Official Blunder Discussion


Comments

  • @benandrews8 said:

    Ok posting here as directed by Taz. I have user.txt which is now different to the one 10 mins ago but when I try to own user it keeps rejecting it. Both have been rejected and then my MP sessions keep getting killed. Obv don't want to give too much away which is why I'm trying to be careful what I write.

    At the risk of bouncing you around, if you've tried the hash after it has changed and it still isn't being accepted, double check that you've rated the box (it won't accept a hash until you do that), but if you are getting an invalid hash message it's worth raising a Jira ticket with HTB - the dynamic hashes are fairly new so there may be an implementation issue they need to fix.

    Tickets can be logged via https://hackthebox.atlassian.net/servicedesk/customer/portal/1

    The shell dying might be a sign that something on the box hasn't started up properly or if you are on a free server it could be a side effect of lots of people throwing random attacks without understanding what they are doing.

    The box should be fairly stable - I certainly didn't experience any issues on Monday when it was still very new (although on a VIP server).

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • @TazWake said:

    @benandrews8 said:

    Ok posting here as directed by Taz. I have user.txt which is now different to the one 10 mins ago but when I try to own user it keeps rejecting it. Both have been rejected and then my MP sessions keep getting killed. Obv don't want to give too much away which is why I'm trying to be careful what I write.

    At the risk of bouncing you around, if you've tried the hash after it has changed and it still isn't being accepted, double check that you've rated the box (it won't accept a hash until you do that), but if you are getting an invalid hash message it's worth raising a Jira ticket with HTB - the dynamic hashes are fairly new so there may be an implementation issue they need to fix.

    Tickets can be logged via https://hackthebox.atlassian.net/servicedesk/customer/portal/1

    The shell dying might be a sign that something on the box hasn't started up properly or if you are on a free server it could be a side effect of lots of people throwing random attacks without understanding what they are doing.

    The box should be fairly stable - I certainly didn't experience any issues on Monday when it was still very new (although on a VIP server).

    Thanks! I'm on VIP but even after double checking that I am rating the box I am still being told it's an invalid hash. I'm pretty certain I know how to get root as well but can't maintain a session for long enough to get there! I'll open a ticket like you said. Thanks for your help.

  • @benandrews8 said:

    Thanks! I'm on VIP but even after double checking that I am rating the box I am still being told it's an invalid hash. I'm pretty certain I know how to get root as well but can't maintain a session for long enough to get there! I'll open a ticket like you said. Thanks for your help.

    OK - frustrating though it is, you might be better holding off for a while to see if the box on your server has some issues.

    On VIP it shouldn't be busy enough for people to be bouncing it while you are working and I've found it to be quite stable. There is a good chance a reset or something previously didn't work or something has hung in the process (which might also be why the hash isn't registering with the system).

    Sadly there isn't really a solution other than wait to see if it gets fixed.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Enum enum enum like has been said in here, still no luck getting foothold. Using GB***** and DB*****. Any nudge would be appreciated. I see some of you saying no need to brute force but tried anyway using H**** and then WZ with a custom wordlist without any luck. Getting false positives in H**** I think due to the error message I'm using or possibly the CSRF token in my request body. Not really experienced with it tbh. Have been working on this for over a day asking for help with foothold now.

  • Well, I admit that this box made me rethink a lot.
    Was it hard? I can't say that because it required no hardcore skills.
    Was it tough? You bet it was!
    And the reason why I felt it so tough is that it literally drove me away from my usual attitude.
    A LOT of enumeration, a bunch of guessing, too many rabbit holes...
    Definitely those are not the boxes I like the most, but for sure they are the ones from which I'm learning the most.
    Thanks @Aniruddh9 for pulling me back on track and reminding me that there's a bunch of online resources that should be tried before saying that "it's unbreakable!"...

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!


  • @maronull said:

    @norcaltweekers said:

    Enum enum enum like has been said in here, still no luck getting foothold. Using GB***** and DB*****. Any nudge would be appreciated. I see some of you saying no need to brute force but tried anyway using H**** and then WZ with a custom wordlist without any luck. Getting false positives in H**** I think due to the error message I'm using or possibly the CSRF token in my request body. Not really experienced with it tbh. Have been working on this for over a day asking for help with foothold now.

    have you tried cewl?

    Yes, to make my list, I didn't try to enum using that list, only used it with H**** and Wf***. I'm not sure I have the username correct. Tried a username list with names from the site but with false positives from H**** I think I may have built my command incorrectly?

    I'm sure the username and password are in the site somewhere from your response and others but still no luck.

  • @norcaltweekers said:

    Yes, to make my list, I didn't try to enum using that list, only used it with H**** and Wf***. I'm not sure I have the username correct.

    You don't have the correct username.

    Enumerate more to find a file with the user's name in it.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • My god that was a difficult foothold for me, albeit I am a Noob. Once I found the username (enumeration with file extensions is key), I was stuck on fuzzing until I figured out the references here of "you need to be cool". Never would have got it w/o that. Challenging foothold, but fun. I'm hoping the rest is easier :)

    PM me if anyone needs help.

