Finally rooted.

Pretty cool box. Sort of real world-like.

My advice for anyone.

Initial Foothold:

  • Took me ages to figure everything out. The hints in this thread give you everything you need. However, some Python know-how will be required to make sense of everything you need. “Look into the past to see how things have changed”

Initial Shell:

  • The damn RCE just didn’t want to work for me and boy did I try hard to get it. Syntax is super important here; confirm you can run any code at all first and remember to try multiple reverse shells.
  • Once in, this was annoying. I knew which queries I needed to run to get the info I wanted, but spent waaay too much time trying to edit stuff within the “jail”. For anyone that went through the same thing I did… wouldn’t it be easier to create files elsewhere and somehow retrieve them and then execute?


  • Similar to foothold type enumeration. You’ll know what I’m talking about when you see it.


  • Wasted my time doing typical priv esc stuff when the answer was right there… However, I learned some new stuff around those pesky t***** and how they apply to hosts.

All in all, an awesome experience.

Happy for PMs if anyone else is stuck. Happy holidays all!

I’m stuck. I found creds for d*** user and ssh-key but I couldn’t find how to get user or shell. Can someone give me some hints?

Rooted with love <3
I lost a lot of time on user.
I didn’t know that I needed to change some permission on the SSH private key.
Anyway, good learning experience.


Got user, finally.
But I’m not getting how to use this V**** T****.
Can someone give me a Nudge?


Very good machine, also this is a real machine.

Feel free to ask.

Serious performance issues right now on the machine. Can only intermittently ping the box and the target port did not show up on all initial scans.

root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)

Wow! Awesome box. Thanks to the author for that! And the reference to Silicon Valley was fun.

Never mind, I was typing my own IP address as off by one. Remember kids, always check your typing. Because that can be your mistake. Take a break and then look at what you’ve done.
Seriously, I need to check for typos. It makes me feel even dumber than I usually do doing these flags.

I feel like I should change my sig to “Easily defeated by inability to use keyboard.”

But overall, the machine was a ton of fun. Had me wanting to pull out my hair, feeling like a gigantic idiot. And once again it turns out I’m overlooking the obvious.

Hi, I have an issue getting user.
After finding the s** p****** k**, if I use it on the one not at the usual port, I get asked for the k** password. If I input the one of the user g*******, the connection hangs. If I run s** with the -vvvv flags it hangs at:
debug2: channel 0: open confirm rwindow 2097152 rmax 32768.
I’ve tried connecting from a VM and another host, from 2 different networks, having the VPN configured to use UDP and TCP, and also both the solutions described here: SSH - Debian Wiki

Can someone help me?
Thank you

EDIT: Solved, thanks to @kiaora

Hello guys,
Anyone online to give a hint or two on how I can make my exploit work? Tried a lot of things for 2 days and I can’t figure out why it’s not working =/

Stuck at trying to get a reverse shell - I’m sending commands but not even receiving my ping back. Any nudge will be greatly appreciated.

Is this app running inside an alpine d****r image or is it just me? :smiley:

Rooted! This was my first box and I’m really happy I made it to root. Don’t think I would have made it without this forum though.

root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)

Ping me if you need help!

Rooted! Super fun box, it’s only missing a bit of Jian Yang :wink:

Foothold: Enumerate, look at recent changes, spot, exploit, profit.
User: You don’t need to get out of the jail per se. Just look at what you can find there.
Root: RTFM, quite literally!

Got the user, going for root. Foothold took me 3 days because I couldn’t get a reverse shell or the shell was getting killed instantly. After that everything was pretty straightforward.

Rooted the machine a couple of days ago, thanks to @kiaora and @OrenIshay for helping me understand what I did wrong with the exploit =D
Very nice machine, had a lot of fun searching for the pieces of information needed, indeed a very realistic challenge =)

So, having trouble navigating to two subdirectories on this box. Not connecting to *.craft.htb. What am I missing?

I’m so stupid… sorry everybody for my previous comment. I’m at a loss for words.