Official Sink Discussion

Type your comment> @kichung said:

Is the foothold related to modifying request? The not* help me to debug it, but I can not figure how to leverage this attack technique to be something usefull.

NVM, got the way in.

This is an incredible box, with a believable, modern devops setup and interesting exploitable mistakes.

rooted box. for everyone still stuck, there are two exploits with Hxxxxxx, one of them is the entry, once you are in, you will need to read code to find the next step.

Awesome box ! I had been waiting for quite some time to see the initial vuln here. I really had lots of fun, except maybe on the second part because I was too focused on something so I forgot an important part of what had to be done.
The very last part had me very confused for a while. I’m happy though because it didn’t take too much time for me to realize what was going on.
Thanks a lot @MrR3boot !

Hi everybody, can i write to someone for further explanation about the H****** exploitation?

rooted. what a fun box - thanks @MrR3boot!

PM if you need a nudge.

Has something changed ? I wanted to do the box again to try something different and I cannot reproduce the foothold. I know some cookies have been removed but it seems like the vuln I exploited perfectly a few weeks ago just isn’t there anymore. I mean, I had saved the request, so I copied and pasted it, changed the cookies, and nothing happens.

I am stuck. I found the s****** documentation. I dont know how to find the access token. I would really appreciate if someone can DM me with right nudges :expressionless:

Hi all! :smile: Would anybody who has done foothold already be willing to confirm whether or not the box is still working as intended?

I’ve tried quite a number of different requests, and have also received a nudge confirming that what I’ve been doing is more-or-less the right way, but sadly no luck so far.

The previous comment from @dragonista makes me think there might be an issue with the first step at the moment, but I can’t be sure as I haven’t yet made it past that point. :smile:

Edit: All good! The machine seems to be working correctly. :smile: I was doing something wrong.

find a link to understand how to create correct c***** to exploit the h*** r****** s******** is not easy.

Rooted! I’m a newbie in HTB so this was my first challenge to insane box. I was a bit worried about whether I could beat this box in my own way but managed to do that. I learned a lot of things especially about how to use *** and *** (because I’m not an IT engineer) in the middle part and late part. The hardest for me was the vary late cause the system gave me an output which was not expected for me.

Foothold: Everyone already have a hint from n*m* of this box. Even without that, you can easily detect a vulnerability on this box by googling.
User: Nothing to say
Root: You may need to fight with some docs If you are not familiar with *** like I was so. In the very late, if you can be a strong witch, the goal is in front of your eyes.

thanks @MrR3boot!!

I’m stuck at the foothold can anyone give a nudge plz…

@Spectra199 Look at burp and figure out what response you’re getting. The response and the nmap scan result combined should get you a exploit CVE idea online.

oh finally!
this is my first Insane… and yes it was hard box
finally got the user after hard work.
Foothold: some times server responds with unexpected behavior…and there will be your golden fish!
User: it’s real-lfie target search in every thing!
pm me for nudges!
thanks @ghostin8 for your help!
and @MrR3boot for this great box… keep it up! :wink:

Struggling to get the ha**** r****** s******** to work. I’d appreciate a nudge to help me identify where im going wrong…

Type your comment> @dragonista said:

Has something changed ? I wanted to do the box again to try something different and I cannot reproduce the foothold. I know some cookies have been removed but it seems like the vuln I exploited perfectly a few weeks ago just isn’t there anymore. I mean, I had saved the request, so I copied and pasted it, changed the cookies, and nothing happens.

Oopsie, it wasn’t working so I put it aside and forgot about that box. I did it again just now and everything was fine. Not sure what happened as I just copied and pasted stuff from my notes. Sorry if some of you got confused !

i can’t ssh to the box idk whats wrong with it, ssh isn’t suppose to work ??

USER PWNED!!! Thanks @KRyptonZ for hints! PM me if you need nudge for user!
Now and f!ck!ng root pwned with my brain! Thanks for good machine @MrR3boot :3

When I try to get from the c*****, it doesn’t always work, like 1 in 10. but it works from the n***. Also, when putting the payload together, my own text never shows up neither in the c****** or in the n***. Anyone knows the reason? Thanks!

Finally rooted! My first insane box that I solved used the intended method! (Got lucky on Anubis when it first dropped). The foothold was honestly one of the most confusing parts, not super familiar with s**gli*g. Actually being on the machine I couldn’t really find anything from enumeration scripts, but the source code of the repo tipped me off to a new command to learn and use! Lot’s of good stuff in there to take us to root! Great box, I had a lot of fun! Happy to help nudge others if needed, just PM me!

1 Like