Official Laboratory Discussion

@dragonista said:

I could really use a hint for the root part. My brain might be fried after all I had to go to get there and now I’m clueless lol. I ran several enum scripts, looked in every folders, tried different approaches, nothing’s worked, I really have no idea what I could be missing !

Enumeration is the key and most of the enum scripts should have found the interesting thing. If not a manual find will flag it, as it doesn’t normally appear in Linux. When you find it, examine it, see what it does, hijack it, get root.

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ty.

Type your comment> @davidcp said:

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ty.

As a test if you have noted the name referenced in your nmap scan output, have you tried curl -H 'Host: «name»' 10.10.10.216? (Pardon if obvious but your question read to me as if this might be the stumbling block here.)

@davidcp said:

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ok first - this is not an easy box really. I know it is rated easy but it isn’t.

I strongly suggest you work through the starting point boxes before you move on to this, or even some of the stuff at https://academy.hackthebox.eu/. The reason I suggest this is that you may need some practice on the methodologies and most of the machines in the live category don’t really provide this.

Failing that, look at what output nmap has given you. Go to the places it tells you are open. For example, if it says a web server is running, visit it in a web browser.

If nmap says its using a domain name, add that to your hosts and visit it in a browser.

Finally rooted !

It took me quite some time to get the foothold, but at the end, it was very interesting to reproduce everything on my local machine. I feel like it’s a very good practice for beginners like me and even though the difficulty level is not really “appropriate”, maybe HTB rated it as easy because they want beginners to take/understand that approach of working ???

Anyway, thanks to @0xc45 for the nice box, and also to @Rudex and @Hyp3rDrive for the nudges. I should definitely read everything more carefully !

Feel free to pm if you need a nudge.

Definitely the hardest easy box I’ve done, just down to the amount of effort required to get foothold. Still relatively new here and I worked on this box for easily 12-15 hours over the course of a week (albeit I spent a lot of time writing python to practice my vuln automation). I was so fried by the time I got to root that I was staring directly at the answer for an hour before I called it a night. Woke up the next morning and knew exactly what to do. If you’re struggling at any point, read through this whole thread, all of the answers are here in some form or another.

Some additional advice that I haven’t seen in the thread:

  • Don’t inherently trust POCs, if they don’t work out of the box, then look for another or try and map out what’s happening and write it yourself.
  • Software Versions are important
  • If you’re building a new VM, snapshots are great right before you install anything that you may make a mistake on… Reverting a snapshot is way quicker than reinstalling an OS.

If you want help from a noob, feel free to reach out, I can try help point you in the right direction!

Type your comment> @TazWake said:

@dragonista said:

Man, the 502’s been there for like 45 minutes…

If you have the time, please report this to HTB. Even if they are fairly dismissive (as when I reported it :smile: ), it will give them metrics which highlight the problem.

Funny enough, when i tried to do that, I believe yesterday, the support page was unnaccessible, lol.

I can’t submit the root flag. I tried three times with three different flags and it doesn’t work, so I submitted two tickets, one regarding that 502 issue, and another one for the flag. That’s weird though, I tried three servers, waited a whole night, reseted the machine, but… neh.

Anyway, regarding the machine, now that it’s rooted, thanks to @TazWake who held my hand for the last step (literally, I’m ashamed I missed that lol), I can say that it’s definitely not an easy machine even though the root part is like… one of the first thing you learn in hacking ? x)

There’s plenty of help and hints available for the way up to user, for root I’d only say that maybe it’s been a nightmare for you to get there, but don’t forget difficulty is always relative to your skillzZz, right ?

@TheFlanman91 said:

  • If you’re building a new VM, snapshots are great right before you install anything that you may make a mistake on… Reverting a snapshot is way quicker than reinstalling an OS.

I know right ? I went through the whole installation process three times… :smiley:

@dragonista said:

I can’t submit the root flag. I tried three times with three different flags and it doesn’t work, so I submitted two tickets, one regarding that 502 issue, and another one for the flag. That’s weird though, I tried three servers, waited a whole night, reseted the machine, but… neh.

Thank you for doing this. I know it is a bit tedious but the more people who submit tickets, the more HTB will be able to understand where problems lie.

This machine definitely isn’t easy, took me a few days of attempts before I even got a foothold, and I only really found user because apparently google wanted to be kind to me today. Root was very easy in comparison if you do your basic enums.

I’d say this box is still harder then most of the medium ones. Just remember to not rely too heavily on automated tools. Sometimes you need to do things yourself.

I needed a nudge to get started on this one because my searches didn’t find anything that looked helpful, and I went round and round and round overcomplicating things. Now knowing what the answer is, googling the question is easy, so some advice: Think about what you have found, and what you would like to get. And follow the money.

It this is too spoilerish plz delete.

I’m really curious though as to how people managed to root this box in about two hours. Just the setup needed to get it done is already time consuming, plus the time required to figure out what you gotta do… Do people have 2TB of VM ready to be fired up ? I really feel I’m missing a lot on the enumeration/setup phase.

Type your comment> @TazWake said:

@davidcp said:

Hi guys,

I have seen through this discussion that I need to start by using Nmap because it shows you the first piece of information that is going to help me solve this challenge but, to be honest, I do not know what I am looking for. I see the machine has 3 open ports, I see the version of the services that are running on the machine, I see the methods supported by the webserver, but I do not see anything that can help me get the G page everyone is talking about. Any hint would be really appreciated.

Ok first - this is not an easy box really. I know it is rated easy but it isn’t.

I strongly suggest you work through the starting point boxes before you move on to this, or even some of the stuff at https://academy.hackthebox.eu/. The reason I suggest this is that you may need some practice on the methodologies and most of the machines in the live category don’t really provide this.

Failing that, look at what output nmap has given you. Go to the places it tells you are open. For example, if it says a web server is running, visit it in a web browser.

If nmap says its using a domain name, add that to your hosts and visit it in a browser.

I will follow your suggestion.

Thank you!

Type your comment> @dragonista said:

I’m really curious though as to how people managed to root this box in about two hours. Just the setup needed to get it done is already time consuming, plus the time required to figure out what you gotta do… Do people have 2TB of VM ready to be fired up ? I really feel I’m missing a lot on the enumeration/setup phase.

I imagine at least some people figured out the service just by looking at the name and art of the box. Since the name and art are published a couple of days before the actual box is released it gives time to prepare your environment and get familiar.

Man these easy boxes keep getting harder and harder. I get that the initial foothold is pretty well documented, but it requires a lot of setup and moreover without going into spoilers it can be very specific as to how it runs and works in that environment. This is not a box for a new user. That all being said I think this box is one of my favorites, its well setup, and I love the way we find the initial foothold.

I believe I made some progress here -
I’ve replace the sXXXXX_XXy_XXXe that i got using the exploit with the one in my environment in my dXXXXX-cXXXXXX.yXX
Next, i got into gXXlXX environment shell in order to get the train console,
Once I’ve got their - the versions showing once the console in loaded is Different from the one i set prior to that in the first file I’ve mentioned.

Is that makes any sense ? it seems that the exploit is “working” and that example file
is creating once entering each line of the exploit lines.

If this is somewhat a spoiler please remove, hopefully not.
I’ve could use a guidance in next steps to getting RCE.

thanks

Finally rooted.

It’s clearly a r*** o* r**** lovers box and I’m not very comfortable with r*** so the foothold with the g*****-r**** was kind of a struggle for me.

User : be careful with d***** s** k** one line break is missing at the end and I’ve lot 5 minutes on that…

Root : The root is freely given if you take your time reading the informations you’ve found doing the user part

Finally rooted this one. Definitely not an easy box considering the foothold.

Some hints.

Foothold:
Setup a local env so you know what to fetch. Then if you have the right article you should be able to get a shell

User Shell
After getting shell, see what you can change with current shell.

Root Shell
This shouldn’t be to hard. Your enum script should show something with extra capabilities. See what it does by looking inside it.

If you want any nudges, DM me.
Discord: thatjoe#1201

Connection timed out 90% of the time

Probably because htb is blocked in my country

I have a question, the version in G*** is “Community Edition”, why in the ■■■■ when we set up our environment is with Enterprise Edition !!!