and finally…
Last login: Mon Jul 22 07:53:36 2019 from 10.10.10.110
root@craft:~# id
uid=0(root) gid=0(root) groups=0(root)
Type your comment> @conan said:
When i try to enumerate the tables i run command “show tables” but there is only one table “brew”
Read through the lines. How is it fetching the rows, can you make this differently?
Edit: Should save my advice for when I’ve actually finished it, sorry!
Type your comment> @tbbt said:
Type your comment> @conan said:
When i try to enumerate the tables i run command “show tables” but there is only one table “brew”
I think that’s a rabbit hole, but take my words with a grain of salt as I haven’t finished this box yet.
its definitely not a rabbit hole
Box was very interesting 
Really nice box @rotarydrone - and for once, I didn’t have to ask @Leonishan for help - (although @Leonishan 's forum post ended up helping anyway). Good illustration of vulnerabilities that you see posts on Stack overflow warning about but are still likely to be ignored.
I am able to execute commands, but need a little nudge to move on. Anyone willing to help me, please PM me, don’t wanna spam everyone
/e: Alright, got user. Now onto root…
/e²: Got it.
this was an amaaazing machine, i OVERCOMPLICATED things immensely with socat reverse proxies and whatnot, because i couldn’t get good data from the server. I got o the point where i found several internal hosts which weren’t supposed to be accessed going the intended way.
Type your comment> @Ketil said:
this was an amaaazing machine, i OVERCOMPLICATED things immensely with socat reverse proxies and whatnot, because i couldn’t get good data from the server. I got o the point where i found several internal hosts which weren’t supposed to be accessed going the intended way.
I am looking at reverse proxies right now… is that not how to proceed?
Very Fucking Funny box!!!
My hints:
user: enumerate in pages with sources. then try to read a about some vulnerabilities with the lenguaje programming. then, You don’t need scape from nothing even use al sources. After that, start again from the beginning.
Root: put an in the files on home. Read documentation about it.
Thanks for this box!
A very well designed box. It’s also a lot of fun. I also learned a couple of things, so I’m supper happy with it. Thank you for the box!
@tbbt, its an option
{edit: added a @}
Perhaps I’m missing something, but everything I try to enumerate returns an error or doesn’t resolve. There’s a link that should obviously lead to somewhere of great interest, but I can’t make any requests to it to see what’s available or browse to it. And dirb gives an error for every request it makes.
This is one of the few boxes that I will comment on. Pretty sweet ride. Took me more than hours to complete than I am willing to admit. This is not a typical CTF-like box. Think more like a real life scenarios, with real developers, maybe making mistakes and whatnots.
I went down a really deep rabbit whole in the beginning. Gaining a shell that I think I shouldn’t have been. I thought that was it, I got root and everything but then, where is the user/root.txt? Dammit, such a fool.
Most of the important stuff are in the gogs. Go through everything. I do mean EVERYTHING. It is not that much any ways.
After that you should be able to get USER.
For root just go through the machine that you have just gained access to; the purpose, the services running, do your enumeration thoroughly. You should check for left over stuff as well.
hint: One of the file will unlock every secret you need.
Hope I didn’t spoil too much
Should I be exporting $v***t_addr to a local ip? Service doesnt work and I’m getting 403 for all requests, including login
Switching it to a local ip works but the O** doesnt work for root
edit: Never mind, not sure what happened but restarting fixed it for me.
Rooted 
Pm if need a nudge 
Hi everyone, when I try to access apii.craft.htb / api it gives me an error that I can’t resolve the name. how can i solve
@nemen add https://
Type your comment> @TGZed said:
@nemen add https://
I’m already in https but it doesn’t work. could it be that i have to insert something in resolv.conf?
i got the creds and tokn, able to read the source, but stuck with the attack vector, does it related with the inj**ion?, anyone can PM please?
edit: got rce, thanks to @pp123