Official Laboratory Discussion

Type your comment> @quangvo said:

Hi, Iā€™m stuck at G***** page, can anyone give me any hints to get foothold, user credentials ? >:(

Just enumerate some more on the page. Look for what you can do on the G***** pageā€¦ And if you have access, find that important number to enumerate more information about the G*****

Got stuck in the process, can anyone give me a nudge in the right direction?

  1. Found the G***** page
  2. Started a reverse shell via g*****_***.py
  3. Got a user g++ (added the plus instead of *, cause it changed it to bold)
  4. Found out iā€™m in a c***r (probably dr)
  5. Looked for the manual online for G*****
  6. Found a user d***** with a command, the connection lost again
  7. Started a new reverse shell via g*****_***.py
  8. Tried to follow the instructions to G***** D++s Sy - H++ 2 r+++t **** pd (used the + symbol instead of * because of the markdown bold and italic options)
  9. Did not get any feedback after following the instruction from the official documentation as mentioned in step 8ā€¦

So I was thinking, my reverse shell is not correct, or I am doing something wrong with following the instruction from the official documentation. Or another way is there to break out the freaking thing

I got stuck here, can anyone help me to move forward ?

  1. I got reverse shell with g** user
  2. Found out that I am in a dumb shell (I tried to upgrade it to an interactive shell but havenā€™t had any luck)
  3. g*****-**** console didnā€™t give anything back but Switch to inspect mode

So I was thinking because of the shell I got was a dumb shell so I cannot access to the console ??. And the reverse shell is highly unstable, every time I execute some specific command it always return 502 status code for me.

Is anyone else having constant 502 in the g***** page?

@kyichu said:

Is anyone else having constant 502 in the g***** page?

I think it is fairly common. It has been mentioned loads of times in this thread. The general tip is wait for a bit and if it feels ā€œtooā€ long, report it to HTB.

thanks for this box. This was really interesting and I was struggling in the first attempt with foothold to get user. After I started to review my notes after some days I was clear about the path to move forward :slight_smile: Afterwards I was kicking my ā– ā– ā–  since I was already at 99% before I gave up :wink:

Enumeration is key on this box. Anything else is already there if you use latest Kali. No need to use additional tools, scripts, etc. at all (except one to maybe simplify/automate your enumeration ;-)).

Oof. That was a fun, definitely learnt a few things. Need to go back and understand how the foothold was actually gained though, as I just used something out-of-the-box from msf.

Foothold - As others have said - enumerate lots, check software versions for known vulns, google. I spent a long time staring at that main website because I forgot to do a certain type of enumeration, but fuzzed my way there in the end.

User - Not sure whether I did this the right way, but this took me the longest time by far. Once you have a foothold, try to find out ā€˜where you actually areā€™. Once you understand that, just have a look around. An old enumeration script ended up pointing me in the right (?) direction.

Root - Again, enumerate, youā€™ll find something interesting.

Canā€™t say I had any of the problems with 502ā€™s Iā€™m seeing people talk about though

Can someone please help me ā€¦ ?. I stuck for many days

I got a reverse shell (highly unstable one), but itā€™s just a dumb shell and there is nothing much I can do with that, I have tried several ways to upgrade to a full interactive shell but I have no luck with that. I need help to move forward

Rooted. Fun box but wouldnā€™t it was easy.

Foothold:

  • Nmap and google are your best friends here, get the software version and search for known vuln and eventually you will find the right article
  • You may encounter some dependency issue, if you do use g*****-r**** c****** instead of r**** c******

User:

  • Enumerate, there are some pretty good scripts out there. Read the output carefully. if you canā€™t crack it, you can change it. Donā€™t forget to reset the machine if you choose to change it

Root:

  • More enumeration, there is a very interesting file read what it does and manipulate

Feel free to PM for nudges and to remove if too many spoiler

@quangvo said:

Can someone please help me ā€¦ ?. I stuck for many days

I got a reverse shell (highly unstable one), but itā€™s just a dumb shell and there is nothing much I can do with that, I have tried several ways to upgrade to a full interactive shell but I have no luck with that. I need help to move forward

It kind of depends on what you mean by ā€œdumb shellā€ vs ā€œfull interactive.ā€

If you can issue commands on the filesystem, read folder contents etc., then you have a shell good enough to find the information you need to get a stable shell on the box.

