Official Writer Discussion

I hit a blind man with a stick and here I am still waiting while I read something h4h4

This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours… I am impressed.

@f1rstr3am said:

This is extremely time-consuming. I think I know what I want to exfiltrate but I don't know where it's stored. And it takes forever to read every byte. User in 2 hours… I am impressed.

Maybe being blind is not the right way to read files :wink:

As you have found the permission, try different ways of reading files :wink:

@f1rstr3am said:

I had strange timeouts yesterday so I gave up not knowing if it was HTB infrastructure or perhaps a WAF doing its job. Today I realised that my manual approach using a tool did not work but when I dumped file from Burp Suite and let it work with that it seems to work. I can't see why but I am obviously missing something in the request. Gonna go back later and learn from it, now I at least have found something to work with.

Last night I gave up scanning for anything, this morning scanning I’m finally seeing open ports!

I am trying to exploit what I found in the web code. But I get stuck on the payload. Can someone give me a hint?

@Kalimoe said:

I am trying to exploit what I found in the web code. But I get stuck on the payload. Can someone give me a hint?

If you are trying to get a foothold from this, I don’t think this is the right way.

Got user. My hint would be not to bother using the automated tool for this one. It takes far too long.

Got user but stuck on privesc. Do I have to do anything with the other vhost?

@Kevoenos said:

Got user but stuck on privesc. Do I have to do anything with the other vhost?

How did you get the user then? :slight_smile:

Got creds for a service. Don’t know where to go from there. I would gladly take a hint :confused: PM me!

@FQuen said:

Got creds for a service. Don’t know where to go from there. I would gladly take a hint :confused: PM me!

Enumerate which files you can edit :wink:

@jsarmz said:

@Kevoenos said:

Got user but stuck on privesc. Do I have to do anything with the other vhost?

How did you get the user then? :slight_smile:

Probably the unintended way, by bruteforcing… I’ll try it the intended way first then.

Finally Rooted :smile: my first machine done a few hours after release!

User was quite complicated, since my enumeration process did not pick up everything. The tool I used for the foothold did help in some way, although I ended up copying the generated payload and used it by hand at the end.

Root was fun - the initial foothold is right there, however the system does bite back so it is absolutely crucial to understand what happens on the system :wink:. I ended up taking multiple steps to get root.

Very fun machine overall (although it took me more time for user than I expected), although I am not sure if there are multiple ways to exploit it since there are some services that I did not use at all in the end.

Was able to use an OWASP top 10 vuln and found I can read various files on the server. Does not seem like I can find the ones I need to, however :slight_smile:

Nice box, rooted.

Privesc to root: can’t have a proper reverse shell!!
(user j*** not in group m*******)

well, rooted. Funny box

Rooted Is Nice For
User: Look To OWASP 10
Root: look in cronjob and P****** The User k*** not in group m******* The j*** is In Group

Rooted. Priv esc was a lot easier than foothold imo, although I got trolled for a while by my shell after getting user j**n

root@writer:~# id
uid=0(root) gid=0(root) groups=0(root)

Rooted, forgot the basics.
Thanks, sharkmoos