Official Compromised Discussion

Accidentally reset my entire desktop and panels while messing around waiting for nmap to finish. Spent the last 45 min trying to get everything fixed. Can finally start this box now

I have grepped everything in existence where tf is this thing… I know you’re somewhere…

Edit: can someone give me a nudge? I seriously can’t find this

Edit 2: I was using the IP for feline the entire time *facepalm*

The shell script from @sparkla is very cool once you get a working webshell. Feels like a real shell, including proper formatting.

Stuck moving forward from here though.

Update: Moved forward, thanks to some nudges from @GPLO and @metuldann. Learned a new technique. Now on to the next user.

Update 2: Managed to get the user flag. Now trying for root. So far haven’t found anything “left behind” which can help me - any advice about where to look would be appreciated.

Found something. Now just need to make it work.

Finally got root. The last part is very cool. Thanks @D4nch3n for a great box - I learned a lot.

@sparkla said:

Again I decided against knowing better to try & move forward from the pseudo-shell to my user. I had some “fun” but still unable to make anything out of it.

My initial prediction remained true, whatever is supposed to work here seems to work only in a very specific way, you’re either lucky enough to find it or you aren’t - for me this has little to do with hacking.

Many hours wasted, learned nothing new, not the type of box I like to play here. Trollbox, Guessbox, Mysterybox, whatever you wanna call it. Not a Hackbox.

Aren’t half the boxes like this anyway?
I thought it was a good box. Some known vulns, some adapted vulns etc.
It’s all learning!!
Must say couldn’t have rooted without help though!

@sparkla said:

Again, first blood happened like nothing was wrong, the missing link was spread through forum messages, probably initiated by the creator. I asked “why” we’re having to endure such frustrating experiences and never got a real answer. That’s what I call a Trollbox. Creators intentionally trolling players or not telling the reason why they do it.

I’ve had this feeling for quite a while, that first blood has become a total BSh.t. Creators, moderators, other HTB staff, their friends and friends of friends. This is what it looks like and how it works. This is a commercial project in many aspects (not only the simple and straightforward) and owners apparently think that this way is the best one. You just need to filter out what has value from total garbage, forget about first blood and I can guarantee you that you will feel way better immediately.

Anyone else getting an unresponsive webshell?

nvm

When I upload a file with the vq*** , the web interface crashes… but I’m still able to do some directory browsing on the website… is that behavior intended?

Please stop uploading files; it crashes the server and has nothing to do with the exploit.

$: ls /home
<Response [200]>

$:

Oh you don’t wanna print anything? Yea… that’s cool…

@sparkla said:

[Redacted] - I stand by every word I said and that includes I have no intention to hurt or harm creators, the project or anyone else. It also includes, a lot of things aren’t ok. Let’s hope they get better.

Of course you do, and of course no one wants to hurt anyone. You raised your concerns and I gave you absolutely free of charge advice on how you could possibly start feeling better and how you can find the peace of mind you’ve apparently lost. Nothing more than that.

It is an interesting box and it is nice to see some DFIR skills being needed. Thanks to @D4nch3n for taking the time and effort to build this!

I found it very enjoyable and the process was fairly straightforward. I can see how people might get frustrated though, my main tip would be slow down and make sure you’ve thought of what you are doing.

This box will definitely punish people who rush to get a reverse shell.

# Sort of hints

Initial Foothold: the public exploit does work but needs modification. Investigate why it fails and there is also public information on how to fix this.

First account: Enumeration is the key. The information is available in at least two places. You can use this to access something via the initial foothold. Enumerate what it can do and then you can convince it to trust you so you can access as this account.

Second account: You should know what account you want. Enumerate carefully and find loot. Use loot.

Privesc: The box name is a hint. Look for things left behind. Use the hints on page 1. Ghidra helps but there are lots of other ways to do this. Find loot. Use loot.

Overall, really good box which sits nicely in the “hard” bracket.

I really thought I was gonna get this one before you… ended up having to spend all day on homework smh :joy:

Sorry! I had a slight advantage for privesc though as it aligned fairly well to my day job…

Rooted! Nice machine.
Learned some good stuff.
The root part is tricky and awesome.

For Foothold: Google FU.
For user: Enumeration
For Root: If you got something, play with it in all possible orders. :wink:

Yup the root is a bit of a kicker… got user a while back - shells aren’t that unstable. Good box.

Can I get some help trying to dump this s** db? The shell doesn’t seem to like my commands.

Edit: got it, for anyone facing the same problem I had to use --password instead of -p

@sparkla said:

I managed to get a real shell afterwards but user.txt wasn’t in the location shown by the locate command. Not sure if that was intended or another “user manipulation”, it was very late so I didn’t reset the box to check again.

The user flag is where it should be. I suspect that if you aren’t in the right account you can’t see it.

@sparkla said:

Try

locate user.txt

Maybe that helps to understand my question.

I will tomorrow.

Keep in mind, locate does a search in the updatedb database - it will only find files that are stored in the db. It is often not as effective as a find command.

For example find / -name "user.txt" 2>/dev/null would, in most situations, be a better choice. (I have no idea if it would work on this box, I never tried it). File permissions can affect both.

I have never been so stuck in my entire life :joy: