Official Passage Discussion

Rooted. Found the clue on how to get to root on here, no idea how else you are supposed to find it. Guess i’ll wait for ippsec’s walkthrough on this box to find out the proper enumeration method, lol.

Man, I feel so dumb. I was so preoccupied with getting root I didn’t even consider that I need to privesc again first. I hope that isn’t spoilers but I feel like a nimrod.

Rooted!!!

Easiest box I solved in a while but its not about how hard or easy the box is, this box will definitely teach why manual enumeration is better than automated post enumeration scripts. User1 to User3 was easy journey if you do not rely on automated scripts.

User1: Straightforward just look what you see first when starting a box
User2: This needs a bit of exploration in your new home from User1
User3: Well automated tools doesn’t help have a keen look at your new home, if you see something configured weirdly its probably can help you escalate
Root: Again needs keen look (manually), this needed quite a bit of searching but when you find the right ref everything else just lies apart.

And lastly whatever you have learnt from this box make a habit to look in similar ways for other boxes too

Rooted. Fun box, That end bit was new to me.
Thanks!

I am stuck on root stage. Can anyone help me? I found ib*s but I am not sure, is it true way?

any help?! … i’m stuck with the last part of rooting … i got this error “Permission denied (publickey)”

@Wh1rlw1nd said:

any help?! … i’m stuck with the last part of rooting … i got this error “Permission denied (publickey)”

That implies you dont have the right key to SSH in. If you get other messages as well, then it could be as simple as the key doesn’t have the right permissions so isn’t being used.

A little confused here, got foothold and now www shell. I have found the hash for the 2 users and got the a1 password for p. I’m stuck at this point, not too sure how to proceed. I know p needs a publickey for ssh based on ssh failed results and config file.

@OmegaGator said:

A little confused here, got foothold and now www shell. I have found the hash for the 2 users and got the a1 password for p. I’m stuck at this point, not too sure how to proceed. I know p needs a publickey for ssh based on ssh failed results and config file.

Have you tried switching user?

I keep getting errors when submitting flags

@framik said:

I keep getting errors when submitting flags

This is a common issue. HTB uses dynamic hashes and sometimes they don’t work. The hashes should change after every reset and be different on different VPNs - this means that hashes should be used as soon as you get them and that sometimes the process which registers the new hash in the scoring server will break.

If it is a box that is being hit with resets, it becomes imperative that the hash is used immediately as a reset will render it invalid.

Your choices are really:

  • Wait a while, repwn the box and get a working a hash.
  • Report it to HTB via a jira ticket and get them to fix the problem.

This isn’t something that can be fixed by the forum or by tips from other users.

Yup yup. Just wanted to make it know. I reset the box multiple times. Stopped it and started it. just coudlnt get it change.

If I found a file that contains some lines of strings that look to contain some of the same parts (encrypted strings), should I try to investigate these or am I going down a rabbit hole?

Just rooted. Pretty fun box, and well rated for its difficulty. Learned something new about certain transport mechanisms. Major props to @ChefByzen for making this one.

Hints:
foothold: basic web enumeration and google, you don’t need to fuzz the webpage or brute force a log in
user1: search around and remember you may not be able to read things as they are
user2: sometimes sharing things at home can be dangerous
root: enumeration and google is all I can really say. You can find something close by which can point you in the direction you need to go

My pms are open if anyone needs a nudge, but Im not sure how often Ill be able to check

When I have the recipe to create a file as r***, how do I use it to go forward? My mind is completely stuck here…

Never mind. Rooted :smile:

whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
passage

Rooted! Great and nice box! Thanks @ChefByzen

From a technical point of view, I think this box is really good and @ChefByzen did a great job here.

However, for me the root part seems like you either find it yourself or you don’t. I think it’s hard to miss and I would not have made it without a hint.

Some nudges here are really helpful: I would add that you do not need to dive very deep into the place where you are supposed to stay according to the nudges.
It’s more of a subtle thing you will find which leads you to root (most probably) after you google it.

I think there is no shame in asking for a hint here.

I can’t get root, looks like something is wrong.

@mehulsharky007 said:

I can’t get root, looks like something is wrong.

I mean to say that there is no b c**** s****** running.