Official Proper Discussion

Official discussion thread for Proper. Please do not post any spoilers or big hints.



  • Any tips on bypassing this biotch? Someone assist with custom script... not trying to give too much of the py away lol

  • Man I got the lock and the bearings but can't make a key that fits.. wow this baby is tough more insane not hard, gonna work with me? Wanna take a long shot at it and crack it down who wants to join?

  • Tough damn box, got web user creds and can do some things... but.. clearly not doing the right thing.

    Could someone give me a nudge please and thank you.

    :P not looking for the answer btw, just a tipping tip :)

  • Just got user on this one. Men, this is as hard as fun!

    Thank you @xct and @jkr, loved this so far! Especially how the path to follow is pretty obvious but the actual exploitation definitely isn't.

  • Yeah lol, I finally ended up getting it too. Rough box.

    Interesting methods. I'm sure there is more than one way to do them though.
    Looking forward to reading up on them after rooting.

  • Finally got user. I need to add this to my checklists...

  • Can someone give me a little direction, please? I got an idea what it might be, but I'm not sure how to approach it, don't want to spoil. Yeah this machine seems a lot harder compared to previous machines this month.

  • Love it so far! It's been a while since I've seen the initial vulnerability done as something that wasn't a throwaway challenge. maybe the user/root will be a CTF nightmare, but rn this is a great time <3

  • @riceman said:

    Love it so far! It's been a while since I've seen the initial vulnerability done as something that wasn't a throwaway challenge. maybe the user/root will be a CTF nightmare, but rn this is a great time <3

    Yeah, loved it as well! I can't even remember another box with this type of vulnerability (the user foothold), but I bet it's pretty common in the real world.

  • Now that you said it I'm starting to recall very very slightly... still missing a blib.

  • edited March 21

    user own.
    Took me 4 evenings!
    Thank you to those who helped me (special thanks to @bashketchum).

    Thank you @xct and @jkr, you're good! I think it's the box I liked the most so far; definitely learnt a lot!

  • Came back after a few days away. user was glorious. getting that to work was an awesome feeling. I'm pretty close to root, I just haven't nailed it yet. This one is an easy favorite of mine.

  • Finally rooted, more than a week later. Definitely loved it! Learned so much from this one.

    A lot of you are sending me PMs: it's ok, I'm happy to help, but mind that I have a job, and this habit of sleeping every now and then, so please be patient. Also I'm not willing to just spoil the box: ask specific questions, not just "What should I do?" or "Why isn't this working?". And be prepared for cryptic hints, not solutions ;)

  • After a week full of action and "try & error" got user access to the box but BTH-Portal unfortunately doesn't accept the content of "user.txt" as flag :(


  • edited April 4

    Took me a lot of time and a small hint, but I got user. What a fantastic box! Trying to get root now but I'm very new to Windows PrivEsc. If anyone can help me out, that would be great!

    User hints (trying not to spoil anything): The obvious path is indeed the path you need to take. The way to get access is what you initially thought: be sure to thoroughly research the way you intended to gain access. You might have missed something :)


  • Struggling to get root on this. I've tried whatever is in my knowledge to go ahead, but I think that I'm again banging on my lack of skills in binary exploitation... any nudge would be really appreciated...

    echo start dumb.bat > dumb.bat && dumb.bat

  • Rooted this box. Great experience and a lot of fun. Thanks @jkr and @xct! The learning has been through the roof!
    For root:
    There's more than one way to solve it. Both require the same path.


  • Managed to get the root flag without a shell. Really fun box, thanks @jkr and @xct. I learned heaps.
  • Hello, I've managed to crack the hash but I'm not able to bypass the filter. Could anyone give me a nudge in this step pls :)

  • edited May 28

    Hello, I'm at the last step to get the foothold but every type of connection I make to this machine seems to be closed instantly. I'd be really grateful if someone could help me in PM!

    Edit: Managed to get foothold and later, after some research, root. The foothold issue was maybe due to the box malfunctioning in some ways.


  • I can get foothold/user, and can go see where the two exe's of interest are, and how they are connected. But I do not understand what I am looking at, my Win-fu is lacking. How would a Unix person conceptualize what is going on there and how to think about potential vulns? (Tried seeing if I could RE them but that did not work well, so do not have any insight into wtf is going on between those two.)

  • edited June 1

    Stuck in foothold, anyone please help me

  • Amazing box! Loved every step
    User: once you have something to read in front of you, read it carefully.
    Root: all you need is there, just connect the dots, maybe a windows box can help understand what's going on :)

    You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • edited June 8

    Starting this one. Wish me luck guys! :smile:

    Foothold: some web service with obscure protected salted encoded input for use in a kali tool to walk databases. Need to produce an error to get salt. Next access point is the same method but with a different attack. Same way. Produce an error on service.

    EDIT: I don't know how to inject payload. http is not allowed. :neutral:
    EDIT2: No way to RFI in s---a. s--client in local shell works properly :neutral: Does theme accept backslashes and slashes? I have an issue with backslashes. Slashes don't work either. Can someone tell me what is correct? When I use nc on port 445, I see the request, so the problem is targeting include header. Any ideas, pals?
    EDIT3: Well I don't understand the s-- url format. I ran a php script on another machine with the same result. Tried doubling backslashes with no success :cry: Running s--client is ok.

  • @kshitizkr6003 said:
    Stuck in foothold, anyone please help me

    See my comment :smile:

  • Hello guys,

    I reached the panel. I know what the vulnerability in the panel is and how to exploit it, but the payload I created does not work properly. Can you help me?

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Hi,

    I got the user flag, it was a pretty grueling process for me :neutral: Took me 4 evenings!

    Now the root user is next.

    Hint for user
    • Scan the directories on the site in detail (gobuster, dirb, wfuzz)
    • At the end of the scanning process, you will get a directory. (l******s)
    • Source codes on the site can direct you to different pages
    • All you need in this process is you and python ( maybe smbserver :wink: )
    • Feel free to PM for help.

    I would like to write more but I'm afraid of spoilers


  • edited June 27

    Not entirely sure I understand the path to foothold. I intercepted and played with it instantly which revealed the formula. However, I always get a 500 internal error if the arg is not id+desc... Is this a server restart or am I missing something?


    Foothold: Don't forget to parse_quote if you see 500

  • edited July 8

    Hi! Step by step I am going through this machine, and I get stuck on every step for some time. Currently I am at the theme park trying to get on the ride (is this the way to avoid spoilers?) I can get something through using the famous dance, but nothing executable. Is there a need to bypass the "filter" for RCE, or is there some other way to gain access to the machine?

    EDIT: nvm, got it. That was fast.

  • Hi! After several weeks of hard work with @camk's support, I got the root flag back. Thanks to @jkr and @xct and @camk :-) for this machine. I learned a lot of new things.