@TazWake The connection is highly unstable (keep getting 502 error), I tried several ways to get a more stable shell but so far no luck ā€¦

Type your comment> @quangvo said:

@TazWake The connection is highly unstable (keep getting 502 error), I tried several ways to get a more stable shell but so far no luck ā€¦

If youā€™ve leveraged the G***** vulnerabilities to obtain a shell, have a think about where you actually are. The ā€œunstableā€ nature of the shell youā€™re talking about is - for me at least - a result of what it is youā€™ve actually landed a shell in.

As TazWake said though, donā€™t worry about trying to improve the quality of the shell, itā€™ll be sufficient. Just work out what youā€™re in and enumerate until you find a way out.

Type your comment> @eMVee said:

Got stuck in the process, can anyone give me a nudge in the right direction?

  1. Found the G***** page
  2. Started a reverse shell via g*****_***.py
  3. Got a user g++ (added the plus instead of *, cause it changed it to bold)
  4. Found out iā€™m in a c***r (probably dr)
  5. Looked for the manual online for G*****
  6. Found a user d***** with a command, the connection lost again
  7. Started a new reverse shell via g*****_***.py
  8. Tried to follow the instructions to G***** D++s Sy - H++ 2 r+++t **** pd (used the + symbol instead of * because of the markdown bold and italic options)
  9. Did not get any feedback after following the instruction from the official documentation as mentioned in step 8ā€¦

So I was thinking, my reverse shell is not correct, or I am doing something wrong with following the instruction from the official documentation. Or another way is there to break out the freaking thing

Please give me nudge, Iā€™m a bit lost in this part

Type your comment> @htbapibot said:

Official discussion thread for Laboratory. Please do not post any spoilers or big hints.

Hi, I have the root ssh private key, id_rsa and autorized_keys. But i just cant get a ssh connection going?! Kinda stuck if anyone could give some advice I would really appreciate it.

i canā€™t do anything!! is there someone tell me how to use this web please

@qqx said:

i canā€™t do anything!! is there someone tell me how to use this web please

I am not sure what it is you are struggling with so I cant really help in the context of this box.

However, if you ā€œcant do anythingā€, then it might be worth looking at one of these two:

This is my first hackthebox :smiley:

I got a reverse shell and have given myself admin in the G***b and found the privkey , but Iā€™m getting
Load key "***": invalid format despite file saying itā€™s OpenSSH private key

Is the privkey a red herring or am I doing something wrong with it? Just looking for a small hint.

EDIT: hmm well I managed to get it to workā€¦ but I have no idea why the step that I did was needed

@synap5e said:

This is my first hackthebox :smiley:

I got a reverse shell and have given myself admin in the G***b and found the privkey , but Iā€™m getting
Load key "***": invalid format despite file saying itā€™s OpenSSH private key

Is the privkey a red herring or am I doing something wrong with it? Just looking for a small hint.

EDIT: hmm well I managed to get it to workā€¦ but I have no idea why the step that I did was needed

Let me guess: You had to add a newline to the end of the file? For some reason, certain ssh clients require the key file to end with an empty line.

@HomeSen said:

Let me guess: You had to add a newline to the end of the file? For some reason, certain ssh clients require the key file to end with an empty line.

I didnā€™t know what the issue was, so I ended up finding a program that would import the key OK and then exported it from that. Newline works though :joy:

Rooted! I was able to gain foothold without spinning up my own thing, I found a R*** module and imported it into a framework and got rce that way. Getting user was new to me - and took me too long before getting it. Root was okay, did a little bit of RE in Ghidra and after that, owning the box was easy.

Initial Foothold

Others are saying they started their own instance of whatā€™s running - I didnā€™t go down this road. I did a bit of research and found an exploit that I could import into a framework and after that, got a shell. Great, on the box.

User

This took me forever when it was right in front of me. Half my problem was I have never heard of this particular tool (look at where you land after getting a shell). Once I got a basic understanding and knew what I could do to someone, I am in as that person. He has a very sensitive file laying about - can you find it? Once you do, you will know what to do in order to get user. Go get your flag!

Root

This was pretty easy for me once I found it. Your off-the-shelf enum scripts should pick this up, but wont stick out with pretty colors. This kind of file is easily exploited if the person isnā€™t careful - you need to be absolutely, not relatively, sure what youā€™re doing when making these. I opened this thing in the NSAs favorite tool and right away found the way in. A little file here, adding it there, and running it and boom, popped root.

I can understand peoples frustrations around the difficulty of the box. From one side, it was beginning to lean on the medium side while at the same time being just within the easy marks.