Craft

Hi good peeps, I have just logged in to that repo, found and added my local key, and it shows authenticated to the server and port ***2 in the verbose debug log, but everything freezes after that message… What have I missed, or am I heading in the wrong direction…?

Hello! Why can’t I see the API?

@DeZ0 said:

Nice box! Congrats @rotarydrone

Very real-life, nice for OSCP-like training, and you learn some useful things for blue-teaming.

Some hints:

The first thing you need to do is edit the hosts file to include the domain craft.htb; in this case you have to include several entries :wink: This is something you should do with all HTB boxes.

User → Explore the API and its source code. You should see a common vulnerability in the code: a function which never ever should be used with any user input. After that, you need to exploit that specific vulnerability to get code execution on the machine. After that, you need to enumerate to get out of jail (you should be able to realize that you are “in jail”). You will need to learn and play with MySQL in order to get out! :wink:

Root → Explore the repo again with some new credentials. After that, you will need to learn how to open the “vault” to get the root password!

If someone needs a nudge, PM me :wink:

How do I edit the hosts file?

Rooted! Very nice box!
PM for hints, I usually reply fast :wink:

@rfalopes said:

How do I edit the hosts file?

vi/vim/nano /etc/hosts

Got the creds and token, but don’t know how to do RCE.
Can someone give me a nudge? Thanks

Edit: Now I know it has something to do with a certain method and probably SI***n, but I still can’t get it to work.

Thanks to the creator for this machine
The user was the most complicated to take out but once he has the root it was easy

Do I need to reset the box to get user? Because of the 5 minutes of t*k**?

One of my favorite boxes rooted thus far. Real life applicable, but challenging. Shout out to @rotarydrone for the box, well done, looking forward to any other box you may create in the future.

PM me for hints/nudges, more than happy to help :slight_smile:

Rooted.
PM if you are facing any difficulty.

Finally rooted.

Pretty cool box. Sort of real world-like.

My advice for anyone.

Initial Foothold:

  • Took me ages to figure everything out. The hints in this thread give you everything you need. However, some Python know-how will be required to make sense of everything you need. “Look into the past to see how things have changed”

Initial Shell:

  • The ■■■■ RCE just didn’t want to work for me, and boy did I try hard to get it. Syntax is super important here; confirm you can run any code at all first and remember to try multiple reverse shells.
  • Once in, this was annoying. I knew which queries I needed to run to get the info I wanted, but spent waaay too much time trying to edit stuff within the “jail”. For anyone that went through the same thing I did… wouldn’t it be easier to create files elsewhere and somehow retrieve them and then execute?

User:

  • Similar to foothold type enumeration. You’ll know what I’m talking about when you see it.

Root:

  • Wasted my time doing typical priv esc stuff when the answer was right there… However, I learned some new stuff around those pesky t***** and how they apply to hosts.

All in all, an awesome experience.

Happy for PMs if anyone else is stuck. Happy holidays all!

I’m stuck. I found creds for d*** user and an ssh-key but I couldn’t find how to get user or shell. Can someone give me some hints?

Rooted with love <3
I lost a lot of time on user.
I didn’t know that I needed to change some permissions on the SSH private key.
Anyway, good learning experience.

rooted!

Got user, finally.
But I’m not getting how to use this V**** T****.
Can someone give me a Nudge?

rooted!

Very good machine, also this is a real machine.

Feel free to ask.

Serious performance issues right now on the machine. Can only intermittently ping the box and the target port did not show up on all initial scans.

root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)

Wow! Awesome box. Thanks to author for that! And reference to the Silicon Valley was fun

Never mind, I was typing my own IP address as off by one. Remember kids, always check your typing. Because that can be your mistake. Take a break and then look at what you’ve done.
Seriously, I need to check for typos. It makes me feel even dumber than I usually do doing these flags.

I feel like I should change my sig to “Easily defeated by inability to use keyboard.”

But overall, the machine was a ton of fun. Had me wanting to pull out my hair, feeling like a gigantic idiot. And once again it turns out I’m overlooking the obvious.

Hi, I have an issue getting user.
After finding the s** p****** k**, if I use it on the one not at the usual port, I get asked for the k** password. If I input the one of the user g*******, the connection hangs. If I run s** with the -vvvv flags it hangs at:
debug2: channel 0: open confirm rwindow 2097152 rmax 32768.
I’ve tried connecting from a VM and another host, from 2 different networks, having the VPN configured to use udp and tcp and also both the solutions described here https://wiki.debian.org/SSH#SSH_hangs

Can someone help me?
Thank you

EDIT: Solved, thanks to @kiaora