@TazWake good to know. Anyone else had this issue and resolved it?
It isn’t mentioned very much on this thread, but lots of people experienced this on Laboratory which uses similar technology. I suspect it is a result of some service not starting cleanly when the box initialises.
I don’t have a good suggestion but based on the Laboratory thread you could try:
Reset the box and then wait 10 minutes. This should give it time to make sure every service is started.
Raise a jira ticket with HTB.
Try a different VPN to see if its a problem on the specific server assigned to your instance.
Can anyone that has completed this box message me please? I got user a few days ago, but forgot to save my notes before shutting down my VM. Now, I can’t seem to reproduce the steps I used before. None of my PoCs work for getting a user shell.
Rooted this morning. Was pretty easy compared to the Laboratory machine.
Only spent ages trying to get the first root because the names in the files don’t seem to mean anything. Like, I would’ve expected the ini****_****_******** to have lead to it and not the s***. I guess I have to keep in mind that password reuse is a thing and people put their secrets in weird places.
Like others have said, after that the second root is a common one. Had to do a few times though because it didn’t work the first time.
Overall, nice room but, I wouldn’t really rate as a medium (unless you count the variable naming).
I’m studying hacking for pentesting about 3 months ago and spent time to discover Kali and tools. Now I’m entering this wonderful world of hacking . I’m pretty a noob in the area. Well, I would thank the author of this box. It’s the first I managed to resolve (almost) without cheating. All I can say is there is many complicated rabbit holes that I was not able to force like SSH. Getting user is easy as it’s just searching on web. Root is also easy just thinking we are in a jail and not in the real system. I learned very much with this box :
Rooted!
Actually, I found the creds by pure luck but I can’t find it anymore unfortunately
I really wanted to know what are the enumeration steps that leads to find the creds without any nudges…
Rooted, this was quite a simple box to be honest, maybe because recently I did an easy box using same approach
Foothold: Enumerate what you’ve found, and understand versioning. Search for vulnerabilites. There are several tools in the Web, personally I’ve used the very same of an easy box done recently that allowed reverse shell (that needed to be improved) as user g**
User (?): Using classical enumeration tool found interesting credentials that at first glance didn’t appear to be useful, but experience of recents boxes suggested to investigate further and actually I could use them (password reuse is a bad habit). Managed to grab user hash (even though I was not that user, that was odd). At this point I was a little confused as I thought that I reached the goal, but I realized that I needed to try harder.
Root: With some google-fu managed to free my self and obtain what I needed. Decided anyway to do a step further and complete escalation process.
I got user flag and currently stuck as g** user. Trying to find a way to privesc but having issues seeing the path. Nudges? DMs are open if you are worried if it will be to much of a spoiler
EDIT: Never mind, i rooted it and got the flag. This box was interesting and taught me something new!
root@ready:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:~#
Rooted!
Overall a really frustrating box because I hit rabbit holes hard. Finally rooting after the “middle” hop took less than 5 minutes. 5-6 hours of wasted enumeration hurts… but oh well I guess you live and you learn.