Official Laboratory Discussion


Comments

  • @quangvo said:

    Can someone please help me? I've been stuck for many days.

    I got a reverse shell (a highly unstable one), but it's just a dumb shell and there is not much I can do with it. I have tried several ways to upgrade to a full interactive shell but have had no luck with that. I need help to move forward.

    It kind of depends on what you mean by "dumb shell" vs "full interactive."

    If you can issue commands on the filesystem, read folder contents etc., then you have a shell good enough to find the information you need to get a stable shell on the box.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake The connection is highly unstable (I keep getting 502 errors). I tried several ways to get a more stable shell but so far no luck ...

  • edited March 15

    @quangvo said:

    @TazWake The connection is highly unstable (I keep getting 502 errors). I tried several ways to get a more stable shell but so far no luck ...

    If you've leveraged the G***** vulnerabilities to obtain a shell, have a think about where you actually are. The "unstable" nature of the shell you're talking about is - for me at least - a result of what it is you've actually landed a shell in.

    As TazWake said though, don't worry about trying to improve the quality of the shell, it'll be sufficient. Just work out what you're in and enumerate until you find a way out.

  • @eMVee said:

    Got stuck in the process, can anyone give me a nudge in the right direction?

    1) Found the G***** page
    2) Started a reverse shell via g********.py
    3) Got a user g++ (added the plus instead of *, cause it changed it to bold)
    4) Found out I'm in a c*******r (probably d****r)
    5) Looked for the manual online for G*****
    6) Found a user d***** with a command, the connection lost again
    7) Started a new reverse shell via g********.py
    8) Tried to follow the instructions to G***** D++s S******y - H++ 2 r+++t **** p******d (used the + symbol instead of * because of the markdown bold and italic options)
    9) Did not get any feedback after following the instruction from the official documentation as mentioned in step 8...

    So I was thinking, either my reverse shell is not correct, or I am doing something wrong when following the instructions from the official documentation. Or there is another way to break out of the freaking thing.

    Please give me a nudge, I'm a bit lost in this part.

  • @htbapibot said:

    Official discussion thread for Laboratory. Please do not post any spoilers or big hints.

    Hi, I have the root ssh private key, id_rsa and authorized_keys. But I just can't get an ssh connection going?! Kinda stuck; if anyone could give some advice I would really appreciate it.

  • I can't do anything!! Is there someone who can tell me how to use this web, please?

  • @qqx said:

    I can't do anything!! Is there someone who can tell me how to use this web, please?

    I am not sure what it is you are struggling with so I can't really help in the context of this box.

    However, if you "can't do anything", then it might be worth looking at one of these two:

    https://academy.hackthebox.eu/module/details/77
    https://www.hackthebox.eu/home/start

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited March 20

    This is my first hackthebox :D

    I got a reverse shell and have given myself admin in the G***b and found the privkey, but I'm getting
    Load key "***": invalid format despite the file saying it's an OpenSSH private key

    Is the privkey a red herring or am I doing something wrong with it? Just looking for a small hint.

    EDIT: hmm well I managed to get it to work... but I have no idea why the step that I did was needed

  • @synap5e said:

    This is my first hackthebox :D

    I got a reverse shell and have given myself admin in the G***b and found the privkey, but I'm getting
    Load key "***": invalid format despite the file saying it's an OpenSSH private key

    Is the privkey a red herring or am I doing something wrong with it? Just looking for a small hint.

    EDIT: hmm well I managed to get it to work... but I have no idea why the step that I did was needed

    Let me guess: You had to add a newline to the end of the file? For some reason, certain ssh clients require the key file to end with an empty line.

    Hack The Box
    GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.
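    The trailing-newline point HomeSen makes above is a real OpenSSH behaviour: the parser for the OpenSSH key format expects the `-----END ... -----` marker line to be newline-terminated, and a file saved with Windows CRLF line endings fails the same marker comparison, so both show up as "invalid format". The small checker below is an added example (not code from the thread or from HTB) that diagnoses those two problems plus the separate "permissions too open" refusal, and normalises the file in place. The sample key body is constructed and is not a real key.

```python
"""Diagnose why ssh rejects a private key file with "invalid format".

Added example for this thread. Checks the three usual causes:
  * CRLF line endings (file edited or pasted on Windows)
  * missing newline after the END marker line
  * file mode readable by group/others (ssh refuses with "permissions too open")
"""
import os
import stat
import tempfile
from pathlib import Path

BEGIN_MARKER = b"-----BEGIN "
END_MARKER = b"-----END "

# Constructed sample: CRLF endings and no trailing newline. Not a real key.
BROKEN_SAMPLE = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----\r\n"
    b"b3BlbnNzaC1rZXktdjEAAAAAAAAAAAAAAAA=\r\n"
    b"-----END OPENSSH PRIVATE KEY-----"
)


def diagnose_key(data: bytes) -> list:
    """Return a list of problems found in the raw key bytes (empty = looks fine)."""
    issues = []
    if b"\r\n" in data:
        issues.append("crlf")
    if not data.endswith(b"\n"):
        issues.append("no-trailing-newline")
    lines = data.replace(b"\r\n", b"\n").strip(b"\n").split(b"\n")
    if not lines[0].startswith(BEGIN_MARKER):
        issues.append("missing-begin-marker")
    if not lines[-1].startswith(END_MARKER):
        issues.append("missing-end-marker")
    return issues


def normalize_key(data: bytes) -> bytes:
    """Convert CRLF/CR to LF and guarantee exactly one trailing newline."""
    fixed = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return fixed.rstrip(b"\n") + b"\n"


def fix_key_file(path) -> list:
    """Diagnose a key file on disk, rewrite it normalised and chmod 600 if needed.

    Returns the list of issues that were present before fixing.
    """
    p = Path(path)
    data = p.read_bytes()
    issues = diagnose_key(data)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:  # any group/other bit set -> ssh refuses the key
        issues.append("permissions-too-open")
    if issues:
        p.write_bytes(normalize_key(data))
        os.chmod(p, 0o600)
    return issues


if __name__ == "__main__":
    # Demo against a temporary copy of the constructed sample.
    with tempfile.TemporaryDirectory() as d:
        key_path = Path(d) / "id_rsa"
        key_path.write_bytes(BROKEN_SAMPLE)
        os.chmod(key_path, 0o644)
        print("before:", fix_key_file(key_path))   # before: ['crlf', 'no-trailing-newline', 'permissions-too-open']
        print("after: ", fix_key_file(key_path))   # after:  []
```

    Run it as `python check_key.py` to see the before/after on the constructed sample, or call `fix_key_file("path/to/key")` on a real file you are debugging; `diagnose_key` alone is read-only if you only want the reason without modifying anything.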

  • @HomeSen said:

    Let me guess: You had to add a newline to the end of the file? For some reason, certain ssh clients require the key file to end with an empty line.

    I didn't know what the issue was, so I ended up finding a program that would import the key OK and then exported it from that. Newline works though :joy:

  • Rooted! I was able to gain foothold without spinning up my own thing, I found a R*** module and imported it into a framework and got rce that way. Getting user was new to me - and took me too long before getting it. Root was okay, did a little bit of RE in Ghidra and after that, owning the box was easy.

    Initial Foothold

    Others are saying they started their own instance of what's running - I didn't go down this road. I did a bit of research and found an exploit that I could import into a framework and after that, got a shell. Great, on the box.

    User

    This took me forever when it was right in front of me. Half my problem was that I had never heard of this particular tool (look at where you land after getting a shell). Once I got a basic understanding and knew what I could do to someone, I was in as that person. He has a very sensitive file lying about - can you find it? Once you do, you will know what to do in order to get user. Go get your flag!

    Root

    This was pretty easy for me once I found it. Your off-the-shelf enum scripts should pick this up, but it won't stick out with pretty colors. This kind of file is easily exploited if the person isn't careful - you need to be absolutely, not relatively, sure what you're doing when making these. I opened this thing in the NSA's favorite tool and right away found the way in. A little file here, adding it there, and running it and boom, popped root.

    I can understand people's frustrations around the difficulty of the box. From one side, it was beginning to lean on the medium side while at the same time being just within the easy marks.

    I am always open to helping; however, please ensure you explain what you have tried first before asking for hints!
    Also, reps go a long way!

    Certifications: ITIL, eJPT, eCPPT (In Progress)

  • I am stuck at the reverse shell. I got a shell but it is not interactive and doesn't give me any output. Can anyone help me?

  • @Sph00b said:

    Must I bruteforce that certain page or is there a smarter way?

    No, don't brute force, otherwise it will block you. Try the easy method and search for vulnerabilities.

  • @loveleshgangil said:
    @Sph00b said:

    Must I bruteforce that certain page or is there a smarter way?

    No, don't brute force, otherwise it will block you. Try the easy method and search for vulnerabilities.

    Try to get inside in an easy way.... Sign up

  • @sa74n said:

    I am stuck at the reverse shell. I got a shell but it is not interactive and doesn't give me any output. Can anyone help me?

    Use metasploit

  • I am not able to register a user with G******. I'm using the correct domain extension with the email, however.....I get an actual 422 error. I have reset the box numerous times now.

  • @CodeGhost said:

    I am not able to register a user with G******. I'm using the correct domain extension with the email, however.....I get an actual 422 error. I have reset the box numerous times now.

    I don't remember having this issue but I do remember it took a long time for all the services to spin up, waiting 5-10 minutes after a reset.

    In general, on HTB if one reset doesn't solve it, there is a good chance resetting the box will never solve it. Repeated resets, especially on a box with slow services, just make the problem worse.

    If two resets don't solve the problem then consider one of the following:

    • Your approach is incorrect and you need to rethink it
    • You need to raise a helpdesk ticket (which can take 24+ hours to resolve)

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • MY GOD, all those 502, 422 and 429 errors made this machine 10 times harder than it should have been.

    Because I was getting a strange 422 error when I attempted to register a user, I went down a rabbit hole, with no cool drugs to make the trip worthwhile, only my ever-increasing rage and frustration to help me power through.

    I tried to brute force a user and that, of course, got me banned :/
    After that I went on a graphql sightseeing trip, only to find out that I just needed to register regularly half a day later …

    I thought that I was going to lose my mind with this machine, but then I found a french-omelette-cheese-recipe in the damn Gitlab and I knew that it had already happened.

    Cherry on top, another user put the same root payload in the same place as mine at the right time to mind f*ck me one last time.

    Ahhh this is going to leave a mental scar; I’ll probably get an eye twitch every time I see a Gitlab from now on.

    Anyway, jokes aside, I got root. PM if you need help. The tips here helped me a lot.

  • Why is gobuster not scanning this website?

  • edited April 3

    Good box, I definitely went down some bad rabbit holes from the get go. Took me far too long to go from foot to user; I even saw what I was supposed to do early on but got sidetracked. However, I'm stuck on the user->root. It's one of those obvious things... but I just can't see it for the life of me. PMs appreciated if anyone has any tips.

    Edit:
    I'm a moron I just got it.

  • Many of you are talking about deploying a similar environment locally, but I managed to obtain a reverse shell and ended up in a d***** c******** as user g** without doing so. There was no flag, so my next step is to find a way out of the c********. Is it a rabbit hole, or has someone managed to do the same and obtain root access?

  • Been reading through comments about a G**** page...but for whatever reason I cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

    The directories I am finding don't seem to have anything that I recognize, or they're full of media items that I used a secret dinosaur program to try and find hidden files in, but that also has not helped.

    Can I get a nudge in which direction to start looking?

    ps I also looked at the service version of the webpage on google but exploits don't seem to work with ms. F

    I am at a loss and wonder if this is one of those boxes involving something I have never heard of.

  • @ninja92001 said:

    Been reading through comments about a G**** page...but for whatever reason I cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

    The directories I am finding don't seem to have anything that I recognize, or they're full of media items that I used a secret dinosaur program to try and find hidden files in, but that also has not helped.

    Can I get a nudge in which direction to start looking?

    Double check your nmap output. If it isn't there, try running nmap with the -sC -sV options.

    Alternatively, inspect certificates closely.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    @ninja92001 said:

    Been reading through comments about a G**** page...but for whatever reason I cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

    The directories I am finding don't seem to have anything that I recognize, or they're full of media items that I used a secret dinosaur program to try and find hidden files in, but that also has not helped.

    Can I get a nudge in which direction to start looking?

    Double check your nmap output. If it isn't there, try running nmap with the -sC -sV options.

    Alternatively, inspect certificates closely.

    Thanks. I used -sV in nmap but not -sC so I was completely lost on this. Also the certificate thing was a new one for me. Thanks again.

  • Finally rooted!!
    Definitely not an easy machine; getting the user flag after getting a foothold is what gave me a headache.
    PM for nudges.

  • Hello everyone. When I am trying to open the web page, I am getting "Server not Found". Did anyone get this issue, and if so, how did you overcome it?

  • @TridevReddy said:

    Hello everyone. When I am trying to open the web page, I am getting "Server not Found". Did anyone get this issue, and if so, how did you overcome it?

    Are you using an IP address or hostname?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • I keep getting 502 on the G page :-\ I have reset the machine but that's not solving it...

  • Can anyone help me? I'm stuck getting root from user.

  • @jagoannyaMAMAH said:

    Can anyone help me? I'm stuck getting root from user.

    Checking permissions on executable files, then a very basic reading of the file, is a good way to get the path from user to root.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
