Official Love Discussion

@jps3 said:

I feel stupid for asking … but is there a forced limit on how much data will be transferred to the box from ours? I could only get a foothold if limited to under 300 bytes which precludes a real reverse shell as far as I can make it work. And from within that foothold cannot successfully transfer anything, say the nice recon script. Have had to do it methodically and manually via the simple foothold. Which seems to get removed periodically. The limit also precludes successfully transferring anything via either the same protocol or the old standby win file sharing one to use m-----c.exe. From others’ accounts it seems they breezed right through transferring typical foothold reverse shells, and so on. WTF?

I’m both laughing and crying right now. And feeling both stupid and (to much lesser degree) clever.

All of my issues with the box were due to connection to HTB VPN having been going through a privacy VPN at my router, which I do by default. I had not updated the firewall/routing exceptions in ages for the HTB VPNs. As soon as I did that and reconnected, all of the weird/oddball network limitations went away. Multiple /facepalms and /headdesks here for not thinking about that sooner.

Stuck at secret page, don’t know where to go now. Nothing is happening after entering file path.
Any suggestion please

Did it take over an hour to finish scanning for anyone else? My nikto scans on this box are taking an incredibly long time. One has taken over an hour and is still running…

@spaaze said:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Found how this echo works, tried to access some files but didn’t get anything. What to do now?

@sam007 said:

@spaaze said:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Found how this echo works, tried to access some files but didn’t get anything. What to do now?

Look back at your “map” from the beginning and see what cannot be seen remotely.

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it will give out the cr**s.
Could someone who completely understands how it works dm me about it?

@gs4l said:

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it will give out the cr**s.
Could someone who completely understands how it works dm me about it?

It is a combination of trial and error, and using what information you have available.

Box rooted.

Foothold: Standard HTB enumeration. No brute force of wordlists needed. Use what you got to get you more.

User: Standard HTB escalation path to get user.

Root: Your tools can point you in the right direction.

Interesting thing… I logged in as pe using evil-winrm so I had a more stable shell. Using evil-winrm I was unable to run the m**c command to trigger the payload I created via a popular framework tool. No error back, it would just “run” but I’d never catch it on the other end.

The same command ran flawlessly through a regular rev shell.

Is there something I don’t understand about RM/evil-winrm?


Interesting box. Foothold took me longer than I would like to admit, but it was definitely a good learning point for double checking things. Root was much more straightforward when using the script that several others have already mentioned in the thread. Feel free to DM me for nudges if you need it.

Banging my head against the wall on this one, especially since everyone is talking about how easy and in your face this one is. I have had no success uploading a shell/reverse shell to the machine or using LFI/RFI.

I assumed the machine was running X***P, which was confirmed through an error message. I haven’t had any luck accessing any of those files.

Unfortunately, the vegetable hint is not ringing any bells and I am not seeing anything from nmap results that are jumping out at me.

Can someone please offer a nudge? If you would like more details on what I have done, I can do that.

Thank you!

Just rooted! Very nice box!

Initial Foothold: after finding the point where you can go further, try to do the stuff you are checking with all possible ‘ways’.

Root: Simple, if you can do usual privilege escalation for Windows…!

DM me for nudges… :slight_smile:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Yes. Without giving away too much, you can do the entire box without needing any hashes at all. If you need more then feel free to DM me.

@Hazard said:

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Yes. Without giving away too much, you can do the entire box without needing any hashes at all. If you need more then feel free to DM me.

Appreciate it but think I’ll try to figure out where I went wrong… I mean that’s a cruel trick lol, I know those are hashes for valid users from reading the thread. Back to the drawing board.

@foalma321 said:

@rancilio said:
Any tips/suggestions for root? Basically a Windows noob. I’ve run winpeas which I know basically tells me the priv esc but I really can’t work it out on this one :neutral:

WinPeas output will have highlighted the way to go in red. You’re looking for something that is set to 1.
Google it and you’ll find the way.
If you have a met******* shell just do a search for it.

Thank you, I managed to get root. This is what I thought the priv esc was originally but couldn’t get it to work first time so moved on to other ideas. Glad I tried again. Thanks :slight_smile:

rooted

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Well, took a break and came back today and found another way to use this OWASP Vuln to get a foothold through a Bypass method… Not sure if this was intended as when I looked into it the Vuln was only disclosed a couple days ago but nonetheless it worked!

Well… Spent 4 days, all I have is a list of suspicious dirs and a**** creds, which I obtained via common vulnerability from top10 list, but I can’t login with them, other possible ways lead to nothing for me. Can someone give me a nudge in PM, please?

UPD. Rooted. Ty for box

After playing a lot of Linux machines, I decided I need to expand my Windows-skills. Love is an excellent box to learn. I had a lot of fun playing the box and got to root without too much trouble.

Here are some hints from my perspective:

General
The box looks realistic to me. There are a lot of possible rabbit holes to get lost in and a lot of things to do and try. Don’t get discouraged.

User
Be sure to enumerate everything, even when the service returns an error. Once you find the vulnerable piece, standard CVEs should help you get to user. However, simply copying and pasting doesn’t work. You need to think about what you do and make some small adjustments.

Administrator
I never did PrivEsc on a Windows machine before so it took me several hours. What helped me was Tib3rius’s course: “Finding and exploiting Windows vulnerabilities and misconfigurations to gain an administrator shell.”. Be structured about your privesc methods and don’t be afraid to use scripts to help you find what you need. Once you have it, the route towards PrivEsc is fairly simple.

What a fun and great box, I really enjoyed this one!

Those encrypted passwords of users and admin are too hard to crack.