt a hash, the password doesn’t seem to be in rock***.
Edit: Rooted. PM me for nudges

@chonmayo said:

@TazWake said:
@user29 said:

Feel like I am missing something easy and could use a nudge, I have the first password and I feel like I’m just sitting here playing guess the email, what am I missing? I have tried generating a bunch of potential things based on clues in other pages.

It is a bit of “guess the email” but this is pretty much the crux of enumeration. There is enough information available on the various bits you have access to, so that you can “guess” the email you need.

However, it might be better to use the information to create a wordlist then try a password spray attack.

I’m still stuck guessing a valid username after taking these steps. I tried a lot of combinations. Any more hints?

I had to try about 20k combinations before getting it, for what it’s worth.

Would someone mind taking a look at my e-mail creating script and helping point me to what I’m doing wrong?

EDIT: Got it, thanks to the nudge from @jhnhnck. On to user!