Official Academy Discussion

Rooted. An OSCP-like box. Recommended for anyone who is going to take the OSCP exam

any hint guys

Got the foothold, trying to get to a user.
Found a hash but wasn’t able to crack it. Am I missing something else or am I just too bad at cracking ? :slight_smile:

Struggling to make progress. I’ve tried sql injection on the webpages but made no progress. I’ve run nikto and ffuf looking for subdomains. I’m going to try the non webport next

rooted

thanks to @zweeden

Whew! Got user and root :smile: a huge thanks to @zweeden for the gentle nudges in the right direction. Didn’t give the whole answer, but just helped refocus my efforts when I was spinning my wheels.

The beginning e.g. gaining a foothold I would consider easy difficulty, however I think overall this box should be considered more towards medium difficulty. Not necessarily because it requires any intermediate knowledge on exploits or techniques, but beginners typically struggle the most with enumeration TTPs more than anything. I know I struggled the most at this stage on this box, there is just so much to go through at every sub-stage of enumeration here.

Tips for anyone who is completely stuck:

  • Gaining a foothold: this can really be considered two parts. For the web application side, think about how simple it might be to change a certain value so that you can become someone with particular privileges… Once you do that, don’t forget the basics about DNS. As @whitewhale mentioned, you need to identify when you find a red herring – MOVE ON if you are spinning your wheels on a particular finding. If you make it that far, remember to always google application names when you discover something you might not be familiar with. You can see from the machine statistics graph that this is rated very high in well documented exploits.

  • User: As everyone else mentioned, enumeration is key. Understand where particular credentials might be stored that you can see as the current particular user (when you gain a foothold). Google how to recursively grep in files, you will need this now and later! Remember that people are creatures of habit, especially with passwords…

  • Root: This was really the hardest part for me. If you are not good at enumeration, now is your time to get better. First thing you should always check is who you belong to and what powers and access that gives you. There is SO much to go through, you need to think about how you can use grep or other ways of filtering out the “noise” so you can find particularly interesting entries. Remember that if you pipe into less you can search for regular expressions with /. Use this to build up a repertoire of expressions that you can grep. Also remember that lateral movement is important! “You” might not be able to do something, but you might be able to figure if someone else can… Once you progress, if you are struggling with privesc techniques on a Linux system, OverTheWire’s “Leviathan” wargame can seriously give you some good ideas here.

Rooted!
Nice box, really nice box.
Foothold: Check all your posts and gain admin, then search for what you can do to gain RCE from the second part (you will know when you find it)
User: read every file
Lateral movement: You can read something. Find what and read them all (or grep/bash fu)
Root: This is easy, now gtfo

@waya said:
Got the foothold, trying to get to a user.
Found a hash but wasn’t able to crack it. Am I missing something else or am I just too bad at cracking ? :slight_smile:

Keep in mind there are always multiple ways to do things, but if you get brick-walled on one particular vector, take a note on it and move onto something else.

Take the advice from others on the thread, enumerate everything!

Hey guys look at the root directory when you are done, HTB have something awesome, for those who don’t know it yet :slight_smile:

@Anonymus said:
Hey guys look at the root directory when you are done, HTB have something awesome, for those who don’t know it yet :slight_smile:

IppSec also has released a video on this :slight_smile:

  • Rooted, a very interesting machine, thanks to the creator. @egre55 @mrb3n

Initial foothold: Not all vulnerabilities are about being a L33T hacker with super long payloads, I’d suggest reading about logical vulnerabilities

User: You got there, Congratulations. Now you should be a good member of your community group and do your role

Root: Spawn dem shells and let those losers GTFO

@Aelarion said:

IppSec also has released a video on this :slight_smile:

Ippsec actually rocks, even if this time his video took my focus away from this box. :smiley:
Thanks @zweeden for pointing me in the right direction.

Also @Aelarion said:

Keep in mind there are always multiple ways to do things, but if you get brick-walled on one particular vector, take a note on it and move onto something else.

I think this is the most useful advice (for me) I ever read here on htb.

Just got a foothold btw.

Rooted !

Straightforward box, that’s nice training for beginners :).
PM if needed !

@DavidWaugh said:

Struggling to make progress. I’ve tried sql injection on the webpages but made no progress. I’ve run nikto and ffuf looking for subdomains. I’m going to try the non webport next

some good recon got me further.

Finally rooted
I was stuck on the root part, thanks to @Zweeden
This box is really fun, good job @egre55 @mrb3n
PM if you want some help

Can someone give me a nudge? I’ve been enumerating for like 2 hours but still nothing.

I’m stuck after getting the admin page and finding the hidden place, any nudges?

Anyone done the initial foothold exploit manually? I’m trying to do it with curl but no luck

Could anyone please PM me a hint for user? I looked at a lot of things, but no luck. Thanks :slight_smile: