I did get the foothold. It’s not even that hard (could maybe be medium even, though I haven’t tried the privesc just yet) just rtfm and google around. It’s a little frustrating that it didn’t work right but if you’re having issues just reset it a few times or wait I guess, lol.
I solved the 500 by going to Login :: Hack The Box :: Penetration Testing Labs, the old site, and starting an instance from the “all machines” page instead of using the app vhost and launching it in release arena.
As for getting the foothold and user: figure out what you can control, figure out what your limitations are, establish something that works. One thing leads to the next, so don’t go off in a totally different direction if you get stuck. This machine really points you where you need to go, which is nice; I’ve enjoyed this one a lot.
I think this box is what covid came from…
lol thanks @infosecjack this mother was a monster but you hit my itch and I hardly slept since release. mmmm that got root bed time vibez!
if they had to throw 500 internal server error all over, what is the benefit of box being inside release arena. if i solve this box, am gonna give it the lowest score for sure.
sometimes that 500 is a bad cookie or something.
No, there is definitely an issue with the box.
Deleting the cookie from your browser helped me resolve 500 errors. Resetting does not seem to help
maybe there was an issue on the backend sending the response object. it’s something totally unrelated to request cookie, and only manifesting in release arena. trust us guys we’re not crazy lol. maybe it was resolved by now or ephemeral, idk i already finished this box.
got root. Dm if need help with steps you did.
Rooted right now. Really a nice machine!!
For 500 response errors, delete your cookies, if you have deleted them restart the machine.
User: don’t overthink it is all in front of you, be sure to look on all pages available. If you know how it is built you can control it. Don’t trust your eyes and trust what you have seen until now. Fight your limits, the backend technology provides you all the bricks you need.
Root: it is not too different, think to what the server evaluate…
DM me if you need hints.
one of the best box i played recently, excellent to explore this kind of vulnerability.
Amazing box, really enjoyed playing with the payloads
Oh dear… seems like an epic fail on enum for me. I only see a small number of endpoints and have tried the usual attacks on them but not getting anywhere. Gobuster turned up nothing that I couldn’t get with manual review - any nudge for what I’m missing?
Rooted.
Foothold/user: analyze carefully what is in front of you. A specific issue will allow you to do nice stuff that will help you “secretly” recover something. Iterate this issue and finally you’ll land on target.
Root: enumeration is key, once you uncover something look beyond what you see. Analyze everything something odd should not be “allowed”! For me this was the first time I used this kind of scenario within HTB so it was cool to learn something new.
Thanks for the box!
Rooted. User part was new to me. Root was a bit easy or I would say straightforward
Nice box. Learned a lot.
Phew! What a box, what a thrill, what a ride!!!
It took me a LONG time to exploit this box. Foothold, user and root were completely new to me. Thanks a bunch to the creator of this box - I enjoyed it a lot!!
No new hints from me, reading through previous posts should give you all you need.
DM for hints!
Just rooted. Really great box, learned a lot. DM me if you need some help.
I am stuck with privesc, any hints?