Official Laboratory Discussion

Good box, I definitely went down some bad rabbit holes from the get go. Took me far too long to go from foot to user; I even saw what I was supposed to do early on but got sidetracked. However, I’m stuck on the user->root. It’s one of those obvious things… but I just can’t see it for the life of me. PMs appreciated if anyone has any tips.

Edit:
I’m a moron, I just got it.

Many of you are talking about deploying a similar environment locally, but I managed to obtain a reverse shell and ended up in a d***** c******** as user g** without doing so, but with no flag, so my next step is to find a way out of the c********. Is it a rabbit hole, or has someone managed to do the same and obtain root access?

Been reading through comments about a G**** page… but I, for whatever reason, cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

The directories I am finding don’t seem to have anything that I recognize, or they’re full of media items that I used a secret dinosaur program on to try and find hidden files, but that also has not helped.

Can I get a nudge in which direction to start looking?

PS: I also looked at the service version of the webpage on Google, but exploits don’t seem to work with ms. F

I am at a loss and wonder if this is one of those boxes involving something I have never heard of.

@ninja92001 said:

Been reading through comments about a G**** page… but I, for whatever reason, cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

The directories I am finding don’t seem to have anything that I recognize, or they’re full of media items that I used a secret dinosaur program on to try and find hidden files, but that also has not helped.

Can I get a nudge in which direction to start looking?

Double check your nmap output. If it isn’t there, try running nmap with the -sC -sV options.

Alternatively, inspect certificates closely.

@TazWake said:

@ninja92001 said:

Been reading through comments about a G**** page… but I, for whatever reason, cannot seem to find this. I have used ffuf and dirb big.txt to scan through the web directories.

The directories I am finding don’t seem to have anything that I recognize, or they’re full of media items that I used a secret dinosaur program on to try and find hidden files, but that also has not helped.

Can I get a nudge in which direction to start looking?

Double check your nmap output. If it isn’t there, try running nmap with the -sC -sV options.

Alternatively, inspect certificates closely.

Thanks. I used -sV in nmap but not -sC, so I was completely lost on this. Also, the certificate thing was a new one for me. Thanks again.

Finally rooted!!
Definitely not an easy machine; getting the user flag after getting a foothold is what gave me a headache.
PM for nudges.

Hello everyone. When I try to open the web page, I get Server not Found. Did anyone else get this issue, and if so, how to overcome it?

@TridevReddy said:

Hello everyone. When I try to open the web page, I get Server not Found. Did anyone else get this issue, and if so, how to overcome it?

Are you using an IP address or hostname?

I keep getting 502 on the G page :-\ I have reset the machine, but that is not solving it…

Can anyone help me? I’m stuck getting root from user.

@jagoannyaMAMAH said:

Can anyone help me? I’m stuck getting root from user.

Checking permissions on executable files, then a very basic reading of the file, is a good way to get the path from user to root.

Hey there, I think I found the right exploit and I modified something in order to make it work. I’m still stuck at the part where it downloads the shell; I’m trying to use the LFI/RCE of the service. Can someone give me some hints?

@HomeSen said:

@synap5e said:

This is my first hackthebox :smiley:

Let me guess: You had to add a newline to the end of the file? For some reason, certain ssh clients require the key file to end with an empty line.

MOTHER F***ER! That was my problem the whole time? A newline char?

Wow. Thanks!

@TazWake said:

@jagoannyaMAMAH said:

Can anyone help me? I’m stuck getting root from user.

Checking permissions on executable files, then a very basic reading of the file, is a good way to get the path from user to root.

Thanks man, I appreciate it.

Foothold and getting user was enough of a headache

Stuck with ROOT
After running all enum tools p*** l*****.sh LE*.sh
Not sure what process I should exploit

@mar0ne said:

Foothold and getting user was enough of a headache

Stuck with ROOT
After running all enum tools p*** l*****.sh LE*.sh

Chances are they have shown you the path to root, but the problem is that it will be hidden in the noise.

find on its own will be enough.

Not sure what process I should exploit

Don’t think about exploiting a process as such. Look at something you can run as root. Look at it in detail and you can see the path to getting root.

@TazWake said:

@mar0ne said:

Foothold and getting user was enough of a headache

Stuck with ROOT
After running all enum tools p*** l*****.sh LE*.sh

Chances are they have shown you the path to root, but the problem is that it will be hidden in the noise.

find on its own will be enough.

Not sure what process I should exploit

Don’t think about exploiting a process as such. Look at something you can run as root. Look at it in detail and you can see the path to getting root.

I think I saw something relative to log**, but it didn’t work

Finally rooted this. What a ride. Willing to PM nudges if needed

This was the hardest “easy” box I’ve come across but not by design.

There were some stability issues as well that made it difficult to get a grip on things. I’m reasonably certain there are some people who try to brute force things on HTB. Tsk Tsk. That’s not what this site is about.

Looking back I’m not sure why it was so hard. I guess because the attack vectors I’d found did not work as expected and required tweaking. It’s technically not that complicated but was hard to execute for certain reasons.
Foothold was tougher than it should have been but not by design. For some reason the obvious method of getting in didn’t work for me until I made some adjustments. This initially put me off making me think I was barking up the wrong tree.

User. Even after stealing the info I needed to become user I had trouble, again on my end, making it work. Again it seemed like I’d gone wrong somewhere but I needed a little new line char to fix the issue.

Root was a textbook standard beginner type exploit but you need to have your reading glasses on to find it. Tip: enumerate in detail and don’t just look for the easy stuff. It’s right there in the output of your fave enumeration tool.

I must enjoy the pain.

@mar0ne said:

@TazWake said:

@mar0ne said:

Stuck with ROOT
After running all enum tools p*** l*****.sh LE*.sh

Chances are they have shown you the path to root, but the problem is that it will be hidden in the noise.

find on its own will be enough.

Not sure what process I should exploit

Don’t think about exploiting a process as such. Look at something you can run as root. Look at it in detail and you can see the path to getting root.

I think I saw something relative to log**, but it didn’t work

I don’t think that is the thing I am talking about. Linux permissions are a useful thing to understand and what the various bits in a permission allow you to do. If one is sticky, it can help.

When you can find that one file, if you look at it closely, you can see the path to getting root on this box.
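
The special permission bits mentioned in the reply above, shown as an added example that is not from the thread or the box: an audit helper that decodes the setuid, setgid and sticky bits from a file mode and flags executables that run with their owner's or group's privileges. The function names and the sample modes are assumptions constructed for illustration.

```python
import os
import stat

def special_bits(mode):
    """Name the special permission bits set in an st_mode value."""
    flags = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
             (stat.S_ISVTX, "sticky"))
    return [name for bit, name in flags if mode & bit]

def classify(mode, owner_uid):
    """Return an audit note for one file, or None if nothing needs review."""
    if not stat.S_ISREG(mode):
        return None  # e.g. the sticky bit on a directory such as /tmp is normal
    bits = special_bits(mode)
    runnable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    if not runnable or not ({"setuid", "setgid"} & set(bits)):
        return None
    who = "root" if owner_uid == 0 and "setuid" in bits else "its owner/group"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"high: runs as {who} and is writable by group or others"
    return f"review: runs as {who} for every caller"

def scan(root):
    """Walk root without following symlinks; return (path, perms, note) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            note = classify(st.st_mode, st.st_uid)
            if note:
                findings.append((path, stat.filemode(st.st_mode), note))
    return findings

if __name__ == "__main__":
    # Constructed sample modes, not taken from the box discussed in the thread.
    for mode, uid in ((0o104755, 0), (0o104775, 0), (0o100755, 0), (0o041777, 0)):
        print(stat.filemode(mode), special_bits(mode), classify(mode, uid))
```

Run `scan("/usr")` on a host you administer and compare the result with the distribution's expected list of privileged binaries; anything locally added deserves a read of what it actually executes.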

Hey @TazWake, I just wanted to shout out some respect to you for taking the time to handhold so many of us.