Official Laser Discussion


Comments

  • edited September 2020

    @Caracal said:

    Don't give up buddy, if you found something answering you are close to the grail.

    Thanks, I won't completely give up - I just needed a break (and passage helped!).

    Yeah, at the moment I can send to the $thing and I can see a different response if I hit the wrong $thing or send the wrong data to it, but I can't seem to get the code to display the content of the response. Tiny bit frustrating but I think I've gone blind to any errors I've made.

    Hopefully, fresh eyes tomorrow (or a day or two) will help.

    EDIT: progress at last!

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • Can someone give me hints to get user? I got a connection back but don't know what to do :|

  • edited September 2020

    Haven't started this machine yet, but looking at first bloods, it took 4min to get user ..
    That must be the first for an Insane level machine..

    Edit; yup just realized that was what everyone talked about on page #1 :P

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • Such an excellent box! really enjoyed it.

    PM for nudges, hints or sanity checks

    ¯\_(ツ)_/¯

  • @acidbat said:

    Edit; yup just realized that was what everyone talked about on page #1 :P

    Yeah - sadly that door got closed...

    I have to admit it took me about 3 days to get user on this box. A mix of a typo I never noticed for a long time, it being really challenging and some things I just needed to learn, made it quite a steep journey.

    I still haven't got round to rooting it - I had a look, couldn't see the easy button then got distracted by work.

    TazWake


  • I just got to read that documentation around g**C, I know nothing about that. Can I reasonably think I'll get somewhere?

    lebutter
    eCPPT | OSCP

  • edited September 2020

    @lebutter said:

    I just got to read that documentation around g**C, I know nothing about that. Can I reasonably think I'll get somewhere?

    Definitely! You're on the right track. I suggest having another read of the Usage section of the decrypted file and then searching for a certain Python module (g*****-****s) that will help you generate some code to use.

    nathantemplar

  • edited September 2020

    Yes, that's what I did yesterday evening, it was easier than I thought. Still no user in sight though lol

    lebutter
    eCPPT | OSCP

  • @lebutter said:

    Yes, that's what I did yesterday evening, it was easier than I thought. Still no user in sight though lol

    Then I'm not sure how much this will help, but if you've defined the service correctly using p******f you're almost there. You just need to write some code to interact with the g**C server. The main components are a channel (for the connection), a stub (to call the specific method) and content to pass to that method; the form the content should be in is hinted at in the document.

    It's difficult to explain without giving too much away, you're welcome to PM me for a bit more of a nudge.

    nathantemplar

  • Thanks amigo, I think I got that to work, I stopped for the day after getting the client/server talk to work, found out the format to use etc... I'll carry on with the next stages tonight, good to know the user flag shouldn't be too far after that!

    lebutter
    eCPPT | OSCP

  • Finally completed it, I think that's my first insane box, what a marathon box, it never ends...

    What's really hard is that at 2 points it requires a bit of guessing, so you may be doing the right thing, it's easy to stop if no positive outcome appears... while you're actually doing the right thing and just missing a bit of random trial and error.

    lebutter
    eCPPT | OSCP

  • Rooted...
    ...but with an enormous load of help from a friend who's definitely way better skilled than me.
    I thought it would have been a good thing to try teaming up in order to learn better.
    I'm not sure that it was a success, because I have not understood all the passages, especially the g**c part, where I got almost totally lost, and I just followed him on the thing.
    Root was different. Here I got a grip on the path almost immediately, but I totally missed the "reflective" part.
    I would like to say that I've learnt a lot, but it's not completely true. I trailed a lot and I still have to understand too many things.

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • This was such a great box! Thanks @MrR3boot & @R4J! User was very long, very fun, but in my comfort zone. Did remind me of travel, which was great, as I also really liked that box!
    Getting root was less involved, but outside my comfort zone, so it took me some time and a helpful nudge from @nathantemplar! Thanks!
    If someone wants a small nudge or a sanity check, feel free to send me a pm!

    ArtemisFY
    OSCP

  • Thanks for the feedback and Good work!

    MrR3boot
    Learn | Hack | Have Fun

  • How is one supposed to proceed with the "blind" part of the journey?

  • My dream to send a picture of my butt to my neighbour's printer will finally come true!

  • edited November 2020

    Ok I need a hint here.

    I've discovered the g*** client and the a***** s*** on p*** 8**3

    I've found the vulnerability with velo**** and someone tipped me to use go**** to perform the POST request on stag*** coll******.

    So I have a Python script sending the g***** request (this one takes so much time...) then the RCE request, and sometimes it works but most of the time it doesn't...

