Is it trying to send something?
I get the mail list, but I can't do anything next.
Yesterday I completed this machine. My feelings about this one are a bit mixed. Altogether the machine is above medium, or medium-based machines are getting harder than earlier because of the complexity. The first path of the user was quickly solvable and I like these interactive machines, but when you have at least 3 passwords, things get complex. You need to think out of the box a bit, and that's why I liked this machine (even though I hit my head on the wall when I realized it).
If you know the specific script language internals you are good to go and this machine will be easy, especially the root path. But if you're not that type of person, you will have a hard time like I had. That part was frustrating and also the language has some annoying restrictions/features (e.g. ' vs ").
My hints (if there is a spoiler, please remove it):
User: check your notes and try to find some relationship between the open services and the @-s on the site. You need some fishing rods and some cats to catch that fish
After that do some basic enumeration in the service (also check your notes and use Google). The brainfuck part is coming; some hosts contain more h***s in them. You can guess or brute it, it's up to you. Once you find it, you will understand how to get in. Just do what you wanted to do first on FT, but you couldn't trigger it.
ShellZ: you don't need to stick with the service user, just change to the other one you got earlier. Then you need to understand how things are going. Check the running processes, and you will get a clue on how you should get that user. Once you've found out, you need a little GoogleFu on how to trick this internal service to get what you want. I think this is the hardest part. Yes, you need to upload something, but it's not the uploaded package that gives you the shell, so do not overcomplicate this.
Root: strongly related to the previous service. Basic privilege enumeration and GTFOBins will bring you the joy.
Thanks @sulcud for this machine, I learned a brand new thing that I didn't find in other machines earlier.
This box is offline every 5 minutes?
Well, that was quite a road to user.txt. Liked the part with s****.** a lot! Getting root itself was a matter of a few seconds.
And done! A few good learning points from this one. The path to user takes several long steps. Root was a breeze compared to it! If things aren't working, remember to check your package.
I thought that was one of the best boxes I've done on here. It was super engaging, used things I hadn't really done in other boxes, and seemed like something that would be ultra realistic. Root was a bit disappointing because it was so trivial, but given the setup that's probably pretty realistic, heh.
Thanks to @j88001 for the nudge on how to go spear fishing
Thanks to @sulcud , this machine was for some steps amazing
The foothold was amazing, but I needed to search for a nudge because I had never done that before; I had never seen something like that in this environment, so great machine! Try to use different easy lists, don't complicate.
For the user part, it was confusing, thanks to @rulzgz for making the steps clearer to me. For the user, I can say: sometimes, if you write keeping a sequence, maybe you can try to invert that sequence. Googling, the most common sequence didn't work for me.
The root part was easy; it took 5 minutes.
This machine was really hard for me. It took me ages to get the initial foothold, but I finally got root and learned a lot of new things with this machine. Thanks @schizo, @joenibe, @zaero and @CurioCT, you all helped me root this box. Really appreciated your help!!
Am I meant to make a new gmail account just for this? Wouldn't google be, you know, not cool with that?
@user29 said:
Am I meant to make a new gmail account just for this? Wouldn't google be, you know, not cool with that?
You don't need to make any gmail account.
@user29 said:
Am I meant to make a new gmail account just for this? Wouldn't google be, you know, not cool with that?
No. Boxes on HTB are pretty much self contained.
Anyone having problems accessing the website on port 80? I added a record to the hosts file and can ping it by hostname, but when accessing it via the browser I get a 504 Gateway Timeout, though ping/traceroute work.
@SovietBeast said:
Anyone having problems accessing the website on port 80? I added a record to the hosts file and can ping it by hostname, but when accessing it via the browser I get a 504 Gateway Timeout, though ping/traceroute work.
It depends on how you are trying to access it. There are subtle but important differences between how ping (which sends an ICMP echo request) and an HTTP GET request work.
However, the first thing I'd check is that you aren't trying to proxy your requests through Burp or something similar. An HTTP 504 error normally means a proxy has failed, and there shouldn't be one between you and the box here, unless you've put it there.
@TazWake I didn't try to proxy it, but I left it for ~15 mins and it is working now. Nothing changed on my end in the meantime, so I don't know what happened. But thanks for the reply.
@SovietBeast said:
@TazWake I didn't try to proxy it, but I left it for ~15 mins and it is working now. Nothing changed on my end in the meantime, so I don't know what happened. But thanks for the reply.
Ok - maybe it was just some weirdness on the box.
Finally, I own this one.
The user part is the most difficult part. The root part is really easy.
These are my hints for those that are stuck on the initial foothold and the user part.
## Foothold
Don't focus on enumeration. After a basic enum, don't waste your time.
As others said, the key is on the mail server.
Test all of those email accounts. I ended up making my own script to do it.
You will need to listen for incoming things to your local machine
## User
The most interesting part by far
Check if some passwords that you got allow you to access another user account. In the end, this part isn't really needed. You can use the initial shell to go further.
Check the vhosts
Try to understand how the service is working and how to deploy new packages
Also, it's a must to listen to what's happening when you upload a new package.
## Root
The easiest part. Classical privesc.
Cheers!
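A script for testing the candidate mailboxes against the mail server, the step the post above says it scripted. This is an added example, not code from the thread or from the machine's author: the host 10.10.10.10, port 25, domain example.htb and the candidate names are placeholders, and the sample replies are constructed to show how the reply codes are interpreted.

```python
"""SMTP user enumeration via VRFY, with RCPT TO as a fallback.

Added example (not the original poster's script). Host, domain, candidate
list and SAMPLE_REPLIES below are placeholders / constructed data.
"""
import smtplib

# Reply codes from RFC 5321 as they apply to VRFY and RCPT TO:
# 250/251 accept the address, 550/551/553 reject it, and 252 means the
# server refuses to verify but would still try to deliver (no information).
ACCEPTED = {250, 251}
REJECTED = {550, 551, 553}

# Constructed sample replies, as a server might answer four VRFY probes.
SAMPLE_REPLIES = {
    "alice": "250 2.1.5 alice <alice@example.htb>",
    "bob": "550 5.1.1 <bob>: Recipient address rejected: User unknown",
    "root": "252 2.0.0 root",
    "nobody": "553 5.1.3 Bad recipient address syntax",
}


def parse_reply(line):
    """Split a raw SMTP reply line into (code, text)."""
    code, _, text = line.strip().partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError("not an SMTP reply line: %r" % line)
    return int(code), text


def classify(code):
    """Map a reply code to 'valid', 'invalid' or 'unknown'."""
    if code in ACCEPTED:
        return "valid"
    if code in REJECTED:
        return "invalid"
    return "unknown"


def classify_replies(replies):
    """Classify a {user: raw reply line} mapping, e.g. SAMPLE_REPLIES."""
    return {user: classify(parse_reply(line)[0]) for user, line in replies.items()}


def valid_users(results):
    """Sorted list of candidates the server accepted."""
    return sorted(u for u, verdict in results.items() if verdict == "valid")


def enum_vrfy(host, port, users, timeout=5):
    """Probe each candidate with VRFY over a single connection."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for user in users:
            code, _ = smtp.verify(user)      # (502, ...) if VRFY is disabled
            results[user] = classify(code)
    return results


def enum_rcpt(host, port, domain, users, mail_from="probe@example.com", timeout=5):
    """Fallback when VRFY is disabled or answers 252 for everyone: open one
    MAIL FROM transaction and issue RCPT TO per candidate. DATA is never
    sent, so no mail is actually delivered."""
    results = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d %r" % (code, msg))
        for user in users:
            code, _ = smtp.rcpt("%s@%s" % (user, domain))
            results[user] = classify(code)
    return results


def enum_users(host, port, domain, users):
    """Try VRFY first; fall back to RCPT TO if it told us nothing."""
    results = enum_vrfy(host, port, users)
    if all(v == "unknown" for v in results.values()):
        results = enum_rcpt(host, port, domain, users)
    return results


if __name__ == "__main__":
    # Placeholder target; substitute the box's mail server and the names
    # harvested from the website.
    candidates = ["admin", "postmaster", "info", "support"]
    found = enum_users("10.10.10.10", 25, "example.htb", candidates)
    for user, verdict in found.items():
        print("%-12s %s" % (user, verdict))
    print("valid:", valid_users(found))
```

A 252 on every name means VRFY is effectively disabled; the RCPT TO path usually still distinguishes users, but some servers accept every recipient and reject later, so compare against a name you know does not exist before trusting the results.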
Rooted.
100% agree with the comment above from @n3b0r. It feels like this box is in reverse - the foothold and user are the toughest parts. Enjoyable box.
Happy to hint if needed.
Did anyone ever try smtp-user-enum.pl? I had looked at it in the beginning, but out of curiosity I tried it. It isn't giving me the results I expected.