Official Academy Discussion

@routetehpacket said:
I understand the foothold, but is there a way to observe that what I’m modifying is having an effect? just wondering how much trial-and-error I should expect to perform.

have you run gobuster (or any other tool that can brute-force directories/files on a web server)? this might help tremendously :slight_smile:

if you need more specific hints send me a DM.

but please explain what you did so far and what you want to do next (only regarding this machine, of course ;))

Nice box! I spent way too much time looking for the second user, but I learned something new there. The root part took me 5min…

If you’re stuck with the first user like I was, maybe try to take a step back and ask yourself what is the obvious thing that you are looking for (it is an easy machine so…)? And where/when/why could that thing be entered into the system? You know it’s there so, try to filter out your results…

There are specific tools that you can use but the ‘standard tool’ works fine if you apply the right filters.

Please PM if you need a nudge.

Very interesting box, thanks to @egre55 and @mrb3n.

@d4gd4 said:

I’ve become confused about ‘user1’ and ‘user2’. Are people counting www-data as ‘user1’ sometimes? I had been assuming I need to move through 2 users AFTER www-data.

Try not to fixate on the terms and paths other people use, it won't always help you.

There may be multiple paths to get access to the root flag - the only one that matters is the one you can manage it through.

For example, on this box, there are six user accounts which appear to have interactive shells.

I have moved on from www-data to another user, and cannot find any info leading me to the next user. I managed to get some enum scripts

Manual enumeration is often better.

onto the machine despite there being a clear (very small) limit on the size of files I could copy over, and this gave me some ideas on WHERE to look. I simply don’t know what to look for. Some obvious keywords haven’t paid off…

So, first ask yourself what is it you are looking for (and I don't mean “passwords”). Have a think about what activity you want to be doing.

Then think if that activity is audited. It probably is. That means there might be a log of what has been captured by the auditing system.

When you find this, there might be too much data to easily read so now you can narrow it down but, again, think about how it is logged (hint: it doesn't use terms like password)

@TazWake Thanks for the advice, I’ll keep working on this.

Finally ROOTED!!! Shout out to @Oussmak and @reedvaleeve for their help steering me in the right direction. Fun box even though I pulled the few hairs I had left out!!!
Enumerate, enumerate, enumerate!

Got a shell
Let’s see what we got here

Rooted at long last!
There were just some things in there I didn’t know about.
But that’s great because I learned a lot on this box.
Thanks to @TazWake, @xaif7aLe and @R0cK for their help.

good box

Gang, sometimes flags might be under the nose, just pay attention to last symbols :smiley:

rooted the box and learnt a lot of new stuff. the flag submission keeps giving the incorrect flag error tho

I’m stuck on secret L****** error page. Tried gaining reverse shell using a known vulnerability, but no luck. No idea whether I am working in the right direction. Any nudges?

@iampachinko said:

rooted the box and learnt a lot of new stuff. the flag submission keeps giving the incorrect flag error tho

same, if you fix this can u tell me how u did?

@iampachinko said:

rooted the box and learnt a lot of new stuff. the flag submission keeps giving the incorrect flag error tho

@TeRMaN said:

@iampachinko said:

rooted the box and learnt a lot of new stuff. the flag submission keeps giving the incorrect flag error tho

same, if you fix this can u tell me how u did?

This comes up on every thread about once a week (mostly Mondays). HTB uses dynamic hashes and sometimes they don't work. The hashes should change after every reset and be different on different VPNs - this means that hashes should be used as soon as you get them and that sometimes the process which registers the new hash in the scoring server will break.

If it is a box that is being hit with resets, it becomes imperative that the hash is used immediately as a reset will render it invalid.

Your choices are really:

  • Wait a while, repwn the box and get a working hash.
  • Report it to HTB via a jira ticket and get them to fix the problem.

This isn’t something that can be fixed by the forum or by tips from other users.

This was persisting through resets, with US, EU, and free servers, etc. Flag is always the same. I am filing a ticket now.

@svenkali said:

This was persisting through resets, with US, EU, and free servers, etc. Flag is always the same. I am filing a ticket now.

@iampachinko, @TeRMaN, Support seems to have fixed it already.

Finally rooted the box. It was a fun easy box.
You just need to look very carefully for what you want and it will be right there.

PM if you need help

@saulgoodmn said:

Anyone do the user part manually?

Anyone get user manually instead of using msf*******? Please PM me if you did. Just IMHO, I would say this is not OSCP like. I rooted and did a personal write up on every box in the public network during my lab time. The OSCP boxes are more like “find the exploit”, enumerate, create your payload, find root vector, own box. I've only seen this method in the training .pdf in the 2020 version.

So I owned this machine and got root a few days back, but since then how I got in no longer works (was going back over my notes). Was how I got in a bug? (Using d**h) If so could someone share the intentional way of getting into this box as I can’t work it out?

You can check my HTB profile for proof: Login :: Hack The Box :: Penetration Testing Labs