Official Breadcrumbs Discussion

Official discussion thread for Breadcrumbs. Please do not post any spoilers or big hints.


Comments

  • Good luck guys

  • Nice box so far.
    I found the vulnerability and read the password, but it didn't work with any user.
    I think I need to re-enumerate again to find my way in.
    Will resume tomorrow

  • Can I have a hint for foothold, or a hint towards foothold? I used B... to view stuff and then went to the directory and found the ...ks

  • edited February 21

    This last step to root is really making me scratch my head. The rest of the box before this was so interesting and cool, but this last part sucks. Does anyone have a nudge? I see the "hint file" and I understand how everything is working, but I'm missing some piece that must be hinted at in this "hint file" but I'm not picking up on it.

    Any hints?

    EDIT: Wow. That was kinda dumb. But I got there in the end; too much overthinking and too deep down rabbit holes.

    Some small nudges:

    User: Evaluate the full functionality of the web application from top to bottom. Play with requests, see if you can get it to reveal some information it shouldn't. Then use that information to evaluate the web server much more "completely". Lots of steps on this one, so stay tenacious and make sure you understand everything that the server is doing!

    Root: Again, many steps. Follow the "breadcrumbs" that have been left for you in obvious places. Gather creds, then find other services you couldn't access before. There may be a "map" on your machine that will give you the path to some more credentials. Then this is the tricky part: just try a bunch of different "modes" and see what sticks.

    DM me if you need nudges!

  • Good box up until the end.... There are a couple rabbit holes here and there. If you find the breadcrumbs stick to it. Nothing really new that you haven't seen before on other boxes.

    godylocks

    If you like my advice, please give me some respect! Thanks!
    Message me on discord: godylocks#5721

  • edited February 23

    EDIT: Got a shell, still no user flag... gonna try 'n automate the initial process because of the fragment I found on the server, already got a new user but still puzzled, don't wanna go through each and any rabbit hole again with the new intel...

  • Fun box, thanks @helich0pper

    jamesa

  • Very nice box, I've only got user but this is a marathon so I'll pause a bit here.

    To me this is a very good OSCP/OSWE box, there's nothing too crazy but it's a very nice check of all the basics all chained together.

    lebutter
    eCPPT | OSCP

  • @lebutter said:
    > Very nice box, I've only got user but this is a marathon so I'll pause a bit here.
    >
    > To me this is a very good OSCP/OSWE box, there's nothing too crazy but it's a very nice check of all the basics all chained together.

    Agreed & still puzzled how some guys & girls can do it in under 1h, wish I could learn that. Maybe in 10 years lol HAHA

  • I managed to get some creds using the vulnerability and the requests, but those creds didn't work on the website, any hints?

  • Wow, in case there are others out there like me where the basic initial enumeration of one of the most common ports on almost all the boxes isn't there, reset the box. Don't be like me and spend hours and hours working on the wrong stuff. Just reset and try again. Also, if someone disabled that service once they rooted, just why? Thank you for wasting a day and a half of my life lol.. you win I guess.

  • Working on root now. I'm having a bad time with 1234. Rabbit hole?

  • Got User with 0 hints, it feels amazing. This is the best box ever hall-of-fame never take it down AAA+++

  • I may have found an unintended route to root :D :D

  • edited February 24

    Hi everyone. I started this box 2 days ago and found user without hints which felt very good :blush:
    I am now stuck on root (I found the same thing as @tacoLlama but can't find anything on it). Any hints on root?
    EDIT: found root. You just need to enumerate to correct files/folder :)

  • Has anyone been able to tackle the 1234 issue manually? There are "forbidden" automation tools that can do it, but I am interested in how to do it manually.

  • Rooted!

    What a fantastic box, each step is pretty realistic. Thanks to @helich0pper for this one :).

    PM if needed

  • @Meise said:
    > I managed to get some creds using the vulnerability and the requests, but those creds didn't work on the website, any hints?

    I found other files but still have no luck. If someone can PM me I would really appreciate that.

  • Very fun box with basically no guessing needed, all the “Breadcrumbs” are there :)

  • jw0jw0
    edited February 28

    Challenging box, nothing really exceptionally special but a bunch of rabbit holes and misdirections. It was good fun and very aptly named.

    User: Just follow the breadcrumbs. Yes you need to pretend.

    Root: Once you've found the K, reverse and see what's important. Check what's been recent for A as J. Tunnel and map

  • edited March 1

    So far so good. I got lost on make*******() since I don't really know about that and don't have that bit. I can look at the things, decode them, and seemingly should be able to make a new one.

    :dizzy:

    Nevermind, rubber ducky debugging strikes again. I found the file I was missing, which was clear as day on initial enum.

  • Nice box. I've rooted it. Thanks @helich0pper. PM me for hints.

  • Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • @acidbat said:
    > Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

    Find the answer to your question?

  • @htbprctc334 said:
    > @acidbat said:
    > > Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?
    >
    > Find the answer to your question?

    Not yet - could be a rabbit or something I haven't figured out yet :P

  • This was an awesome box! Everything you need is right in front of you, though you may need to dig deeper.

    I did have an issue with one of the services. For some reason, it was returning an error, but after a reset, the problem was fixed.

    If you need a hint feel free to PM me.

    Really great box @helich0pper!

  • @acidbat said:
    > @htbprctc334 said:
    > > @acidbat said:
    > > > Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?
    > >
    > > Find the answer to your question?
    >
    > Not yet - could be a rabbit or something I haven't figured out yet :P

    rabbit it is

  • edited March 4

    @acidbat said:
    > Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?

    I just added it for a more immersive experience:)

  • @helich0pper said:
    > @acidbat said:
    > > Do I need to bypass the IP Address Ban message that I see on the page or is it a rabbit hole?
    >
    > I just added it for a more immersive experience:)

    Cheeky :D - Nice work :)

  • edited March 4

    Just a tip so people don't lose a few hours like me: when it's time to "pretend", during the initial foothold phase, you might have to reset the box to make it work. Someone might have done something that makes it impossible for you to pretend to be your target.
    Might be a bit cryptic but I don't want to spoil.
