Cache

Rooted. Cool box, I learned a few things. Overall, I think Admirer was a bit harder than this one, but both were good experiences.

  1. Enum and Foothold is the most challenging part of this box
  2. Due to issues I had with the low priv shell, I ended up doing the work to get to the ‘lateral’ user first, got a better shell and then was able to back up into the user holding the flag based on enum.
  3. Root isn’t difficult, just knowing who you are and some quick research if you are not familiar with the privesc.

Thanks to @Dark0 for the nudge on the foothold.

@sparkla said:
Do I need the second user for root? Please P.M. if it’s a spoiler

This depends on what your current user is. I got the “second” user before gaining access to the first one :smiley:

Would love a pm hint on enumeration. I found the n**.h*** but assuming that is rabbit hole.

Is P****** P***** supposed to be off by default or is someone messing with those who haven’t made it in yet? I’m finding enumeration on the H** side to be very difficult because it seems like the service is constantly being altered, and finding any way of authenticating to do one of the exploits I’ve found looks like an exercise in futility.

@ph03nix0x90 said:

Is P****** P***** supposed to be off by default or is someone messing with those who haven’t made it in yet? I’m finding enumeration on the H** side to be very difficult because it seems like the service is constantly being altered, and finding any way of authenticating to do one of the exploits I’ve found looks like an exercise in futility.

It is supposed to be available. But yes, people tend to constantly break the machine by using ready-made scripts, instead of using a way easier (and more stable) option for gaining RCE on the server.

Spoiler Removed

Google is your best friend when it comes to finding a flaw on your victims.

User: Go back to your notes

I am going to chalk this up to working from home and not giving this 100% attention. But I spent over an hour looking for the lateral move before I figured out it was literally the very first thing I found.

It’s interesting to see people talk about user and lateral movement. Depending on how you did the box, you could do either user first after you get a foothold. You don’t have to go in a specific order. However one holds the flag and the other is on the path to bigger things. You can definitely get root first and then back track.

Hi,
I suddenly found the /por**l directory is enabled, it was disabled yesterday… which is the original state?

Rooted, need help, let me know.

Rooted.

Very fun box, I learnt a couple new things and have some new tricks up my sleeve now.

I’m interested to hear how others got root first. I think I took intended paths.

Is the portal supposed to be enabled or disabled? Yesterday disabled, earlier today enabled, now disabled again. Had a working exploit but now I don’t know if it’s the intended way…

I thank you all for your time on the machine… @AwkwardUnicorn @limelight @itachi982 @sk4 @fr0ster @jiggle @D8ll0 @DaWoschbar @skunk @41fr3d0 @Dark0 @SneakyHedgehog @3l33t @Termopan @hg8 @beorn

I hope you have used the intended way to exploit root because that is fun?? (The mount method is also great and valid but really easy.)

And please give your precious review of the machine on the HTB site.

Found the portal, bypassed the authentication… trying injection to extract vital info which can bring me further… Can anyone provide nudges??

@lancelai said:

Found the portal, bypassed the authentication… trying injection to extract vital info which can bring me further… Can anyone provide nudges??

DM

uid=0(root) gid=0(root) groups=0(root)

Rooted Finally!!!

PM me for help …

Spoiler Removed

How can I get user1 and user2? Please.

@madm4n said:

I got 3w-data, and stuck. Cannot find anything useful.

Switch user. You have already found the creds earlier on, which are useful now, but not useful for the user flag.