Admirer


Comments

  • Rooted.
    This was my first real box on HTB and I enjoyed it, especially the root part.

  • Does anyone have a problem opening port 3306? I tried various conf files but to no avail. I just cannot allow remote connections to my 3306 :(

  • @minhobrandon said:

    Does anyone have a problem opening port 3306? I tried various conf files but to no avail. I just cannot allow remote connections to my 3306 :(

    Did you check the MariaDB settings and iptables?
    Maybe go through:
    https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/
    and recheck remote access? Of course you need to grant access (at the MariaDB level) for a remote user using GRANT ...

    OSCP | RHCE | CKA

  • edited September 2020

    Root obtained:

    root@admirer:/tmp# hostname
    hostname
    admirer
    root@admirer:/tmp# whoami
    whoami
    root
    root@admirer:/tmp# 
    

    Edit: Worked once I changed which server I'm VPN'd into.

  • Root part was very informative for the future :)

  • Rooted - Message for help with what you have tried so far

  • ROOTED!
    Initial foothold not too easy, but a breeze from there. Fun box, DM for nudges.

  • @GibParadox I have to say, for me it has been the best box I ever solved. No guesswork, nice challenges, totally liked it.

  • @Rucker said:

    @GibParadox I have to say, for me it has been the best box I ever solved. No guesswork, nice challenges, totally liked it.

    Awesome! Glad you liked it!

  • I am at the very last step before getting root, but my attack is falling down somewhere and I don't know why! I have successfully hijacked s*****.**. If I run the commands from b*****.** in the interpreter, my code gets executed, but not when I call a****_t****.** Would really appreciate it if someone could PM me...

  • [email protected]:/tmp$ uid=0(root) gid=0(root) groups=0(root)

    I really hated the foothold/user but the root path was awesome and made up for the prior annoyance. I have some leftover questions about the a*****r bypass that I can't find in the exploit docs so if anyone can help DM me please.

    Foothold: My problem was none of the relevant words were in my wordlists

    User: Very odd for an easy box, requires some effort.

    Root: A really cool idea, learned a lot and it's valuable for the future.

    If you need any help DM me!

    LMAY75
    Always happy to help, DM me if you need anything!

  • edited September 2020

    I can't get any login page despite enumerating with dirsearch, gobuster and dirbuster; at most I got forbidden dirs.... I need a pointer in any direction, please?

  • @SuperRaptor said:

    I can't get any login page despite enumerating with dirsearch, gobuster and dirbuster; at most I got forbidden dirs.... I need a pointer in any direction, please?

    Why does there need to be a login page?

    If you have fuzzed it fully, you may have found something you need, which tells you how to get access to something which can give you something you need to find out where to go with the next step.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited September 2020

    Just finished this box after a couple of days.

    Foothold was annoying and I only got it by reading some posts in here (and also used a tool I hadn't used before which is pretty nice).

    User was straightforward with some fiddling around with config stuff. I had never used/seen this method so that's good.

    Root...wandered down a completely wrong path but learned a lot about an exploit that doesn't work on this box along the way. Finding the right place was just a basic post-exploit step. I read and understood what was going on and kind of what I had to do but messed up a small detail.

    So my advice
    Foothold: if in doubt, think big.
    Root: pass don't set.
    Hope that's not too spoiler-y.

    Enjoyable box, but if this is easy...I have a long way to go. I only did this and Tabby so far, I'd say overall this box was harder but they are hard to compare.

  • edited September 2020

    Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)? There is a vulnerability in ad***_tas***.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

  • @xenofon said:

    Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)?

    At a basic level (and I don't mean to sound sarcastic), but if you can't see a good reason to do this, don't do it.

    Work your own path. You may have seen things which hint at this, but the hints could be wrong.

    However, if nothing else works, you might want to go back to this.

    There is a vulnerability in ad_tas.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

    I certainly didn't. If you get it to work, then it is the right path. If it doesn't work, it is the wrong one. It's literally that simple. Just because something looks like it might be vulnerable doesn't mean it is - until you test it. Not every instance of shell_exec is vulnerable to exploitation - you'd need to be able to control what it executes and then you are limited to the privileges the code runs under.

    Some boxes have multiple routes to exploitation and if you find genuinely unintended ones, you can let HTB know and they'll patch it.

    One question I would ask though:

    You've seen hints saying "try $X" but you've also found a possible exploit for $Y but no one else appears to have mentioned it. You can't get $Y working.

    Does that imply it is the right path or the wrong path?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
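The point above, that a shell_exec-style call is only exploitable when the caller controls what the shell parses, is easy to show side by side. The following is an added example, not code from the box or from anyone in this thread; it uses Python's subprocess as a stand-in for PHP's shell_exec (shell=True is the same "hand a concatenated string to /bin/sh" pattern) and runs a harmless echo so the effect is visible without doing anything destructive. The hostname allowlist pattern and the function names are my own assumptions.

```python
import re
import subprocess
from typing import List

# Allowlist for the one user-controlled value a task may take: a hostname.
# Shell metacharacters (; | & $ ` etc.) cannot pass this pattern. (assumed policy)
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def run_unsafe(user_value: str) -> List[str]:
    """Concatenate user input into a command string and hand it to /bin/sh.

    This is the shape of a vulnerable shell_exec("cmd " . $input): the shell
    parses the whole string, so whoever supplies the input decides what runs.
    'echo' keeps the demonstration harmless.
    """
    cmd = "echo " + user_value  # string concatenation, exactly like "cmd " . $input in PHP
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_safe(user_value: str) -> List[str]:
    """Pass the user value as one argv element: no shell is involved, so any
    metacharacters reach the program as literal text, not as syntax."""
    out = subprocess.run(["echo", user_value], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_validated(user_value: str) -> List[str]:
    """Defence in depth: reject anything outside the allowlist before it gets
    anywhere near a command, and still avoid the shell."""
    if not HOST_RE.fullmatch(user_value):
        raise ValueError(f"rejected task argument: {user_value!r}")
    return run_safe(user_value)


if __name__ == "__main__":
    probe = "example.test; echo INJECTED"  # constructed probe input
    print("unsafe   :", run_unsafe(probe))     # two lines: the second command ran
    print("safe     :", run_safe(probe))       # one line, the literal text
    try:
        run_validated(probe)
    except ValueError as exc:
        print("validated:", exc)
```

The unsafe variant prints two lines because the shell executed the second command; the safe variant prints the whole input as a single literal line. Even then, whatever the safe variant runs still executes with the web server's privileges, which is the second limit mentioned above.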

  • @TazWake said:

    @xenofon said:

    Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)?

    At a basic level (and I don't mean to sound sarcastic), but if you can't see a good reason to do this, don't do it.

    Work your own path. You may have seen things which hint at this, but the hints could be wrong.

    However, if nothing else works, you might want to go back to this.

    There is a vulnerability in ad_tas.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

    I certainly didn't. If you get it to work, then it is the right path. If it doesn't work, it is the wrong one. It's literally that simple. Just because something looks like it might be vulnerable doesn't mean it is - until you test it. Not every instance of shell_exec is vulnerable to exploitation - you'd need to be able to control what it executes and then you are limited to the privileges the code runs under.

    Some boxes have multiple routes to exploitation and if you find genuinely unintended ones, you can let HTB know and they'll patch it.

    One question I would ask though:

    You've seen hints saying "try $X" but you've also found a possible exploit for $Y but no one else appears to have mentioned it. You can't get $Y working.

    Does that imply it is the right path or the wrong path?

    I understand your point, but the thing I do not understand is this: why are we fuzzing a directory (util.....-sc.....) when we can see its contents from FTP? Why do we need to scan it through the web? That is my question. And why is adm**.pp not visible?

  • @xenofon said:

    @TazWake said:

    @xenofon said:

    Hey guys, why do we want to fuzz utili**-sc**** with some tools (wfuzz, gobuster)?

    At a basic level (and I don't mean to sound sarcastic), but if you can't see a good reason to do this, don't do it.

    Work your own path. You may have seen things which hint at this, but the hints could be wrong.

    However, if nothing else works, you might want to go back to this.

    There is a vulnerability in ad_tas.p*p (shell_exec). I am trying to get an RCE from there but nothing. Did anyone do it this way?

    I certainly didn't. If you get it to work, then it is the right path. If it doesn't work, it is the wrong one. It's literally that simple. Just because something looks like it might be vulnerable doesn't mean it is - until you test it. Not every instance of shell_exec is vulnerable to exploitation - you'd need to be able to control what it executes and then you are limited to the privileges the code runs under.

    Some boxes have multiple routes to exploitation and if you find genuinely unintended ones, you can let HTB know and they'll patch it.

    One question I would ask though:

    You've seen hints saying "try $X" but you've also found a possible exploit for $Y but no one else appears to have mentioned it. You can't get $Y working.

    Does that imply it is the right path or the wrong path?

    I understand your point, but the thing I do not understand is this: why are we fuzzing a directory (util.....-sc.....) when we can see its contents from FTP? Why do we need to scan it through the web? That is my question. And why is adm**.pp not visible?

    Maybe a file was included after the upload to the FTP server? Is this what we examine by fuzzing utl.....-sc....?

  • @xenofon said:

    Maybe a file was included after the upload to the FTP server? Is this what we examine by fuzzing utl.....-sc....?

    As I said, if it doesn't make sense, don't do it - some hints are simply wrong.

    However, I don't think this one is.

    Just because you find some files in an archive doesn't mean you've found all the files. If I was managing a server and I was adding content every week but taking a monthly backup, if you look at the backup you do not see the live environment unless you get really, really lucky.

    When we have two sets of information - such as an archive and a live version, being able to see if there is a difference between the two can lead to some interesting discoveries.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
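The "archive versus live" comparison described above is the same check an administrator runs to detect drift: files that exist on the live server but never made it into a backup, files that vanished, and files whose contents changed since the backup was taken. The following is an added example, not code from this thread or from the box; the two listings (path and SHA-256 per file) are constructed here inline, and the file names in them are invented placeholders rather than anything from the machine.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents; used to build the sample listings."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample trees (placeholder names, not the box's files).
# The backup is the older snapshot; the live tree was changed after it was taken.
BACKUP_FILES = {
    "index.php": b"<?php echo 'home'; ?>",
    "scripts/report.php": b"<?php // report v1",
    "scripts/cleanup.php": b"<?php // retired helper",
}
LIVE_FILES = {
    "index.php": b"<?php echo 'home'; ?>",                  # unchanged
    "scripts/report.php": b"<?php // report v2, edited",   # modified since backup
    "scripts/extra.php": b"<?php // added after backup",   # only on the live server
}


def make_listing(files: Dict[str, bytes]) -> str:
    """Render a tree as 'path<TAB>sha256' lines, the format parse_listing reads."""
    return "\n".join(f"{path}\t{sha256_hex(data)}" for path, data in files.items())


def parse_listing(text: str) -> Dict[str, str]:
    """Parse 'path<TAB>sha256' lines into {path: digest}; blank and '#' lines ignored."""
    files: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, digest = line.rsplit("\t", 1)
        files[path] = digest.lower()
    return files


def diff_listings(backup: Dict[str, str], live: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as live-only, backup-only, or changed in content."""
    common = set(backup) & set(live)
    return {
        "only_live": sorted(set(live) - set(backup)),
        "only_backup": sorted(set(backup) - set(live)),
        "changed": sorted(p for p in common if backup[p] != live[p]),
    }


def report() -> Dict[str, List[str]]:
    """Run the comparison over the constructed sample listings."""
    backup = parse_listing(make_listing(BACKUP_FILES))
    live = parse_listing(make_listing(LIVE_FILES))
    return diff_listings(backup, live)


if __name__ == "__main__":
    for category, paths in report().items():
        print(f"{category:12s}: {', '.join(paths) or '-'}")
```

Paths under only_live are the ones worth a second look from either side of the fence: for a defender they are the unexplained additions that a backup-based review would never show, so comparing a listing like this against the deployed tree on a schedule (and alerting on the only_live and changed sets) is a cheap integrity check.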

  • @TazWake said:

    @xenofon said:

    Maybe a file was included after the upload to the FTP server? Is this what we examine by fuzzing utl.....-sc....?

    As I said, if it doesn't make sense, don't do it - some hints are simply wrong.

    However, I don't think this one is.

    Just because you find some files in an archive doesn't mean you've found all the files. If I was managing a server and I was adding content every week but taking a monthly backup, if you look at the backup you do not see the live environment unless you get really, really lucky.

    When we have two sets of information - such as an archive and a live version, being able to see if there is a difference between the two can lead to some interesting discoveries.

    thank you very much for the info

  • edited September 2020

    I have the user flag but once I pasted the hash it doesn't work! ... I spent a lot of time with the local database on some basic things hahaha!!

    Today is working !! :)

  • Thanks @polarbearer & @GibParadox for nice box!
    Foothold was a pain for me, especially when I found all the creds but had no clue where to use them :) But then I took a closer look at the name of the box; it does matter. Lateral movement was not too hard.

    N0rt0N

  • Spoiler Removed

  • edited September 2020

    @shinsei said:

    I was able to access the file, but when I enter the flag on the site, I get an error Why? Who will tell you?

    Reset the machine, wait a little, and try again. Make sure that the flag is different to the one you got the last time. Should it still not work, raise a ticket at HTB's JIRA: https://forum.hackthebox.eu/discussion/2994/htb-support-on-jira


    Hack The Box
    GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.
