Official Love Discussion

I don’t know if I’m on the right track here. I think I have a valid path for user foothold but I need to confirm before going down the rabbit hole :slight_smile:

Feel free to DM.

Any tips/suggestions for root? Basically a Windows noob. I’ve run winpeas, which I know basically tells me the priv esc, but I really can’t work it out on this one :neutral:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Got this. To gain foothold there are many ways! At least I just found two new exploits in this weak PHP app.
Root was also a nice way; I prefer to do it manually and not use Metasploit. Was a nice experience!

If anyone needs a nudge, just let me know.

@quangvo said:

I know the exploit for the root part. I tried various different types of msfvenom payload but I couldn’t get the reverse shell back to my machine. I did m****c /I to install the malicious file but nothing happened.
Anyone have the same problem?

There are 2 paths to get you root: a met******* way or a manual way.
If you know the exploit, then a simple Google search will find what you need.
You’re on the right path; get the right payload for your msfvenom, 2 commands and you’re done.
Or get a decent meterpreter shell and search for the exploit.
![Foalma321](https://www.hackthebox.eu/badge/image/74636)

@rancilio said:
Any tips/suggestions for root? Basically a Windows noob. I’ve run winpeas, which I know basically tells me the priv esc, but I really can’t work it out on this one :neutral:

WinPEAS output will have highlighted the way to go in red. You’re looking for something that is set to 1.
Google it and you’ll find the way.
If you have a met******* shell, just do a search for it.

@olamlo said:

I don’t know if I’m on the right track here. I think I have a valid path for user foothold but I need to confirm before going down the rabbit hole :slight_smile:

Feel free to DM.

If you tell us the track you’re on, perhaps we can tell you if it’s right.

@cutterslim said:
Finally got system… this being my first machine to learn on, I did not find it easy. I would describe as easy (at least for a beginner) a machine that has fewer rabbit holes to run down (to limit time sinks).

User: I had a few nudges. Unsure how long I’d have spent banging my head going after the wrong thing without these nudges. Things finally clicked, but for the wrong reasons: I was able to view the server access log, and I could see what other pen testers were doing, which made me think of how to get my payload over to get that 1st shell.

Root: spent too many hours going down yet another rabbit hole (went after an exploit that requires another Windows machine to mount the attack). When I finally ran my enumeration script on the victim machine, it gave me a wall of text, and the misconfiguration part was near the top so I kept missing it (realized I should have redirected output to a file for easier reading). I finally got the misconfig message by stopping the scroll while the script ran.

Not an easy machine to learn on, but thankful for all the nudges that saved me hours of going down rabbit holes (I still spent a good 3-4 hrs a day since this machine came online). I learned a lot, but would not recommend this to a beginner unless said beginner is resilient to frustration (I feed off frustration).

It depends on your current knowledge whether you find this box easy or not.
It’s a pretty basic one once you have initial foothold, which is fairly easy too.
There are multiple ways to root the box so it is a good one for beginners to learn on.
Rabbit holes keep these boxes fun; frustration is part of the job but keeps it from being too easy.

@SulfurPT said:

Every time I try to run the file on the user’s Desktop I get the error:

This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.

Tried to reset the machine, tried multiple file methods with msfvenom… I don’t know what more to do… Anyone with the same? What am I doing wrong?

I’ve found the problem: don’t use Apache to transfer the file, just use a Python server… ffs… Anyone know why there’s a difference between Apache and a Python server for transferring files?

@jps3 said:

I feel stupid for asking … but is there a forced limit on how much data will be transferred to the box from ours? I could only get a foothold if limited to under 300 bytes which precludes a real reverse shell as far as I can make it work. And from within that foothold cannot successfully transfer anything, say the nice recon script. Have had to do it methodically and manually via the simple foothold. Which seems to get removed periodically. The limit also precludes successfully transferring anything via either the same protocol or the old standby win file sharing one to use m-----c.exe. From others’ accounts it seems they breezed right through transferring typical foothold reverse shells, and so on. WTF?

I’m both laughing and crying right now. And feeling both stupid and (to much lesser degree) clever.

All of my issues with the box were due to my connection to the HTB VPN having been going through a privacy VPN at my router, which I do by default. I had not updated the firewall/routing exceptions in ages for the HTB VPNs. As soon as I did that and reconnected, all of the weird/oddball network limitations went away. Multiple /facepalms and /headdesks here for not thinking about that sooner.

Stuck at the secret page, don’t know where to go now. Nothing is happening after entering the file path.
Any suggestions please?

Did it take over an hour to finish scanning for anyone else? My Nikto scans on this box are taking an incredibly long time. One has taken over an hour and is still running…

@spaaze said:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Found out how this echo works, tried to access some files but didn’t get anything. What to do now?

@sam007 said:

@spaaze said:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Found out how this echo works, tried to access some files but didn’t get anything. What to do now?

Look back at your “map” from the beginning and see what cannot be seen remotely.

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it would give out the cr**s.
Could someone who completely understands how it works DM me about it?

@gs4l said:

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it would give out the cr**s.
Could someone who completely understands how it works DM me about it?

It is a combination of trial and error, and using what information you have available.

Box rooted.

Foothold: Standard HTB enumeration. No brute force of wordlists needed. Use what you got to get you more.

User: Standard HTB escalation path to get user.

Root: Your tools can point you in the right direction.

Interesting thing… I logged in as pe using evil-winrm so I had a more stable shell. Using evil-winrm I was unable to run the m**c command to trigger the payload I created via a popular framework tool. No error back, it would just “run” but I’d never catch it on the other end.

The same command ran flawlessly through a regular rev shell.

Is there something I don’t understand about RM/evil-winrm?


Interesting box. Foothold took me longer than I would like to admit, but it was definitely a good learning point for double checking things. Root was much more straightforward when using the script that several others have already mentioned in the thread. Feel free to DM me for nudges if you need it.

Banging my head against the wall on this one, especially since everyone is talking about how easy and in your face this one is. I have had no success uploading a shell/reverse shell to the machine or using LFI/RFI.

I assumed the machine was running X***P, which was confirmed through an error message. I haven’t had any luck accessing any of those files.

Unfortunately, the vegetable hint is not ringing any bells and I am not seeing anything from nmap results that are jumping out at me.

Can someone please offer a nudge? If you would like more details on what I have done, I can do that.

Thank you!

Just rooted! Very nice box!

Initial foothold: after finding the point where you can go further, try to do the stuff you are checking with all possible ‘ways’.

Root: Simple, if you can do the usual privilege escalation for Windows…!

DM me for nudges … :slight_smile: