I managed to get a real shell afterwards but user.txt wasn't in the location shown by the locate command. Not sure if that was intended or another "user manipulation", it was very late so I didn't reset the box to check again.
The user flag is where it should be. I suspect that if you aren't in the right account you can't see it.
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.
Comments
Can I get some help trying to dump this s** db? The shell doesn't seem to like my commands.
Edit: got it, for anyone facing the same problem I had to use --password instead of -p
Always happy to help, DM me if you need anything!
Link to Profile
Note: https://www.nohello.com/
locate user.txt
Maybe that helps to understand my question.
@sparkla said:
I will tomorrow.
Keep in mind, locate does a search in the updatedb database - it will only find files that are stored in the db. It is often not as effective as a find command. For example find / -name "user.txt" 2>/dev/null would, in most situations, be a better choice. (I have no idea if it would work on this box, I never tried it). File permissions can affect both.
Note: https://www.nohello.com/
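To make the locate-versus-find point above concrete, here is an added example (mine, not from the thread). A plain text list of paths stands in for the updatedb database, so the whole demo runs offline in a throwaway directory; every path in it is constructed. It shows a file created after the last "updatedb" run being missed by the index lookup but reported by a live find, and counts the directories find could not enter, which is the permissions caveat TazWake mentions.

```shell
#!/bin/sh
# Added example, not from the thread: why a stale locate index can miss a file
# that a live find still reports. A plain text list of paths stands in for the
# updatedb database so the demo runs offline; all paths are constructed here.

# Live search: walk the tree with find, discarding "Permission denied" noise.
search_live() {
    find "$1" -name "$2" 2>/dev/null
}

# Index search: what locate does, against a snapshot taken at "updatedb" time.
build_index() {
    find "$1" -type f 2>/dev/null > "$2"
}
search_index() {
    grep "/$2\$" "$1" || true
}

# How many directories find could not enter as the current account. Anything
# above zero means the live search was incomplete too (the permissions caveat).
count_unreadable() {
    find "$1" -name "$2" 2>&1 >/dev/null | grep -c 'Permission denied' || true
}

# Demo: snapshot a tree, create a file afterwards, compare both searches.
# Returns 0 when the index misses the new file and find reports both copies.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    echo "old" > "$tmp/home/alice/user.txt"
    build_index "$tmp" "$tmp/index.db"       # the last "updatedb" run
    echo "new" > "$tmp/home/bob/user.txt"    # created after the snapshot

    indexed=$(search_index "$tmp/index.db" user.txt | wc -l | tr -d ' ')
    live=$(search_live "$tmp" user.txt | wc -l | tr -d ' ')
    skipped=$(count_unreadable "$tmp" user.txt)
    rm -rf "$tmp"
    echo "indexed hits: $indexed  live hits: $live  unreadable dirs: $skipped"
    [ "$indexed" -eq 1 ] && [ "$live" -eq 2 ]
}
```

Running `demo` reports one indexed hit and two live hits. On a real host the same gap appears whenever updatedb has not run since the file was written, and a non-zero unreadable count tells you the account you are searching from cannot see everything, which is exactly the situation the thread describes.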
I have never been so stuck in my entire life
In my case locate showed user.txt should be in home of my***. But it wasn't.
@sparkla said:
Ok - so having tried this I might have a better idea what you mean.
Some things to consider:
locate is (at least in my experience) really hit and miss. It frequently misses files on my local system because I don't keep the database up to date.
each user account has set privs, if the account you are in doesn't have privs to see the file, you might not be able to find it with other tools. Keep in mind what account is being used by which "exploit."
If you use the second account via the first bit, the output is muddy so it isn't great for broad searching (targeted enumeration still works).
On this box, there is no need to hunt the flags. They are exactly where they should be.
@sparkla said:
Ah, interesting. When I ran locate just now it returned nothing!
It should be. If it isn't someone messed with your box.
EDITED TO ADD:
I am sorry, I've realised I might have added to the confusion here because I wasn't paying enough attention to detail in my replies.
Hopefully, this is cleared up now.
@TazWake Edit: Posts were timed badly. Now you answered my questions, thanks.
@sparkla said:
Awesome - I think I understand at last!
Hopefully, we are communicating on the same frequency now
It is a crying shame that so many people think it is funny/clever to break the boxes for other people. I wish more Linux boxes set the immutable flag on the flags.
Got user, wasn't so much hard as it was I had never used this method before and couldn't find anything online about it. Thanks to @TazWake for walking me through the second half with the S** service trickery.
Onto root, from what I see on this thread this will certainly go over my head. I have 0 knowledge of reversing... should be interesting.
Been increasing the difficulty over the past 2 weeks, Unbalanced was a cakewalk but this is definitely my max.
Edit: Starting the 6 hr ghidra crash course lol wish me luck
Really interesting box! I have learned a few new things!!
Thanks for the hints and Congrats @D4nch3n !
Pm if you need a small nudge
How did you guys transfer the interesting file back over to your local machine? scp hangs when I try to connect back to my personal ssh server
Netcat worked for me, but YMMV.
> How did you guys transfer the interesting file back over to your local machine? scp hangs when I try to connect back to my personal ssh server
A lot of ways are there! Scp, Nc, Pyserver, need more? Google it.
A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps
@gunroot said:
scp wasn't working at first, so I thought there might be another way. Ended up getting it working though thanks!
@gunroot said:
No I ended up getting scp to work. It was just hanging at first.
root@<hostname>:~# id
uid=0(root) gid=0(root) groups=0(root)
Fuck yea!
DM me if you need any hints. Most satisfying root possibly ever, very proud of myself there
Had the same issues, couldn't get any connection to work. Could have scp'ed from my machine but instead I used b64 and copy paste for all transfers. SSH from me to the box is the only working connection.
Good suggestion from @sparkla - people often overlook how effective Base64 can be in transferring files between systems.
However if ssh from you to the box works, so should scp as it is basically the same protocol. If ssh works but scp fails, there is a good chance something on the box is broken.
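The base64 copy-paste transfer sparkla and TazWake discuss works, but a paste that got wrapped, truncated or padded with whitespace decodes to garbage without any error. Here is an added example (mine, not from the thread) that pairs the transfer with a SHA-256 check so a mangled paste is rejected rather than silently accepted. It assumes GNU coreutils (sha256sum and base64 -d); the sample file and the deliberately altered blob are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the base64 copy-paste transfer with an
# integrity check, so a paste that got wrapped, truncated or otherwise mangled
# is rejected instead of silently producing a corrupt file. Assumes GNU
# coreutils (sha256sum, base64 -d); the sample file below is constructed.

# Sending side: one header line with the SHA-256, then the blob on one line.
b64_pack() {
    printf 'SHA256 %s\n' "$(sha256sum "$1" | cut -d' ' -f1)"
    base64 "$1" | tr -d '\n'
    printf '\n'
}

# Receiving side: read the pasted text on stdin, decode into $1 and verify.
# Returns 0 on a hash match, 1 otherwise (the partial output file is removed).
b64_unpack() {
    out="$1"
    payload=$(cat)
    expected=$(printf '%s\n' "$payload" | sed -n '1s/^SHA256 //p')
    blob=$(printf '%s\n' "$payload" | sed '1d' | tr -d ' \t\r\n')
    if ! printf '%s' "$blob" | base64 -d > "$out" 2>/dev/null; then
        rm -f "$out"; return 1
    fi
    actual=$(sha256sum "$out" | cut -d' ' -f1)
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        rm -f "$out"; return 1
    fi
    return 0
}

# Demo: a clean round trip should reproduce the file byte for byte.
demo_roundtrip() {
    tmp=$(mktemp -d)
    printf 'interesting bytes\n' > "$tmp/in.bin"
    b64_pack "$tmp/in.bin" > "$tmp/paste.txt"
    if b64_unpack "$tmp/out.bin" < "$tmp/paste.txt" && cmp -s "$tmp/in.bin" "$tmp/out.bin"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Demo: a blob altered in transit (letters A-M/a-m shifted, which keeps it
# valid base64 so base64 -d still succeeds) must be caught by the hash check.
demo_tampered() {
    tmp=$(mktemp -d)
    printf 'interesting bytes\n' > "$tmp/in.bin"
    b64_pack "$tmp/in.bin" | sed '2y/ABCDEFGHIJKLMabcdefghijklm/NOPQRSTUVWXYZnopqrstuvwxyz/' > "$tmp/paste.txt"
    if b64_unpack "$tmp/out.bin" < "$tmp/paste.txt"; then
        rc=1                      # accepted corrupt data: a failure
    else
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
```

In practice you run `b64_pack file` in the session, copy everything it prints, and feed the paste to `b64_unpack out` on the other side. The whitespace stripping in `b64_unpack` is what makes terminal line wrapping harmless, and the hash is what turns a truncated paste into a clear failure. For the defender the same observation cuts the other way: an interactive session that nothing but the terminal can leave still moves data, so egress filtering alone is not a control against it.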
Couldn't spot the privesc, nudge welcome.
@sparkla said:
> SSH from box to me doesn't work as well. I suspect either broken or on purpose to prevent usage of nc (and enforce the intended route) in the early stage of foothold.
Rumour has it (and I certainly haven't even tried to confirm this yet) but SSH from HTB boxes to user machines is prevented.
You should be able to use SSH/SCP from your machine to this box though.
It's difficult to avoid spoilers. I'd start with thinking about this as a compromised device, and looking for things the attacker might have done to allow themselves back in.
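TazWake's framing of the box as a compromised host is the normal starting point for incident triage, so here is an added example (mine, not from the thread) of the read-only checks a responder runs first when looking for how an intruder arranged to get back in: extra SSH authorized keys, cron entries, and files carrying the setuid bit. Every function takes a root directory so the demo can run against a constructed throwaway tree; on a real host you would pass / and compare the output against a known-good baseline.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only triage pass over a host you
# treat as compromised, listing the common "let me back in" leftovers an
# incident responder checks first: extra SSH authorized keys, cron entries and
# setuid files. ROOT defaults to / ; the demo tree below is constructed.

# "path<TAB>count" for every authorized_keys file under ROOT (blank and
# comment lines are not counted). Unexpected keys or counts are the lead.
list_authorized_keys() {
    find "$1" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | while read -r f; do
        n=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f" || true)
        printf '%s\t%s\n' "$f" "$n"
    done
}

# Active lines from the system crontab locations, prefixed with their file.
list_cron_entries() {
    for f in "$1/etc/crontab" "$1"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -v -E '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
    done
}

# Files with the setuid bit under ROOT; compare against a known-good baseline.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

triage_persistence() {
    root="${1:-/}"
    echo "== authorized_keys (path, active keys) =="; list_authorized_keys "$root"
    echo "== cron entries =="; list_cron_entries "$root"
    echo "== setuid files =="; list_setuid "$root"
}

# Build a throwaway tree with one planted item of each kind and run the pass.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/etc/cron.d"
    printf '# alice laptop\nssh-ed25519 AAAAC3Nza...EXAMPLE1 alice@laptop\nssh-ed25519 AAAAC3Nza...EXAMPLE2 unknown\n' > "$tmp/home/alice/.ssh/authorized_keys"
    printf '# nightly\n*/5 * * * * root /opt/sync.sh\n' > "$tmp/etc/cron.d/sync"
    : > "$tmp/helper"; chmod 4755 "$tmp/helper"
    triage_persistence "$tmp"
    rm -rf "$tmp"
}
```

The output is deliberately flat so it can be diffed against the same pass run on a clean build of the system; a second key in a user's authorized_keys, a cron line nobody recognises, or a setuid binary outside the package-managed set are each worth a closer look. The checks only read the filesystem, so they are safe to run on a box you do not want to disturb.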
@sparkla said:
DM me if you still need the nudge for privesc
But apart from that (and the fact that I have no idea who "Rumour" is and why he 'has it") I take away the PrivEsc must be super easy and I just looked the wrong way.
@sparkla said:
This is the rumour: https://forum.hackthebox.eu/discussion/comment/83605/#Comment_83605
This may be why your SSH isn't working from the box to your machine. It may not be. YMMV.
PrivEsc on this box is not easy.
FYI if anyone is stuck on this. Edit /etc/ssh/sshd_config and change "Port" to anything you want. SSH is only blocked on the standard port. I still wouldn't recommend leaving it enabled though, just start it when you need and stop it afterwards: systemctl start/stop ssh
Have players been hacked?
That's the theme of this box.
I don't know to be honest... I just saw the announcement on Discord, but have to assume so.