Official Blunder Discussion

Root was surprisingly easier than I thought, literally a one liner. People aren’t joking or exaggerating. Googled 2 things in sequence, and got the answer.

User was extremely easy, enumeration like everyone has been saying.

Initial Foothold is a bit confusing as to what you should do. But you have to go back to your caveman mentality and just force the door you might find.
:smile:

ROOTED!

There’s quite a bit of info in the comments. So my only hints are:

Foothold - read the comments
User - continue reading the comments
Root - read the comments some more

:slight_smile:

Got both flags but when I submit them I get the error “incorrect hash for blunder”. I tried to reset the machine but the limit is reached for today. It is my first box… Am I doing something wrong?

@slashviper said:

Got both flags but when I submit them I get the error “incorrect hash for blunder”. I tried to reset the machine but the limit is reached for today. It is my first box… Am I doing something wrong?

If you read through a few of the threads here you will see that this is an occasional problem.

HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

However, it also means that sometimes the hashes don’t load properly and it creates issues.

The main suggestions seem to be:

  1. reboot, repeat the pwnage, get the new flags, try them
  2. report it to HTB via a JIRA ticket and see if they can fix the issue

Rooted. PM for nudges.

just rooted the machine without even touching one of the users. does he have a purpose?

Dire need of help on root. I thought the user was pretty easy…everybody saying root is the easy part but I can’t for the life of me find it. I’ve got a shell with f***** user. Linpeas doesn’t finish the scan, so looking through what it gives me, I don’t see anything in particular. I’ve found a couple of CVEs but there are people saying you should only have to type two commands and if you’re uploading stuff, you’re on the wrong track.
[+] Searching specific hashes inside files - less false positives (limit 70)
That’s as far as Linpeas gets me. I’m probably missing something above that, but I’m definitely not able to get anything past that. Please help, point me to the correct John Hammond Video, or any kind of nudge would be greatly helpful.

ps - I’m also on the EU vpn. I worked on it all last weekend using the US vpn but was disconnected nearly every three minutes. Thanks to anybody that will help.

Finally got shell
strange password mechanism XD

thanks to @Karthik0x00 for the nudge

I’m not sure if privesc is needed for user flag part or not
because the file is permission denied!

could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? still pretty beginner

rooted. thanks to:
@ElleuchX1 and @JonnyGill

user: all the tips have already been prescribed here, but I can remember again, enumeration, enumeration and enumeration, pay close attention to all the details of the initial page, the rest is a consequence.

root: I certainly improved the enumeration that is key to solve this box. root is super easy.

@■■■■2000 said:

could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? still pretty beginner

Read the hints from users, it’s obvious!

Initial foothold: enum, enum and enum (for special files) and look with clear eyes at content of site :slight_smile:

@SpaceMoehre said:

just rooted the machine without even touching one of the users. does he have a purpose?

Depends which user you didn’t touch.

@flatlin3 said:

Dire need of help on root. I thought the user was pretty easy…everybody saying root is the easy part but I can’t for the life of me find it. I’ve got a shell with f***** user. Linpeas doesn’t finish the scan,

This is a box where enumeration tools will actively undermine your ability to progress.

Manual checking is significantly more effective.

When you do this, you can find something which was a publicly disclosed issue/exploit towards the end of last year.

@■■■■2000 said:

could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? still pretty beginner

You need to fuzz for interesting documents on the server. Then you need to look at using a tool to carve words off the website to use as a wordlist.

Found a way to upload and the corresponding location. However, calling doesn’t seem to trigger anything :confused: Hm.

Stuck on root
When I run commands like s*** -l with h*** user to check the privs,
I get “s***: no tty present and no askpass program specified” message

Am I in the wrong direction about struggling with that?
Because I found several vulnerabilities for s*** version but can’t run the command because of the above message!

@KouroshRZ said:

Stuck on root
When I run commands like s*** -l with h*** user to check the privs,
I get “s***: no tty present and no askpass program specified” message

Am I in the wrong direction about struggling with that?
Because I found several vulnerabilities for s*** version but can’t run the command because of the above message!

You need to “upgrade your shell.”

@TazWake said:

@KouroshRZ said:

Stuck on root
When I run commands like s*** -l with h*** user to check the privs,
I get “s***: no tty present and no askpass program specified” message

Am I in the wrong direction about struggling with that?
Because I found several vulnerabilities for s*** version but can’t run the command because of the above message!

You need to “upgrade your shell.”

Thank you very much, it was a really annoying issue (p****n reverse shell is really better)
Finally got root, it took less than a minute :slight_smile:

@KouroshRZ said:

Thank you very much, it was a really annoying issue (p****n reverse shell is really better)
Finally got root, it took less than a minute :slight_smile:

Nice work.

My current issue is that I get this message in msf and it doesn’t create a session successfully.
Started reverse TCP handler on CENSORED
[+] Logged in as: f***** (I censored this as well)
Retrieving UUID…
Uploading UQygUigAYU.png…
Uploading .htaccess…
Executing UQygUigAYU.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
Exploit completed, but no session was created.
What are the recommendations for facing these situations and figuring out which part of the msfconsole is wrong? Thx a lot