Admirer


Comments

  • @TazWake said:

    @sparrow1 said:

    I didn't mention that it is a file-leaking exploit, probably the rogue one to be used here. I just have the problem that the server is responding with a malformed packet and not returning data. @xkcm seems to have the same problem.

    I might be massively missing something because I don't know what the rogue tool is, but the bit you are talking about can be manually exploited.

    Thanks. Indeed it can. Also my error was caused by getting a file beyond my reach. Exploit works for nearby files.

    sparrow1

  • edited May 26

    Rooted! This is the first box I've had where user is way harder than the root. People having login problems should check their plugin values for the software they're using. Feel free to PM me for nudges!

    xkcm

  • @in3vitab13 said:

    how are you people getting to the login page?

    The way is already in plain sight, just google it... and remember, don't overcomplicate things!

  • Finally Rooted after getting headache for days
    Foothold is very new for me and hard too.

    s1lv3rst4r

  • edited May 27

    great one! Finally rooted with some help from T13nn3s
    If someone needs a nudge feel free to ask me (discord: nospa#4906)

  • rooted this one at least. this box was fun and I learned a few cool things on the way.

    thanks to the creators of this box, well played!

    If you need nudge, feel free to PM
  • Good afternoon.

    Cost but I got User and Root on this blessed machine.

    if I look at it in retrospect .. everything is achieved in 20/30 minutes .. it is an excessively easy machine .. of course I already have it resolved and look back ...

    Tips..

    Enumeration, Enumeration ... wFuzz and use different lists, if you can't find anything ... try again ...

    Login: It is hidden, but it is not difficult to find, start with the basics, and continue with the basics .. it does not require more than the basics .. and its exploitation is simple but you should read .. google is your friend ...

    User: List, and look for the basics ... everything is just you have to look carefully ...

    Root: This caught me off guard, the method I did not know but it is simple and effective ... if you listed well, you will find an interesting file ... do not be afraid of SNAKE ...

    I'm just a newbie and it took me 4 days ... and just because I didn't follow my own advice ...

  • So... many... creds...

    LMAY75
    Always happy to help, DM me if you need anything!

  • Rooted! Really cool and kind of a steep learning curve on the enumeration side of the job. Always when I'm finishing a box and feeling satisfied about my enumeration skills growing the next box even messes my head up more. But for the good side of things!

    A bunch of useful nudges have been given already over here. Here is my sum-up:

    Foothold: use biggie and if you find something useful, use it again on what you found. Repeat it to the bone!

    User: Knowing basic SQL and google to find the right thing to do the job with should do it. It's useful to know how to set up a database locally, grant permissions to users and allow data to load in

    Root: I used veggies and the snake to get the job done. Look carefully where you are able to do things! I got stuck a while on that one....

    PM if you want to discuss your own situation. Please mention the box's name and what you did so far since I get many PMs lately about the boxes I owned. "Pls help can't get in" doesn't do it for me...

    Thanks to the creators of this box for the pain in the a** and the stuff I learned today!

  • Oh yeah, I don't know if I can but I would like to file a ban request for user @atsika who published a public write-up on this box. You're screwing up the fun of learning hacking for us who are here to actually gain skills instead of points.

  • @manderait said:

    Oh yeah, I don't know if I can but I would like to file a ban request for user @atsika who published a public write-up on this box. You're screwing up the fun of learning hacking for us who are here to actually gain skills instead of points.

    The only way I know of to report things is via Jira (https://hackthebox.atlassian.net/servicedesk/customer/portal/1)

    While it is clearly a violation of the HTB Ts&Cs, and I haven't seen the write-up in question, the reality is people find things like this if they are googling for HTB specific terms rather than researching exploits or vulnerabilities. For me, the user is screwing things up for people who want to follow a write-up rather than gain skills.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Need some help logging into the A*****r page. I have the db set up on my machine but can't login from the portal. It says "Access denied for user 'root'@'localhost'"

    LMAY75
    Always happy to help, DM me if you need anything!

  • @LMAY75 said:

    Need some help logging into the A*****r page. I have the db set up on my machine but can't login from the portal. It says "Access denied for user 'root'@'localhost'"

    There are some specific configuration steps which are required to allow remote connections.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • I set up a MySQL database on my machine and it still doesn't want to connect and login....

