Official BountyHunter Discussion

@lorehaze said:

To privesc I used “/bin/sh -p”. I successfully got the shell, but then running whoami, the output is still the user name, not root.

Could you suggest something?

Well, I’d suggest that whatever you did to try and make that shell privileged didn’t work.

(note this is dangerously close to spoilers so be careful how you phrase the questions on the public forum)

If you’ve exploited the vulnerability correctly, you shouldn’t need -p.

Hello All

I lost some time around the vulnerability.

I found a tip, and I retried with a bash -c "curl *** "
for the curl POST request
and that works!

Why don’t my curl POST requests with the same data values work? :neutral:
Before, I tried with Burp, and that didn’t work.

thanks

root@bountyhunter:/# id
uid=0(root) gid=0(root) groups=0(root)

Great easy box. Foothold & User was interesting for me as I have never personally used that method. Root was pretty straightforward. Just follow the instructions! :))

DM if you need a little nudge

This was a very fun box. DM me for hints but please provide steps already taken :slight_smile:

What filter evasion do you have to do in order to be able to read files?
Can only read pa***d and maybe one other file. Nothing else.

Finally rooted.

Foothold/user: Spent more time than I should have. Classic enumeration pointed me in the right direction, but I struggled with the exploit, since I was not using the proper filtered payload.
You should use the exploit to access the file that enumeration discovered.

Root: See what can be done and use it to your advantage.

Thanks for the box!

Very Easy:
User: A classic exploit
Root: Just i****t

Finally finished this one. Thanks to @htbuser01 and @Element92 for the nudges.

Foothold/User: Think about file extensions as you enumerate, and then Burp is your friend. Read up on your OWASP techniques.

Root: Read the “tool” and then think about ways to make it do what you want it to do. I’m sure there are many ways, but I found one that worked for me to accomplish what I wanted to do.

Good to be back on HTB! Well, I don’t mean to brag, but I really think it is too easy to be HTB standard. But I like the fact that this box motivates beginners to encourage themselves.
Hints are already here. But if you get stuck you are welcome to PM.

This one is very easy compared to other boxes.

Rooted. That was fun.

root@bountyhunter:/tmp/tuxvador# id
uid=0(root) gid=0(root) groups=0(root)
root@bountyhunter:/tmp/tuxvador# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:73:70 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.100/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:7370/64 scope global dynamic mngtmpaddr 
       valid_lft 86322sec preferred_lft 14322sec
    inet6 fe80::250:56ff:feb9:7370/64 scope link 
       valid_lft forever preferred_lft forever

Anyone online, message me. I am having a hard time rooting; invalid ticket every time.

Not sure how to feel about this box, it had a weird overall feeling. I spent a lot of time on the foothold for two reasons:
1°) I’m an idiot, which is on me.
2°) I could read some files, and some others I couldn’t. So I just wasted a lot of time trying to guess what I thought was an unusual file system :frowning:

The root part is very CTF like, not what I enjoy the most, even though it’s always good practice because it pushes you to read code and understand what’s going on.
Thanks @ejedev

Thanks for spoiling the root! Someone’s leftovers are doing everything for you. I did reset the machine and now I’m trying to make it by myself. DELETE YOUR STUFF !!!

Fun machine… and with a realistic approach.

Foothold/User: Once you have identified the web vulnerability… try all possible attacks from different sources (portswigger, hacktricks, owasp, medium, etc.); one or two of them will take you straight to exploiting successfully and user eventually.

Root: typical privesc enumeration will take you there. Need to read and try to understand what code does. Then play with it and you will get a ticket to root.

Please make sure to delete your files or restart once you complete the machine. It’s not funny to find “unintended hints”.

Rooted. Thanks to @obfucipher for the nudges. It was nice to know I was on the right path every time, just pointing my payloads at the wrong thing or slightly out of line…

Finally rooted the box. Thanks to @htbuser01 for help.

User:
1) I just narrowed down my vision and kept hitting and expecting different results.
2) Start from scratch. And make sure you enumerate the webpage properly (this was my mistake).
3) Understand what you send.
4) You can read the file. But for the interesting file you need to filter it.

Root:
1) Understand what the code is doing.
2) And search how you could turn that part of the code to your use.

Hey, I’m a bit lost on this box’s foothold. Can someone PM me for some help?

Very refreshing machine! Kudos to @ejedev for the treat!

@lorehaze said:

Could you suggest something?

Did you make sure to add “sudo” to the front of what you are doing?