Official Passage Discussion

If this is EASY, then how would you rate a box on which you could get root just by running linpeas ?

xD yeah this is right. I dunno, this is why HTB is getting reputation for being less and less beginner friendly. Because even easy level boxes you have to do a bunch of manual stuff. At least that was my experience recently

@AviusX said:

@TazWake I guess I know what you mean. I probably just compare too much. Like if I were to compare this to SneakyMailer, which had really long and fairly ‘new’ or ‘unique’ steps required to get to user, this seems like a piece of cake.
I usually find the user rated difficulty ratings to be far more accurate than the official ratings.

Yeah - that can be better but only when you get a lot of ratings. There are people who rate insane boxes a 1 and I’ve no idea why…

You can also use things like the number of user/root owns. If it is <30 after more than two months (Rope Two) you know it is stupidly hard. If it is > 1000 in the first week, it is probably fairly straightforward (not necessarily easy).

@Fr0sty9 said:

xD yeah this is right. I dunno, this is why HTB is getting reputation for being less and less beginner friendly. Because even easy level boxes you have to do a bunch of manual stuff. At least that was my experience recently

There are always phases as it takes about six months for a box to be released. That means if everyone today tried to make them easier, in six months we’d say “they are too easy” and everyone would make harder boxes etc.

I do think there should be at least some active boxes a brand new skiddie can progress (its been a while since something like Blue has been released).

For me - this box was well rated at medium.

Type your comment> @Fr0sty9 said:

If this is EASY, then how would you rate a box on which you could get root just by running linpeas ?

xD yeah this is right. I dunno, this is why HTB is getting reputation for being less and less beginner friendly. Because even easy level boxes you have to do a bunch of manual stuff. At least that was my experience recently

It’s funny that you say that, because I think about this regularly when people are asking about how the OSCP exam boxes compare to HTB boxes. I felt my OSCP exam boxes were all WAY easier than the latest easy boxes on HTB. Like I had 90/100 points in 10 hours on my OSCP exam.

Then again, some people say the OSCP boxes are like mediums on here, so I guess it is half personal opinion and luck.

Yeah - that can be better but only when you get a lot of ratings. There are people who rate insane boxes a 1 and I’ve no idea why…

@TazWake Are you talking about the guy who rated RopeTwo a 1? I laughed my ■■■ off at that ■■■■. Probably just did it for the memes. But yeah I understand what you mean.

You always need a large sample size for statistics like this to be more precise. For example I find that even hard machines are rated fairly easy according to user ratings when they’re released. It’s probably because the people who attempt hard boxes at release are usually more experienced/confident and find them easier. As the number of solves grow, the rating reflects the actual difficulty according to the average user better.

Type your comment> @pizzapower said:

Type your comment> @Fr0sty9 said:

If this is EASY, then how would you rate a box on which you could get root just by running linpeas ?

xD yeah this is right. I dunno, this is why HTB is getting reputation for being less and less beginner friendly. Because even easy level boxes you have to do a bunch of manual stuff. At least that was my experience recently

It’s funny that you say that, because I think about this regularly when people are asking about how the OSCP exam boxes compare to HTB boxes. I felt my OSCP exam boxes were all WAY easier than the latest easy boxes on HTB. Like I had 90/100 points in 10 hours on my OSCP exam.

Then again, some people say the OSCP boxes are like mediums on here, so I guess it is half personal opinion and luck.

OSCP is a lot more about enumeration and a pathway to exploiting something. Rather than some random CTF where you gotta exploit something and you only find it by desperately checking everywhere.

Yes, the difficulty of HTB boxes is, in average, going upwards, because the sample of people rating them are practicing more and completing more boxes. Surely, as an HTB participant, something I found medium 12 months ago, would probably seem much easier now; and most of us behave that way. For newcomers it must be harder.

Wow!!! I would not want anyone to smash their keyboard/monitors etc. when they pivot from user1 → user2. For root, all the covid 19 ■■■■ is just telling you that enum is more about just running tools. Don’t run them, won’t help you. Just use the “-a” with listing and read. If you have to read through the entire dir don’t shy away. The more you read, more you will understand.

Thanks, I learned a lot!

Great box, nice and easy for a change, although I did get hung up overlooking some simple stuff here and there, and trying to automate my manual exploit process in the beginning with bash scripts.

Really fun box so far, maybe one of the first I’ve done with minimal hints, though I think I’ve managed to get it wrong both times! I’ve read both the user and root flag files but neither hashes are being accepted by htb; if anybody is able to chat through what I’ve done so far and tell me I’m being dumb, I’d really appreciate it!

@CallumJ90
Try resetting the box, might be because of HTBs dynamic flags

@3zculprit said:
enum is more about just running tools. Don’t run them, won’t help you. Just use the “-a” with listing and read. If you have to read through the entire dir don’t shy away. The more you read, more you will understand.
A phenominal hint. If you’re still having trouble, refer to this.

rooted. thanks @ChefByzen for a nice box - the root part was very cool

Probably one of my favorite boxes to date. Really good logical flow and I’d agree with other posters that the difficulty advances as you progress through the box.

My hint for root would be to read the other posts carefully and to echo a very recent post, ensure you utilize the -a when listing directories. Enum scripts will only get you so far.

Feel free to DM for nudges and thank you @ChefByzen for the box!

Hey there, i need a nudge.
I have a shell, and i have to find user1.
I searched around and i find a lot of hashes, none of them is the right one i think because they’re all uncrackable.
can someone help me?

Rooted!

Straight forward but still has its own unique path/ exploits, not encountered earlier.

Hints:
Initial Foothold: Google. Yes its that simple but still a minor tweak.
User 1: Enumerate everything. Each folder and each file inside.
User 2: This is very simple. check everything inside your home.
Root: Again. Don’t leave your home. Ur bus will take you to places you never imagined

DM for any nudges
thanks to @ChefByzen for such an awesome box

@Meise said:

Hey there, i need a nudge.
I have a shell, and i have to find user1.
I searched around and i find a lot of hashes, none of them is the right one i think because they’re all uncrackable.
can someone help me?

Have you tried hashid? Are you sure they are “hashes” (i.e. are they fixed-length strings which is a good indication that something is hashed).

Type your comment> @TazWake said:

@Meise said:

Hey there, i need a nudge.
I have a shell, and i have to find user1.
I searched around and i find a lot of hashes, none of them is the right one i think because they’re all uncrackable.
can someone help me?

Have you tried hashid? Are you sure they are “hashes” (i.e. are they fixed-length strings which is a good indication that something is hashed).

yeah, they’re all uknown hashes

@Meise said:

yeah, they’re all uknown hashes

When you decode them, do you get anything more useful?