    I think that I'm missing something here and the time it worked was because I've used another user path, but I can't figure out what I've forgotten...

    If someone can DM me to provide some help that would be great :)

    Thanks in advance

  • @kenokeefe said:

    Ok I need a hint here.

    I've discovered the g*** client and the a***** s*** on p*** 8**3

    I've found the vulnerability with velo**** and someone tipped me to use go**** to perform the POST request on stag*** coll******.

    So I have a Python script sending the g***** request (this one takes so much time...) then the RCE request, and sometimes it works but most of the time it doesn't...

    I think that I'm missing something here and the time it worked was because I've used another user path, but I can't figure out what I've forgotten...

    If someone can DM me to provide some help that would be great :)

    Thanks in advance

    You can DM me if you still need help.

  • edited November 2020

    Finally rooted !

    Thank you @ArtemisFY for your help.

    Foothold is very interesting, I've learnt a lot of things but damn I've hated that g***** request...

    Root is kinda straightforward if you know how to look (it's my first reflex when I've got a shell) and have already used s**** in the past.

    My first insane box, kinda proud of myself

  • So, I managed to get some data, and then some more.
    I managed to generate a "definition" and the according code from it. But whenever I try to send out simple stuff, I get back different exception responses from the box (with neither really making any sense). Any chance I could get a sanity check on my definition from someone who already solved it?


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • I have my script, but I am struggling to enumerate things blindly. How are you supposed to move further if you can't see anything you are doing?

  • Past user and on the way to root thanks to some very patient help from @TazWake and @ElVi7MaJoR. This box definitely deserves its Insane rating :)

  • edited December 2020

    User was a nightmare
    If someone is blocked with velo**** on the GET request on stag*** you might need to check that the header has a space as its first character

    Root too was quite a pain and hard to find.

    If someone needs hints, feel free to DM me

  • Rooted. What a great box. Took me a long time from start to finish, but I learned a lot along the way. I really like these multi-step boxes where each thing you unlock leads to the next. Thanks @Xelinion for the advice on the root stage - your encouragement helped a lot.

    Thanks @MrR3boot and @R4J for the box!

  • Wow, not sure how much time I've spent on Laser, time well spent, researching and learning a lot. With more or less effort and pain, I have overcome all steps by myself.
    But now, I'm stuck, I think I'm on the right path... but I'm starting to doubt it.

    I'm able to read the document, I've made a client to call the service through g*** and I get a response from the server.

    I get some errors during my tests that point me ("M**K" and "p****e" referenced in exceptions) towards the possible attack vector.

    I've created some classes trying to get a rev shell after the server unp****e them... but all I can get is a recurrent "Module is disabled" exception... and I'm not able to bypass it and have no clue how to continue... I think I need some help with that. Any nudges?

    Even stuck and without having finished it, Laser is already one of my favourite boxes in HTB. Thanks @MrR3boot and @R4j for this nice work!

    rulzgz

  • @rulzgz said:

    Wow, not sure how much time I've spent on Laser, time well spent, researching and learning a lot. With more or less effort and pain, I have overcome all steps by myself.
    But now, I'm stuck, I think I'm on the right path... but I'm starting to doubt it.

    I'm able to read the document, I've made a client to call the service through g*** and I get a response from the server.

    I get some errors during my tests that point me ("M**K" and "p****e" referenced in exceptions) towards the possible attack vector.

    I've created some classes trying to get a rev shell after the server unp****e them... but all I can get is a recurrent "Module is disabled" exception... and I'm not able to bypass it and have no clue how to continue... I think I need some help with that. Any nudges?

    Even stuck and without having finished it, Laser is already one of my favourite boxes in HTB. Thanks @MrR3boot and @R4j for this nice work!

    Oops, forget it. I found an alternative!

    rulzgz

  • edited December 2020

    I've decrypted the large file, and I'm attempting to generate the appropriate tool for the next part, but I'm getting exceptions from the server. Could someone review my code to let me know if I'm on the right track?

  • This is insane! I'm done, finally, after a very long time

    [email protected]:/# whoami
    root
    [email protected]:/#

    I gained so much knowledge from this box! Thanks @MrR3boot & @R4J! Thumbs up!

  • edited December 2020

    I'm stuck at the same place rulzgz was stuck. Just wondering whether trying to bypass the restrictions of unp****e is a rabbit-hole?

    Without the 'c' (G****L) , I just don't find a way to execute something.

    Edit: Got it! The hints above helped to point the way :)

  • Considering just how hard this box was, it is reassuring that the ippsec walkthrough is nearly two hours long!

    TazWake