  • Rooted!

    Foothold: Fuzz and pay attention to extensions. I remember also having to specify this particular extension for a box in recent months. Poke around and think about what is preventing you from using the usual tools. I wrote my own script which I modified from another (probably retired) HTB web challenge I did. Like others have said, use a custom wordlist, then be patient. If anyone has tips on shortening the wait time, I would be happy to hear from you!

    User: Certain image files could be helpful but not entirely necessary. Look for new versions.

    Root: Check abilities. If you are one who tracks vulnerabilities frequently, you might see this right away. It took a while for me.

  • Rooted. Decent box, got lost in a rabbit hole after initial foothold for a bit. For the initial foothold you don't even need a script, I just used Burp with a macro.

    Learnt a nice easy priv esc from this one.

    Thanks @egotisticalSW

    [email protected]:/root#

  • edited June 4

    rooted! :smiley:

    The initial foothold is always a hassle for me, especially on the free plan.
    Switching to US servers improved the experience a little.

    Initial Foothold: scanning for the right extensions and a custom wordlist did the trick, but I've been required to modify a py script, the same way I did on a previous HTB machine.

    User: it's all about enumeration. Once you're in, just look for credentials and you'll soon be someone else ;-)

    Root: it has been super easy and a little unexpected. Even if I'm not following CVE updates so often, a quick search on google has taken less than 5 minutes

    Thanks @egotisticalSW! :blush:

    P.S.: so, I suppose those pictures were intended to be there...

  • edited June 4

    Just got the foothold, thanks to @xOkami, @JK3d0, @zer0bubble, @DragonEye.
    The nudge was super helpful.

  • now move on to the user

  • Very funny machine, foothold maybe a little complex but simple, user and root is a joke.
    Don't fall into the hash rabbit hole...
    Feel free to DM me for nudges.
    Thanks to the creators.

    there is no place like 127.0.0.1


  • edited June 4

    Found the username through a file, used c**l+b***p to try to enumerate the password, but did not find the password. Need help, please PM me, thanks!

    root it!


  • Besides the initial frustration of finding the password, it was a nice machine to learn how to create a simple brute-force script. First I screwed up that password by transforming it to low**c***e. If you are the kind of person who likes the 'hard way', take care of the POST parameters and just forget to send the Headers in your POST. After that my brute-force script worked like a charm.

    If you want to manually exploit the C*S and have found the article which describes the vulnerability, one reminder: take care of every parameter and do exactly what the POC does. I've lost a lot of time trying to place something in a wrong directory...

    For user if you haven't found anything, just reread the posts in this forum.

    Root is < 1 minute if you have some kind of routine. If not, check what you could do in "godmode".

  • Finally I was able to root it. I really enjoyed the box; it took me some time to modify the python code to make it work. But just wondering if there is another way to get f****s password without using a bruteforce?

  • I guess you might think about using it just out of habit if you pay attention when looking around the webpage, but that's not where my mind went at all so I ended up wasting almost an entire day :D

  • Finally rooted... foothold was slow, took some digging and reading to see the obvious. Getting user was a pain, not helped by me flying down a bunny tube for a few hours, only to realize I was making a silly mistake.

    After that root was sorted by a bit of googlating and 5 mins later done.

  • @bobthebadger said:
    Finally rooted... foothold was slow, took some digging and reading to see the obvious. Getting user was a pain, not helped by me flying down a bunny tube for a few hours, only to realize I was making a silly mistake.

    Bunny tube! Haha.
    Thank you for that.

  • Finally Rooted. Very funny machine...

    HINTS
    * Create a personalized wordlist with the information you get
    * Automated tools can help you, but be careful
    * A recent CVE can help you

    PM me if you need any nudge, I like to help :smile:

  • @LordOfAgap said:

    Finally I was able to root it. I really enjoyed the box; it took me some time to modify the python code to make it work. But just wondering if there is another way to get f****s password without using a bruteforce?

    Hey. I didn't write any script to brute force the pass. But I found it by just trying all the names in that custom wordlist manually (I think I got the pass on the 5-10th attempt). Lol, I had luck.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • edited June 4

    I'm trying to exploit the foothold vuln. manually. May be some kind of WAF? Any hint?

    EDIT: Rooted! If someone used the brute-force approach please write me in PM :)

  • @0xBro said:

    I'm trying to exploit the foothold vuln. manually. May be some kind of WAF? Any hint?

    Google is your friend here. Search for the name of the thing you are trying to attack and ways to bypass its restrictions.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited June 4

    @retrymp3 said:

    "This exploit may require manual cleanup of '.*****' on the target" - I am pretty sure that this wasn't intended. I can't advance further with this; maybe resetting the box will help. 'Cause we don't have permissions to write on any files from foothold.

    Edit: leave t***** *** as default for this to work 😊

  • Rooted. Great box. Props to @egotisticalSW.
    Foothold, some zz and some cool ness.
    No hints needed for user and root.

  • Rooted.
    As some wrote, many rabbit holes for the user.
    Root very easy.
    PS: Thanks Torre Oscura!
