Admirer


Comments

  • Rooted this box a few days ago, but didn't get around to posting about it yet. Really liked this one, thanks @polarbearer and @GibParadox. There are quite a few rabbit holes on this box, but to me they always felt natural, not like on other boxes. It felt a bit like this box is a machine that's actually being used by someone and that wasn't completely deliberately set up to be hacked :)

    There are many very good hints in this thread here. I don't really know what to add, but here's a try:

    Foothold: Enumeration really is key. If you always use the same wordlist and don't find anything, use other wordlists as well. Also take note of everything you find, because even if you can't directly use it, you might be able to use it later.

    User: To own the user, you'll have to perform quite an interesting exploit. Once you've found the right page, some googling will easily give you the correct info. The exploit needs some setup, but isn't all that complicated in the end.

    Root: Another nice exploit that you need to use here. There's something there that you can control, although it might not seem like it at first. You might be looking for user input to exploit, and the way to exploit is quite similar to that, but it's aimed at something you might not consider to be "user input". However, take a close look at the user privileges you have.

  • I'm having a lot of fun with this box, and learning a lot but I'm stuck on mysql. I've spent more time trying to get that to work on my machine than the actual enumeration and exploit discovery. If anyone can point me in the right direction that would be great because so far none of the "simple fixes" on google are working out.

  • This has been the worst and the best machine for me. WHY? Because it's my first box. LOL. It's been a frustrating journey, but I feel so happy now. It's been 6 days working on this box (foothold and user - 4 days, root - 2 days). I learned a lot. In the forum you get many clues, but if you are a newbie like me, you don't understand them; later, after clearing each stage, you understand. I need to thank @L0J0 and @TazWake for your help. Thanks guys.

    Foothold: run different wordlists when you bust those directories. Then you get some creds, and then enumerate more.

    User: Google the box name and you find something similar, and then read multiple exploits. This step is the most difficult step in this box.

    Root: look for user privileges and what can be done with the result.

    Finally I can also say ROOTED!!! :) PM me if you need any help.

    "DONT GIVE UP"

  • Stuck with user. I've googled and read up on the exploit and found a rogue git, but I'm stuck on how to use it. MySQL isn't one of my strong points. Any hints please PM, thanks.

  • Rooted. It was truly a love/hate relation. I've spent lots of time in rabbit holes, but in the end it was really worth it. The root part is quite straightforward, but fun. The user part needs a lot of patience, but remember to look for bad practices while enumerating.

  • edited June 1

    Spoiler Removed

    Hack The Box

  • @thescriptkiddy said:

    Spoiler Removed

    I suspect that is a rabbit hole.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @thescriptkiddy said:

    Spoiler Removed

    I suspect that is a rabbit hole.

    then what should be the next step

    Hack The Box

  • @thescriptkiddy said:

    @TazWake said:

    @thescriptkiddy said:

    Spoiler Removed

    I suspect that is a rabbit hole.

    then what should be the next step

    Look around more.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Solved this challenge today

    Lots of hints already on this discussion. I will reiterate some.

    • Start by looking for things that web application owners normally want to hide from you.
    • To get foothold, use FUZZing. There is no alternative. You may need to use wordlists that contain words commonly used in PHP applications. Search GitHub for those.
    • Getting user is a little harder, but search engines are your friend. This technique was a new learning for me.
    • Root access is medium level. Don't overthink. Stick to basics.

    Will be happy to give nudge for those you want.

    Thanks @polarbearer and @GibParadox


    root@admirer:# hostname
    hostname
    admirer
    root@admirer:# ifconfig
    ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 10.10.10.187 netmask 255.255.255.0 broadcast 10.10.10.255
    inet6 fe80::250:56ff:feb9:4771 prefixlen 64 scopeid 0x20
    inet6 dead:beef::250:56ff:feb9:4771 prefixlen 64 scopeid 0x0
    ether 00:50:56:b9:47:71 txqueuelen 1000 (Ethernet)
    RX packets 13034433 bytes 2068617655 (1.9 GiB)
    RX errors 9241 dropped 7918 overruns 0 frame 0
    TX packets 11280599 bytes 3455117373 (3.2 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 19 base 0x2000

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10
    loop txqueuelen 1 (Local Loopback)
    RX packets 31892 bytes 3147119 (3.0 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 31892 bytes 3147119 (3.0 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    root@admirer:# id
    id
    uid=0(root) gid=0(root) groups=0(root)


  • Hi all,

    First active machine for me....

    I feel I've made progress and have found what appears to be useful credential (although I don't know what I can do with them yet) and I've also identified an exploit which I am currently trying to set-up (this is where the issue is).

    I need to use the second login page on the box to connect to something (my hope is that it's obvious what) on my local machine. My issue is I can't set up the something correctly: how do I change the usernames and the passwords for this (I'm using a version called Maria)? Do I need to configure the port and things like that? Can I just start Maria, make what I need, and expect the exploit to work?

    I don't know if this is overly/pointlessly cryptic and I apologise if it is, I'm just trying to avoid spoiling for others...

    Any help/responses/DMs are much appreciated :)

  • edited June 3

    Access denied for user 'demo'@'10.10.10.187' (using password: YES)

    Getting this error when I try to log in on the ad*****.php page.

    • demo is the user I created in my local MySQL

    Hack The Box

  • @thescriptkiddy said:

    Access denied for user 'demo'@'10.10.10.187' (using password: YES)

    Getting this error when I try to log in on the ad*****.php page.

    • demo is the user I created in my local MySQL

    Grant enough priv.

  • @Karthik0x00 said:

    @thescriptkiddy said:

    Access denied for user 'demo'@'10.10.10.187' (using password: YES)

    Getting this error when I try to log in on the ad*****.php page.

    • demo is the user I created in my local MySQL

    Grant enough priv.

    Yeah, I got it.
    There was some mistake in the privilege query only...

    Hack The Box
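  • The access-denied error above, and the earlier question about how to set up the local MariaDB account, come down to the same two things: the account the box's login page connects with must exist for the host the box connects from (a 'demo'@'localhost' account alone gives exactly that error), and it must hold privileges on the database you type into the form. The following is an added example, not code from the thread or from the box. The account name, password and database name are assumptions; 10.10.10.187 is the box's address as it appears in the error.

```sql
-- Added example: preparing the attacker-side MariaDB account that the box's
-- login page will connect back to. Run as root on your own MariaDB.
-- Assumptions: database 'demo', user 'demo', password 'demo_pass'.

-- 1. A database for the connection to open. The tool fails if the schema
--    named in the login form does not exist.
CREATE DATABASE IF NOT EXISTS demo;

-- 2. The account must be defined for the host the box connects FROM.
--    MariaDB matches user AND host; 'demo'@'localhost' is a different
--    account and produces "Access denied for user 'demo'@'10.10.10.187'".
CREATE USER IF NOT EXISTS 'demo'@'10.10.10.187' IDENTIFIED BY 'demo_pass';

-- 3. Privileges on the database named in the form. Without them the
--    connection authenticates but the tool cannot use the schema.
GRANT ALL PRIVILEGES ON demo.* TO 'demo'@'10.10.10.187';
FLUSH PRIVILEGES;

-- 4. Verify before retrying the form: the host column must be the box's
--    address (or a matching wildcard), and the grant must be visible.
SELECT user, host FROM mysql.user WHERE user = 'demo';
SHOW GRANTS FOR 'demo'@'10.10.10.187';
```

    Two caveats that the grants alone do not cover: Debian's MariaDB package binds to 127.0.0.1 by default, so the server must be told to listen on the VPN interface (bind-address in /etc/mysql/mariadb.conf.d/50-server.cnf, then restart and confirm with `ss -ltnp | grep 3306`), and the port you enter in the form must be the one the server actually listens on (3306 unless you changed it). If the account or privileges are wrong you get an authentication error; if the bind address or port is wrong you get a connection refused or timeout instead, which tells you which side to fix.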

  • This is not an easy box; I struggled a lot, but I learned a lot of things, both for root and user.

  • Finally Rooted. Jeez, this one gave me some trouble. Anticipating that I would breeze right through it because it was an "easy" box was a mistake. I think this should have been a medium, but that's just me.

    Here's some nudges for everyone bashing their heads into their keyboards:
    Foothold: Like everyone has been saying, use gobuster, ffuf, or dirsearch with new lists (the ones from SecLists on GitHub worked perfectly for me); this should lead you to some good stuff.
    Foothold part 2: The foothold is the longest part on this one. Once you've found where you are supposed to be, connect back to yourself ;)
    Root: This was a priv esc I hadn't seen before. Straightforward: I knew what I had to do, but just had trouble finding examples online.

    GotRoot
    If I helped you out at all, feel free to click my badge and give +1 respect!

  • Rooted! This box was delicately crafted to annoy the fuck out of you. I'm very grateful though because I learned a lot!

    'FOOTHOLD': The site is pretty but useless! I had to hear that soundtrack 5 times before I figured out I was being trolled. Other than that, eternal fuzzing... really! The only way you won't die before you finish that big ass list of text is if you Fuzz Faster U Fool !! After you find that censoring robot guy, just remember you are looking for CONTENT (aka files, not directories).
    'USER': was interesting, but mainly because I had to reinstall MySQL (MariaDB) on my Debian box. Once you have the basic info about the remote service, you will even find a demo on the web of how to get juicy stuff. Now that you feel the power, think of the files you found before and which one might have the creds you need. Go get it... then see what you can do with it.
    'ROOT': Check what you can do with your current user. Then once you find the stuff try to figure out how to Import your instructions there. this was very new to me! loved it.

  • Rooted a few days ago; funny and not so easy box. The name of the machine is a big hint. For the foothold, enumeration with different wordlists is the key. Then you'll find some files with useful information in order to understand how the site is built. Read carefully also the comments left in those files, connect the dots, and Google will be your best friend. There's a huge vulnerability that can be used to retrieve other information. Then it's pretty easy to get user. Escalation to root will require another bit of effort, but looking at what you can do with your user will help a lot. Try to work on it!
    Hope this is not a spoiler, if you need some nudges PM me and let me know what you've already tried!

    Hack The Box

  • Rooted. Recap on my python fundamentals! Big thank you to the box creators!
  • Rooted :mrgreen:

    This box is a good reminder to think about what you're actually trying to enumerate and select your resources accordingly instead of using the same old lists.

    The exploit was an interesting one, and the priv esc to root was fairly obvious but something I hadn't had to use prior to this machine.

    All in all a great box, thanks @polarbearer and @GibParadox!
  • This one is beating me; I'm stuck and a bit frustrated. I think I missed something along the way, but I can't even figure out what it is. If someone can throw some light on my darkness, just to see the path and continue...

    Everything began fine; the initial enum was slow but nice. Everything flowed, and with any piece of info I found, after analyzing and checking it, I had a mental image of the next step or what to do to keep moving forward... But suddenly, when some good stuff and an interesting vector popped out... just when I had the feeling that I'd got the main thing... I got blocked, stuck without any clue of what/where I need to look for the next step.

    Summarizing what I found:

    • Among many other creds I found a working user/pass that gives me the DB schema and data, and a compressed backup of web files. The service config seems to allow me to enumerate valid users even without a password, but I couldn't find any other account.
    • I was able to relate some of these files with the ones served on 80, but I also noticed they are not exactly the same: some files disappeared, others are just different; I even found a file that looks like the main web content but is definitely not the same, because the downloaded one has a typo that will throw a syntax error.
    • I played with the files I found: the purple info page, the test script, the script that triggers common tasks by executing a shell script file. Nothing useful found.
    • Some of the disappeared files gave me the idea of what I need to search for; the content talks about a to-do and searching for an open-source alternative. When I noticed that, I quickly found the alternative open-source tool.
    • The hypothetical creds needed to use the tool didn't work as expected (the previous typo error), and after some research I found the vuln, which worked fine, but I can't get any useful info that makes me advance or even a clue for the next step...

    I understand the vuln; I can make it work with a fake server and with a legit one installed for this purpose. I even analyzed the protocol packets with Wireshark, trying to find some leak that didn't show in the "normal" output.
    I can access any file within basedir, but with the known files and paths I only get the correct credentials to use with the tool, which only allows me to read a bunch of items.
    If I try to read any file outside the basedir, it's not allowed. I haven't found any way to bypass this limitation.
    I tried to think of possible content and filenames, made a wordlist permuting possible files and variations (backup, temp, old files...): HTTP server files, config files, version control files, system files, guessed some possible files... without a single hit.

    And now I'm blocked: no idea what to do, what to search for, or even any hypothetical way to advance toward the user flag... I'm sure I am missing something, but I can't guess where, when or why...

    Any clue or suggestion of what to do or what to try? I'm very frustrated, and the feeling that I'm close, or that the missing piece is some crystal-clear, stupid, small, obvious thing... it's killing me.

    thanks

    rulzgz

  • @rulzgz said:

    This one is beating me; I'm stuck and a bit frustrated. I think I missed something along the way, but I can't even figure out what it is. If someone can throw some light on my darkness, just to see the path and continue...

    Everything began fine; the initial enum was slow but nice. Everything flowed, and with any piece of info I found, after analyzing and checking it, I had a mental image of the next step or what to do to keep moving forward... But suddenly, when some good stuff and an interesting vector popped out... just when I had the feeling that I'd got the main thing... I got blocked, stuck without any clue of what/where I need to look for the next step.

    Summarizing what I found:

    • Among many other creds I found a working user/pass that gives me the DB schema and data, and a compressed backup of web files. The service config seems to allow me to enumerate valid users even without a password, but I couldn't find any other account.
    • I was able to relate some of these files with the ones served on 80, but I also noticed they are not exactly the same: some files disappeared, others are just different; I even found a file that looks like the main web content but is definitely not the same, because the downloaded one has a typo that will throw a syntax error.
    • I played with the files I found: the purple info page, the test script, the script that triggers common tasks by executing a shell script file. Nothing useful found.
    • Some of the disappeared files gave me the idea of what I need to search for; the content talks about a to-do and searching for an open-source alternative. When I noticed that, I quickly found the alternative open-source tool.
    • The hypothetical creds needed to use the tool didn't work as expected (the previous typo error), and after some research I found the vuln, which worked fine, but I can't get any useful info that makes me advance or even a clue for the next step... I understand the vuln; I can make it work with a fake server and with a legit one installed for this purpose. I even analyzed the protocol packets with Wireshark, trying to find some leak that didn't show in the "normal" output.
      I can access any file within basedir, but with the known files and paths I only get the correct credentials to use with the tool, which only allows me to read a bunch of items.
      If I try to read any file outside the basedir, it's not allowed. I haven't found any way to bypass this limitation.
      I tried to think of possible content and filenames, made a wordlist permuting possible files and variations (backup, temp, old files...): HTTP server files, config files, version control files, system files, guessed some possible files... without a single hit.

    And now I'm blocked: no idea what to do, what to search for, or even any hypothetical way to advance toward the user flag... I'm sure I am missing something, but I can't guess where, when or why...

    Any clue or suggestion of what to do or what to try? I'm very frustrated, and the feeling that I'm close, or that the missing piece is some crystal-clear, stupid, small, obvious thing... it's killing me.

    thanks

    Hey @rulzgz , in that "compressed backup of web files" there is a "main" file that you need to look into; it is evidently outdated, but now you have a way to get the latest ../bye!

  • @D4yz said:

    Hey @rulzgz , in that "compressed backup of web files" there is a "main" file that you need to look into; it is evidently outdated, but now you have a way to get the latest ../bye!

    Ohhhh shit!! I got it!!

    I'm feeling sooooo stupid and embarrassed... I found these damn creds with the first file read... My mistake: assuming the correct password was for ONLY ONE service.

    I checked it; it worked fine connecting to the DB, but I didn't see anything useful there and quickly discarded it as a dead end like many others in this box... without trying the user/pass with other services exposed on the box.

    Thanks @D4yz for your answer; when I read it and it didn't point to another path, I instantly knew I already had what I need to continue...

    rulzgz

  • Rooted!! If you need help, can ask me.

  • Just got root! If you need help, feel free to DM me.

  • edited June 13

    Rooted...
    The initial foothold was a bit rough because someone removed the u******_*****s dir, so I was in a rabbit hole for a long time even though my intuitions were right...

    Foothold: enum, enum, enum... Look for something that you shouldn't see; even if something is not accessible, it doesn't mean that we can't enumerate it... You will be able to see what you shouldn't see with dirbuster and a decently large wordlist... Use what you got...
    With a little bit of inspection and logical thinking after that, you will be able to reach the login page... Trust your intuitions... :smiley:

    User: from there onwards Google is your friend... Exploit it and get what you want... Just think about what you saw and where you saw it in the previous enums and inspections...
    If you get something spicy, don't forget that a key can open more than one door :wink:

    Root: inspect thoroughly and remember what you saw earlier... Try to locate the king and how the snake is related... Sometimes snakes can be poisonous too... :wink:
    Control the snake by providing what it wants, and then you control the king...
    NB: always remember that snakes survive only in a good environment :wink:

    Hope that I am not spoiling the box.

    Thanks @TazWake for the nudge in setting up the atmosphere :love:

  • edited June 12

    Advice to the newbies who don't know fuzzing: watch that tutorial:

  • If you have user and are at a loss as to where to go next, look at your enumeration notes. There should be something in them that is very important for this stage. All in all a great box. thanks to @Str4thus and @human for the help. I'm happy to give nudges. Just tell me what you have done so far.

  • Loved the box, all from the beginning to the end. Although I wouldn't mark it as easy, medium at least. Feel free to DM me for hints (fjank at discord)

    root@admirer:~# ifconfig | fgrep 10. | awk '{print $2}' && id
    10.10.10.187
    uid=0(root) gid=0(root) groups=0(root)
    
  • edited June 15

    Oh boy what a journey this was. Kudos to @polarbearer and @GibParadox for a fun box.

    First box I've solved without hints, except what's written on the forums. I'll also leave some hints, in case others might need them:

    Basic foothold:

    • Stick to the basics
    • Be persistent, run the same command over and over, with slight variations.
    • If you can't access it, doesn't mean you can't access it.

    User:

    • Use all your google skills here.

    Root:

    • Read everything
    • Might seem obvious, but turns out different users might see different things when looking in the same spot.

    Feel free to DM me for a nudge, just explain what you've done and I'll point you in the right direction.

    Paddon
