Official Blunder Discussion

@TazWake said:

@Nism0 said:

(Quote)
It also needs you to use a specific version of the application, it’s not as simple as the configuration file.

As I wrote it is in the right version.

@Nism0 said:

As I wrote it is in the right version.

Ok, I’ve got nothing. Something has obviously been patched on your system but what that is, can’t be easily guessed without access to your system.

Ok posting here as directed by Taz. I have user.txt which is now different to the one 10 mins ago but when I try to own user it keeps rejecting it. Both have been rejected and then my MP sessions keep getting killed. Obv don’t want to give too much away which is why I’m trying to be careful what I write.

@benandrews8 said:

Ok posting here as directed by Taz. I have user.txt which is now different to the one 10 mins ago but when I try to own user it keeps rejecting it. Both have been rejected and then my MP sessions keep getting killed. Obv don’t want to give too much away which is why I’m trying to be careful what I write.

At the risk of bouncing you around, if you’ve tried the hash after it has changed and it still isn’t being accepted double check that you’ve rated the box (it won’t accept a hash until you do that) but if you are getting an invalid hash message it’s worth raising a Jira ticket with HTB - the dynamic hashes are fairly new so there may be an implementation issue they need to fix.

Tickets can be logged via Jira Service Management

The shell dying might be a sign that something on the box hasn’t started up properly or if you are on a free server it could be a side effect of lots of people throwing random attacks without understanding what they are doing.

The box should be fairly stable - I certainly didn’t experience any issues on Monday when it was still very new (although on a VIP server).

@TazWake said:

@benandrews8 said:

Ok posting here as directed by Taz. I have user.txt which is now different to the one 10 mins ago but when I try to own user it keeps rejecting it. Both have been rejected and then my MP sessions keep getting killed. Obv don’t want to give too much away which is why I’m trying to be careful what I write.

At the risk of bouncing you around, if you’ve tried the hash after it has changed and it still isn’t being accepted double check that you’ve rated the box (it won’t accept a hash until you do that) but if you are getting an invalid hash message it’s worth raising a Jira ticket with HTB - the dynamic hashes are fairly new so there may be an implementation issue they need to fix.

Tickets can be logged via Jira Service Management

The shell dying might be a sign that something on the box hasn’t started up properly or if you are on a free server it could be a side effect of lots of people throwing random attacks without understanding what they are doing.

The box should be fairly stable - I certainly didn’t experience any issues on Monday when it was still very new (although on a VIP server).

Thanks! I’m on VIP but even after double checking that I am rating the box I am still being told it’s an invalid hash. I’m pretty certain I know how to get root as well but can’t maintain a session for long enough to get there! I’ll open a ticket like you said. Thanks for your help.

@benandrews8 said:

Thanks! I’m on VIP but even after double checking that I am rating the box I am still being told it’s an invalid hash. I’m pretty certain I know how to get root as well but can’t maintain a session for long enough to get there! I’ll open a ticket like you said. Thanks for your help.

OK - frustrating though it is, you might be better holding off for a while to see if the box on your server has some issues.

On VIP it shouldn’t be busy enough for people to be bouncing it while you are working and I’ve found it to be quite stable. There is a good chance a reset or something previously didn’t work or something has hung in the process (which might also be why the hash isn’t registering with the system).

Sadly there isn’t really a solution other than wait to see if it gets fixed.

Enum enum enum like has been said in here, still no luck getting foothold. Using GB***** and DB***. Any nudge would be appreciated. I see some of you saying no need to brute force but tried anyway using H*** and then WZ with a custom wordlist without any luck. Getting false positives in H* I think due to the error message I’m using or possibly the CSRF token in my request body. Not really experienced with it tbh. Have been working on this for over a day asking for help with foothold now.

Well, I admit that this box made me rethink a lot.
Was it hard? I can’t say that because it required no hardcore skills.
Was it tough? You bet it was!
And the reason why I felt it so tough is that it literally drove me away from my usual attitude.
A LOT of enumeration, a bunch of guessing, too many rabbit holes…
Definitely those are not the boxes I like the most, but for sure are the ones from which I’m learning the most.
Thanks @Aniruddh9 for pulling me back on track and reminding me that there’s a bunch of online resources that should be tried before saying that “it’s unbreakable!”…

Spoiler Removed

@maronull said:

@norcaltweekers said:

Enum enum enum like has been said in here, still no luck getting foothold. Using GB***** and DB***. Any nudge would be appreciated. I see some of you saying no need to brute force but tried anyway using H*** and then WZ with a custom wordlist without any luck. Getting false positives in H* I think due to the error message I’m using or possibly the CSRF token in my request body. Not really experienced with it tbh. Have been working on this for over a day asking for help with foothold now.

Have you tried cewl?

Yes, to make my list, I didn’t try to enum using that list, only used it with H**** and Wf***. I’m not sure I have the username correct. Tried a username list with names from the site but with false positives from H**** I think I may have built my command incorrectly?

I’m sure the username and password are in the site somewhere from your response and others but still no luck.

@norcaltweekers said:

Yes, to make my list, I didn’t try to enum using that list, only used it with H**** and Wf***. I’m not sure I have the username correct.

You don’t have the correct username.

Enumerate more to find a file with the user’s name in it.

My god that was a difficult foothold for me, albeit I am a Noob. Once I found the username (enumeration with file extensions is key), I was stuck on fuzzing until I figured out the references here of “you need to be cool”. Never would have got it w/o that. Challenging foothold, but fun. I’m hoping the rest is easier :slight_smile:

PM me if anyone needs help.

Rooted!

Foothold: Fuzz and pay attention to extensions. I remember also having to specify this particular extension for a box in recent months. Poke around and think about what is preventing you from using the usual tools. I wrote my own script which I modified from another (probably retired) HTB web challenge I did. Like others have said, use a custom wordlist, then be patient. If anyone has tips on shortening the wait time, I would be happy to hear from you!

User: Certain image files could be helpful but not entirely necessary. Look for new versions.

Root: Check abilities. If you are one who tracks vulnerabilities frequently, you might see this right away. It took a while for me.

Rooted. Decent box, got lost in a rabbit hole after initial foothold for a bit. For the initial foothold you don’t even need a script, I just used Burp with a macro.

Learnt a nice easy priv esc from this one.

Thanks @egotisticalSW

root@blunder:/root#

rooted! :smiley:

The initial foothold is always a hassle for me, especially on the free plan.
Switching to US servers improved the experience a little.

Initial Foothold: scanning for the right extensions and a custom wordlist did the trick, but I’ve been required to modify a py script, the same way I did on a previous HTB machine.

User: it’s all about enumeration. Once you’re in, just look for credentials and you’ll soon be someone else :wink:

Root: it has been super easy and a little unexpected. Even if I’m not following CVE updates so often, a quick search on Google has taken less than 5 minutes.

Thanks @egotisticalSW! :blush:

P.S.: so, I suppose those pictures were intended to be there…

Just got the foothold, thanks to @xOkami, @JK3d0, @zer0bubble, @DragonEye.
The nudge was super helpful.

now move on to the user

Very funny machine, foothold maybe a little complex but simple, user and root is a joke.
Don’t fall into hash rabbit hole…
feel free to dm me for nudges
thanks to the creators

Spoiler Removed

Found the user name through a file, used cl+b*p to try to enumerate the password, but did not find the password. Need help, please PM me, thanks!

root it!