  • edited May 29

    @Gentooman said:

    I set up a MySQL database on my machine and it still doesn't want to connect and login....

    maybe something is blocking it and you need to open the door to allow it inside..

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • @acidbat said:

    @Gentooman said:

    I set up a MySQL database on my machine and it still doesn't want to connect and login....

    maybe something is blocking it and you need to open the door to allow it inside..

    I already allowed EVERYTHING on my TUN0 adapter and it just won't connect....

  • @Gentooman said:

    @acidbat said:

    @Gentooman said:

    I set up a MySQL database on my machine and it still doesn't want to connect and login....

    maybe something is blocking it and you need to open the door to allow it inside..

    I already allowed EVERYTHING on my TUN0 adapter and it just won't connect....

    Forgot one step BIN*********SS

  • @khalid7 said:

    I have this error MySQL server has gone away can anyone tell me what to do?

    Edit: Solved

    getting the same error, how did you solve it? bro

  • Got stuck in the "snake" game.
    I know what the snake is looking for.
    By tracing the path of the snake, the only thing that I realise is I cannot change anything in any of it.
    Am I on the wrong path again?

  • @6uta said:

    Am I on the wrong path again?

    I don't think so. Double check your realisation.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Could use a nudge. Found login, creds don't work. Used technique to grab files, with success but useless files. Am I on the right track? A little too vague? Don't want to spoil.

    Arrexel

  • @BINtendo said:

    Could use a nudge. Found login, creds don't work. Used technique to grab files, with success but useless files. Am I on the right track? A little too vague? Don't want to spoil.

    If you are looking at the right login place, look for a way you don't need credentials.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Rooted! Foothold really made me take a step back and analyze everything. Love the fact that not all creds thrown at you are useful, it feels very realistic. I personally loved this box from start to finish.

    Foothold

    This is where you need to step up your enumeration. Use different tools, fuzzing and manual enum if needed to find directories you're not supposed to be in. As someone earlier mentioned, the fact that one thing gives you a 403 doesn't mean it's completely forbidden.

    User

    Piece everything together. The website's admin hints to using a 'better open source alternative' in some files, what could this mean?

    Root

    New privilege escalation method. No enum needed in my case. This path will become obvious from the start if you read everything carefully.

    Always happy to assist so PM me with details on where you're currently at and I'll try to nudge you in the right direction.

    Hack The Box

  • @TazWake said:

    @6uta said:

    Am I on the wrong path again?

    I don't think so. Double check your realisation.

    Thank you, just rooted.
    But I didn't find that the snake will go to where I am interested.
    So I tell the snake where it should go.

  • Rooted.

    Actually didn't have much of an issue with user (except for dirbuster not working for some reason?).

    Root involves a technique with a...twist that I have never seen before. I had no idea it was possible.

    Cool box! Thanks!

    Hack The Box

  • edited May 30
    @TazWake said:
    > @BINtendo said:
    >
    > (Quote)
    > If you are looking at the right login place, look for a way you don't need credentials.

    Ok, so I'm pretty sure I'm on the right track. Like I said, I can successfully grab files, but the useful files I want are restricted. I can't think of anything close by that would help. I'm up and down the GitHub for this service, looking at my own setup for ideas... could use a push in the right direction. Thanks

    Arrexel

  • @in3vitab13 said:

    @khalid7 said:

    I have this error MySQL server has gone away can anyone tell me what to do?

    Edit: Solved

    getting the same error, how did you solve it? bro

    google is the best answer
    the solution depends on you

  • Rooted. Foothold was a pain but really, as people say: "don't overthink it". You found a file, think about the instructions and take them literally. There are many clues that hint to the next step at each point, read the files and think about them.

    Really liked it in the end. Root was fun.

  • Rooted.

    Thanks @polarbearer and @GibParadox for nice box.
    I think the initial foothold was a bit too long for me, as I did not scan properly with all required file extensions.
    But once you find the initial foothold file with the information, it gets easier.

    User is easy once you get the hint from box name. Root pretty easy.

    Hack The Box

  • Great box! I have learned new things in the root part. Thanks @disastrpc for the hints, and Congrats @GibParadox and @polarbearer
