Travel

Wow that box wasn’t easy at all, I learned a lot, it took so much time to finish this but I don’t regret it. I had most of the concept but here you need to go deep enough and make no mistake.
Initial foothold: enumerate until you find the page where to travel, try to send your “request” by “another route”
User: When you are able to travel, you are still at the beginning of the road, look for hints and go back, there is not only one way
Root: The user that has access to all the roads can make anyone travel to the root

Can someone PM me for a sanity check on the initial foothold? Thank you

Really hard box but the best one I did so far. Thank you very much for the box creators.
The initial part is the hardest one.
user: There is a very popular tool which will help you with the initial foothold and get back the connection - the travel route and the tool name are very similar.
root: don’t forget to check all files and then you will see your travel path

I found some interesting stuff for the path to root but I’m not sure how it can be leveraged? A possible rabbit hole? Has it even been leveraged in the wild?

finally owned. What a box. Learned a ton of stuff. Couldn’t have done it without some tips.

foothold: find all files you can and figure out an unusual way to communicate. After that you can force the service to open a door for you. Note: pay attention to the bytes!

user: enumeration

root: manipulate the guardian to let you in and give you what you need

paying it back – ping me for tips if needed

Massively challenging box - as everyone else here has said.

Well done to @xct and @jkr for making something which really does push creativity.

I probably spent two weeks trying to get user and the main thing I can suggest is look very carefully at everything you can get your hands on. The bedrock of the attack is a common problem in the language used, then after that it’s about working out a way to exploit something else running.

When it came to root, I think I was given a bit of an easy ride because someone else had left traces of what they did which gave me a massive pointer in the right direction, but general enum will also get you to see the way to get root. Then it is a matter of research.

Fucking amazing box!!!

I really enjoyed this box and it took me a lot of time

Initial shell was pretty amazing and really hard so my hints

  1. enumerate with classical tools. Read the website and get one more site. In that site enumerate again and dump everything that you can. When you get all, try to clone and replicate in your localhost. I didn’t need m******d service.

user: classic enumeration. Try to do it manually cuz some tools will give you too much info. However, both ways should give all you need

root: This part was hard for me: I didn’t have experience in that service in that OS. I had to read everything. When you get user, just try to do the same thing and verify what you got, read and do some research if you need, as I did

Again, amazing box thx for this

I’m stuck on a problem, anyone can help me plz PM :neutral: )

Finally got root,
this box is very very good and realistic.
Thanks to the authors :slight_smile:

What a journey! But it was definitely worth it! Great job @xct and @jkr!
And thanks to @TheWorld and @Neo2SHYAlien for your nudges.
Some additional hints to what is already found here:
foothold: A single byte can make a huge difference. Don’t be a private member like I did first but a public one.
User: usual enum
Root: After user you’ll pretty instantly find something juicy which is the way forward. Check with google how this thing may relate to linux authentication and how you can leverage that for your success.
As always: PM for hints, this box is a beast :wink:

Is there anyone else here, who spent days just trying to find something? I’ve used multiple directory scanning tools, that come up with nothing.

Finally Rooted !
Thanks to everyone that gave me hints
That was the hardest box that I’ve done so far.

PM me for nudge.

Rooted.

I think that was the best box I’ve ever played on HTB. Both user and root seriously challenged my creativity. I learned SO much, thank you guys for making this. Incredible.

This one was insane!
I would have never done this without help!

User : Once you find that SF think what can you request, do not point to yourself.
Once you got it, Google "SF m******e php"
Root : user permission, query and groups

If anyone could offer some sanity checking for my foothold method it would be appreciated.

I have a pretty good idea of what I want to do with m******** and I can see my results in d*******p but I’m not getting anything to happen with my payload, it just gets re-overwritten.

Edit: Thanks straylight

I have got these 2 files r**_********.php ********.php, need help in command injection

Spoiler Removed

can anyone help with m********d part ??

Rooted. Whew. That was a hard box. The initial foothold was the trickiest, and I admit I needed some great nudges from @TazWake @gunroot and @Roinard. Thanks to all of you, much respect will be coming. Once I had that it was a matter of chugging through the steps.

I don’t have anything to add to what has already been posted here.

That was a total beast and thanks to the folks that stayed with me through that one. For some reason this gave me the most problems of all the boxes I’ve done and I’d like to understand why. I’m interested in the mindset and approach taken for that initial foothold. Please DM if you have a write up and would be willing to share so I don’t have to wait for the machine to retire - it’s really bugging me. I’ve rooted and can provide evidence so you know I’m not looking for spoilers and cheating.