Official Laboratory Discussion

@TazWake said:
@cmoon said:

I had to resort to changing servers over and over again until I found one that had a working webpage.

Possibly too late to be helpful now, but I really think its better if people report things like this via a jira ticket.

If you have to change servers, then it implies something on the original server is broken and it isn’t being fixed by a reset. It frustrates me that it is becoming more and more common but HTB wont ever become aware of it unless people tell them.

Probably should have on this one but I figured I was just too impatient. Definitely done that before

Just rooted it. Definitely shouldn’t be rated easy. Feel free to pm me for a hint but make sure you’re prepared to tell me what you’ve tried.

Yeah this was a very nice box! Took a lot of effort to get everything right. I agree not easy… for now… I had some insights that it will become quite easy in the near future.

Though if you want to learn keep doing it in this difficult intended way! Thanks and kudos to the creator!

If anyone of able to give a nudge on how to get the reverse shell, payloads don’t seem to be working

nvm rooted

i have user and im trying to send dr-s**y to my attacker machine, and nothing is working. I tried scp, wget, and curl.

@krisp33 said:

i have user and im trying to send dr-s**y to my attacker machine, and nothing is working. I tried scp, wget, and curl.

When you can’t send it, try to rather pull it :wink:

@krisp33 said:

i have user and im trying to send dr-s**y to my attacker machine, and nothing is working. I tried scp, wget, and curl.

In addition to @HomeSen’s excellent (as always) advice, you might consider if you really need to copy it to your local machine. As far as I can remember, you can find all you need on the box.

Spoiler Removed

Man, the 502’s been there for like 45 minutes…
Thanks to @Hyp3rDrive for his guidance about running d****r I got a user shell last night and wanted to keep working on the box this morning but eh… Another time.
Great box so far though, a lot harder than anything I’ve done before, which kinda feels good actually :slight_smile:

@dragonista said:

Man, the 502’s been there for like 45 minutes…

If you have the time, please report this to HTB. Even if they are fairly dismissive (as when I reported it :smile: ), it will give them metrics which highlight the problem.

Type your comment> @dragonista said:

Man, the 502’s been there for like 45 minutes…
Thanks to @Hyp3rDrive for his guidance about running d****r I got a user shell last night and wanted to keep working on the box this morning but eh… Another time.
Great box so far though, a lot harder than anything I’ve done before, which kinda feels good actually :slight_smile:

Switching servers solved the problem for me :slight_smile:

I got a reverse shell with user “git” in a doc*** cont*** apparently. That is the correct way? after that, how i get root access into doc*** cont*** or to host? (Sorry for my english, I’m argentinian). Thanks.

I could really use a hint for the root part. My brain might be fried after all I had to go to get there and now I’m clueless lol. I ran several enum scripts, looked in every folders, tried different approaches, nothing’s worked, I really have no idea what I could be missing !

@dragonista said:

I could really use a hint for the root part. My brain might be fried after all I had to go to get there and now I’m clueless lol. I ran several enum scripts, looked in every folders, tried different approaches, nothing’s worked, I really have no idea what I could be missing !

Enumeration is the key and most of the enum scripts should have found the interesting thing. If not a manual find will flag it, as it doesn’t normally appear in Linux. When you find it, examine it, see what it does, hijack it, get root.

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ty.

Type your comment> @davidcp said:

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ty.

As a test if you have noted the name referenced in your nmap scan output, have you tried curl -H 'Host: «name»' 10.10.10.216? (Pardon if obvious but your question read to me as if this might be the stumbling block here.)

@davidcp said:

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ok first - this is not an easy box really. I know it is rated easy but it isn’t.

I strongly suggest you work through the starting point boxes before you move on to this, or even some of the stuff at https://academy.hackthebox.eu/. The reason I suggest this is that you may need some practice on the methodologies and most of the machines in the live category don’t really provide this.

Failing that, look at what output nmap has given you. Go to the places it tells you are open. For example, if it says a web server is running, visit it in a web browser.

If nmap says its using a domain name, add that to your hosts and visit it in a browser.

Finally rooted !

It took me quite some time to get the foothold, but at the end, it was very interesting to reproduce everything on my local machine. I feel like it’s a very good practice for beginners like me and even though the difficulty level is not really “appropriate”, maybe HTB rated it as easy because they want beginners to take/understand that approach of working ???

Anyway, thanks to @0xc45 for the nice box, and also to @Rudex and @Hyp3rDrive for the nudges. I should definitely read everything more carefully !

Feel free to pm if you need a nudge.

Definitely the hardest easy box I’ve done, just down to the amount of effort required to get foothold. Still relatively new here and I worked on this box for easily 12-15 hours over the course of a week (albeit I spent a lot of time writing python to practice my vuln automation). I was so fried by the time I got to root that I was staring directly at the answer for an hour before I called it a night. Woke up the next morning and knew exactly what to do. If you’re struggling at any point, read through this whole thread, all of the answers are here in some form or another.

Some additional advice that I haven’t seen in the thread:

  • Don’t inherently trust POCs, if they don’t work out of the box, then look for another or try and map out what’s happening and write it yourself.
  • Software Versions are important
  • If you’re building a new VM, snapshots are great right before you install anything that you may make a mistake on… Reverting a snapshot is way quicker than reinstalling an OS.

If you want help from a noob, feel free to reach out, I can try help point you in the right direction!

Type your comment> @TazWake said:

@dragonista said:

Man, the 502’s been there for like 45 minutes…

If you have the time, please report this to HTB. Even if they are fairly dismissive (as when I reported it :smile: ), it will give them metrics which highlight the problem.

Funny enough, when i tried to do that, I believe yesterday, the support page was unnaccessible, lol.

I can’t submit the root flag. I tried three times with three different flags and it doesn’t work, so I submitted two tickets, one regarding that 502 issue, and another one for the flag. That’s weird though, I tried three servers, waited a whole night, reseted the machine, but… neh.

Anyway, regarding the machine, now that it’s rooted, thanks to @TazWake who held my hand for the last step (literally, I’m ashamed I missed that lol), I can say that it’s definitely not an easy machine even though the root part is like… one of the first thing you learn in hacking ? x)

There’s plenty of help and hints available for the way up to user, for root I’d only say that maybe it’s been a nightmare for you to get there, but don’t forget difficulty is always relative to your skillzZz, right ?

@TheFlanman91 said:

  • If you’re building a new VM, snapshots are great right before you install anything that you may make a mistake on… Reverting a snapshot is way quicker than reinstalling an OS.

I know right ? I went through the whole installation process three times… :smiley: