NoMad

About

Username
NoMad
Joined
Visits
55
Last Active
Roles
Member

Comments

  • Rooted! So I kinda big-mouthed some weeks ago about getting user soon... Turns out I was stuck in that forward-shell (muh TTY :disappointed: ) long after I got the required loot, because the box was broken / somebody changed credentials. Root was w…
  • Learned something new: Don't trust Firefox DevTools. I wondered why the length in gob***** was non-zero, but then blindly trusted Firefox which didn't show anything in the response data. I feel betrayed.
  • SRVHOST/SRVPORT should be switched with LHOST/LPORT. I don't use Metasploit, but I found this website about Metasploit behind a NAT: https://onehostcloud.hosting/metasploit-meterpreter-nat/ SRVHOST is the bind address for the exploit to accept conn…
  • Would be easier to help if we got any details about your VPN setup and Lab network... But let's troubleshoot some basics first: Open the port that your exploit opens on your attacker box (nc -lvnp VPN_PRIVATE_IP:PORT) * Connect to it from a known-…
  • Footholded! This box makes me think I will never ever in my lifetime achieve anything on hard/insane boxes on my own. Not a dent, not even a scratch. Couldn't have done it without all the hints in this thread, that's for sure. Together with my atte…
  • Rooted! Foothold was the hardest part for me. User was easier than thought (I rarely use this technique, was surprised it yielded results). Root was a piece of cake. Literally the first thing I check on every UNIX. Took me ~2 days (and first 3 page…
  • I was able to read the root flag, but wasn't able to get proper command execution working. Also wondering now if those things I found last week were meant to be found. Can someone DM me?
  • WTF guys, if you want to transfer loot, either * establish an outbound connection from the target to upload it to your box or * at least put everything into a subdir "htb_username" of your python3 -m http.server If you serve it from …
  • Spent a good 2 hours researching techniques to bypass that one function... As it turned out, DuckDuckGo may be excellent to have some privacy, but the search results can be quite bad. With Google, I did 2 searches and the answer was in the Top 3…
  • OMG this box took me so long! I first tried it a couple of weeks after release, no luck (and no skill). Today, I started off fresh and did it within an hour and a half. Most of which was spent on writing a nifty program in C only to realize I suck a…
  • Rooted! Nice box. Ask me for hints while it's still fresh in my memory... I should take more notes ;)
  • # id uid=0(root) gid=0(root) groups=0(root) # hostname jewel.htb took me quite some time... First time I had to use burp (didn't feel like parsing html), debugging locally was a waste of time (CVE easily googled by app language + looking at source). …
  • rooted at last. Skipped user tho... I don't think that was the intended way, so I googled and sure enough I didn't find the "easily greppable thing" most people are talking about. CC @egotisticalSW
  • TL;DR Just use an SSH tunnel. I'd recommend to proxy traffic through your VM so you can use GUIs on your Host for HTTP/S, FTP, SSH and so on. No install or server config needed, SSH got your back. Just add a dynamic tunnel in PuTTY, use localhost:l…
  • @Arty0m same... I really need to get into the habit of taking proper notes and automating this stuff so I won't push it back for "later". Because "later" apparently means a month to me. Anyhow, I am so glad I didn't go through the e…
  • Foothold: Luckily there are no rabbit holes (at least I didn't encounter any). I didn't even use nmap, the target is obvious. User: Fighting with eclipse to test locally was the hardest part... I hate that IDE and that language! But testing locally…
  • rooted. As always, I was just missing the courage to go down that rabbit hole during user. Thanks to you folks on the forums for keeping me motivated. So here are some hints to keep others motivated... @joeldejo Foothold: Try another exploit, you…
  • Fun Challenge! Even though I knew some bits about the script language, it took me ages even to get some output back. Having done that, I had learned enough to pop the flag in seconds. The vulnerability and exploit path are a piece of cake to figur…
  • I'm stuck after user flag. Normally, I'd just drop the box but everyone says root was easy so I have to know... Anyone willing to help out via PM? Edit: Rooted! Thanks @NetIceGear @Mavi93 and the dude who spoiled the vector to me through ps. I'll t…
  • Thanks @AnonyBit for helping me with root. For those stuck on LFI: Do more research on what LFI is and what it can do. Start from zero and verify one assumption at a time. In other words: Try harder :lol:
  • (Quote) Absolutely, I've spent an hour reading up on what I'm doing and what to do with that, which made understanding and using the vulnerability in that environment super easy. Once I understood what's going on, it was a walk in the park. (total b…
  • Finally got user! I was stuck for half a day because of a typo, and half a day because I assumed things... @kzelman You're almost there. You might want to take a step back and consider how you got there. Enumerate thoroughly and you'll find your de…