Official Blunder Discussion

Hello, can someone PM me to explain what to do for the initial foothold?

Finally rooted, getting foothold was the fun part, after that it’s easy.

Having a lot of trouble getting the shell manually. I’m aware of the POCs and I think it’s pretty clear what they are doing. My problem is this: I send a request to upload an image with an acceptable file extension. I capture that request in Burp and change the file and its contents in an effort to upload a new .htac**** file. Despite the fact that I capture the request in Burp, when I forward the modified request on, the app still responds that I can only upload files with specific extensions, which tells me this validation is happening on the server. If that’s the case, how are people getting this new file uploaded?

Rooted!

That was actually really interesting, a great box to learn some basics and tune my eyes and thought process in. This was the first box I’ve looked at in detail since going through Starting Point, and it took me probably 7 hours split over a few sessions, largely due to unfamiliarity with the tools. Yes, others have done it quicker, but as someone who has just completed their first box, I was more than happy.

For those that are stuck, feel free to PM and I’ll try and lightly point you in the right direction if you tell me what you’ve tried and what you’ve found etc. I’ll admit, there were a few times I felt like shouting out for help, but glad I stuck with it, and I’ll reiterate what others have said previously:

If you read this forum post carefully all the information you need for every step is listed.

Footholding was a tad tricky; I spotted what I needed to do instantly, but doing it took a bit of time cobbling together.

Beware of rabbit holes, I fell into more than one or two.

With the right tool / script / CVE / knowledge, each stage could be completed within 10-15 minutes, so if what you’re doing is taking longer, you’re probably doing something wrong.

Hey guys. I’m very stuck with login. I think I have the correct user “f…” but I don’t know how I can get the password. I’ve read I have to make my own wordlist but haven’t had any luck. Am I on the correct path with the user? Can someone give me a hint to get the password?

Have issue with msf…
Here is my log:
[*] Started reverse TCP handler on 10.10.14.187:4444
[+] Logged in as: ******
[*] Retrieving UUID…
[*] Uploading XnmMCeRUYz.png…
[*] Uploading .htaccess…
[*] Executing XnmMCeRUYz.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.

@herrlestrate said:

Have issue with msf…

This gets asked every few days. I don’t have an answer because I never experienced this issue. Generally, it means things like the payload needs to be changed.

I keep running into this issue in the Metasploit module. If someone could help me out, I would greatly appreciate it.

I have censored the spoilers

I keep running into this issue

Started reverse TCP handler on 192.168.43.183:4444
[+] Logged in as: ******
Retrieving UUID…
Uploading vqBjNbYrIS.png…
Uploading .htaccess…
Executing vqBjNbYrIS.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.

Someone please help me. I am new to htb

@Archangel78 said:

I keep running into this issue in the Metasploit module. If someone could help me out, I would greatly appreciate it.

I have censored the spoilers

I keep running into this issue

Started reverse TCP handler on 192.168.43.183:4444
[+] Logged in as: ******
Retrieving UUID…
Uploading vqBjNbYrIS.png…
Uploading .htaccess…
Executing vqBjNbYrIS.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.

Someone please help me. I am new to htb

Check your LHOST IP

I have seen that many people here are using the MSF module to exploit the vulnerability. You can choose that if you wish.
But many are not configuring LHOST properly. Check options before exploit.

Spoiler Removed

@Archangel78 said:

I keep running into this issue in the Metasploit module. If someone could help me out, I would greatly appreciate it.

I have censored the spoilers

I keep running into this issue

Started reverse TCP handler on 192.168.43.183:4444
[+] Logged in as: ******
Retrieving UUID…
Uploading vqBjNbYrIS.png…
Uploading .htaccess…
Executing vqBjNbYrIS.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.

Someone please help me. I am new to htb

Hey bud. Welcome to HTB.

You should consider your VPN IP address instead of LAN IP address for anything inside HTB.
Your tun0 (VPN) IP address will be something like 10.10.14.xx.
Use that in your msf options instead of 192.168.xx.xx. You can do that.
Good luck :wink:

@hackgineer said:


My question is how do I give respect to someone if they helped me out? I can’t seem to figure out where or how I do that to a user account.

Did you try finding the user account on the hackthebox site (not the forum)?
If you click on “Member Finder” in the top right corner, just fill in the name and search for user… then, in his profile the first button under his name is: “Give Respect”
Hope it helps :slight_smile: respect

Rooted, foothold and user are nice, root super ez.
PM for nudges

Okay, actually rooted. Good service for noobs (like me).

If you have trouble with MSF, check your iptables. Maybe your iptables blocks any INPUT connections (I had the same problem).

Rooted… I really overcomplicated this one. User took way too long; just simple enumeration gives you all you need.

Root/escalation took around 5 minutes. And again, just simple enumeration and googling what’s right in front of you.

Finally rooted! This was my first ever box on HTB and it took me 3 days x_x

Hints:-

  1. Foothold - Fuzz with the most common file extensions you can think of to get the username. After that, just be “cool” :wink:
  2. User - Easiest part of the challenge. Investigate the application’s files thoroughly.
  3. Root - Took me the most time. Felt so stupid after I found it. The nudges “check your privs” and “root required a single line command” helped a lot.

@horatiu said:

Did you try finding the user account on the hackthebox site (not the forum)?
If you click on “Member Finder” in the top right corner, just fill in the name and search for user… then, in his profile the first button under his name is: “Give Respect”
Hope it helps :slight_smile: respect

Thank you!! "Respect given"s are complete :wink:

Hey everyone
I have written a python class based on the poc if anybody is interested. I am not sure if it is ok to share here since it could be a spoiler. I would like to give some hints to my fellow beginners:

  1. I banged my head against a wall with the dubdubdub until I looked for bases with data in them.
  2. I can’t believe that such a simple out of bounds error in such a vital part was only discovered one year ago.

@MarinaD said:

Hey everyone
I have written a python class based on the poc if anybody is interested. I am not sure if it is ok to share here since it could be a spoiler.

I’d be tempted to wait until after the box retires.

I would like to give some hints to my fellow beginners:

  1. I banged my head against a wall with the dubdubdub until I looked for bases with data in them.
  2. I can’t believe that such a simple out of bounds error in such a vital part was only discovered one year ago.