Type your comment> @deviate said:

Type your comment> @Ramphy said:

But how? I did everything I could but I did not achieve anything, I need a clue.
I have read many books about different types of things to do when it comes to pentesting, but they are very different situations than what I find here.

Yeah, for this one you need to find some books on how to play hide and go seek.


Type your comment> @Tilia said:

Type your comment> @luixtao said:

Type your comment> @Tilia said:

You would have never figured out that the higher port works as a database, you figure out this reading these posts in the thread. Now a simple question: everything you can get doing basic recon on the box - running dirb, for example, will only give you unavailable “directories” and a couple of available ones, and when you try to access them, you see nothing. There would be no problem if it would not be a nginx server but some node js. And again folks post “that helped me so much”-like comments thinking it is helpful, but it is more confusing I would say. So yeah, I would have probably never figured out that the higher port works as a database unless some of you posted this, because there is literally no any single pointer to this, and it contains literally useless garbage, nor anything useful giving me an idea about how to extract data.

Some guys find this box frustrating, and the main problem of this is that it’s rated as a simple box and requires hard work. You were probably expecting that you would own the box in 30 minutes after its release or so, but no, there you go.

I am sorry if you guys find this post a toxic one. But that’s exactly what happens in my mind right now. It’s not a tragedy, but I can’t find a foothold to get user at least.

When you got the user you realize it’s easier than you ever though.
Just squeeze all the info you can get from the needle. Do not overthink as I did.

I don’t know how I can extract something seeing only a couple json lines – provided name and uuids.

You know, there is one problem I can’t handle - it’s a type of database I haven’t experienced with before. I do not know whether it requires credentials to extract data, i don’t know how to extract it in general, because now I can see only a couple json lines having useless numbers and base64-like hashes.

There are too many questions. You decide to find answers for one of the questions - it will take a long, and this waste of time may seem useless in the result.

Got it.

Type your comment> @Tilia said:

There are too many questions. You decide to find answers for one of the questions - it >will take a long, and this waste of time may seem useless in the result.

I disagree 100% with your argument, there’s no useless time in hackthebox. I’ve never worked with elasticsearch before and even if I never reached to get the user I’ve spent some hours learning about this technology and traveling around that DB through URIs. Ok, everybody wants the hash, but I the thing I really love is learning in the progress.

Follow the hints already mentioned: the image isn’t worthless

Type your comment> @Tilia said:

Got it.

You rock, bro! (or sis!)

Type your comment> @will135 said:

now how exactly is this considered an easy box while Jarvis is considered a medium box? These ratings are all over the place, and have been for several of the past boxes like Arkham and Unattended.

Better, why Luke it’s a medium box?!

Type your comment> @luixtao said:

Type your comment> @el3ctr0 said:

maybe it does look easy, but there is a lot of data that you get after executing _s****** on higher port, it look more like riddle solving , or Im just on wrong path…

Yeah, it is! I mean, I don’t think this pretends to be a “real world” example on how to pentest, cuz nobody saves credentials in that way.

Maybe not a super real world example using quotes, but I have seen this db used to index logs that contain request logs with param data that include passwords in clear text…

any hint to root?

If people can stop hosing the server, that would be great…?

Welp, rooted. That’s quite a few hours of my life that I’m never going to get back…

This may be the first box that I’m going to dislike, mainly due to the user part. It’s just a whole slew of grinding over and over on something that you’ll hardly see in the real world. I usually don’t mind CTFy boxes, but this one definitely touched a nerve.

Anyways, some hints for this:
User: Like others said, port 80 is not useless. The high port may look daunting, but the technique used to dump the information is pretty old. Only one of the in***** are useful…

Root: The entire path to root doesn’t go far from the high port. To begin, you got to keep quiet and listen.

Once you are more privileged, it’s time to go back to the basics.

One final note: It is not recommended to do this box on free servers if you want to get value out of the privesc. The server is slow, it gets reset often, and it’s pretty much impossible to get root without being spoiled (Learned that the hard way unfortunately :()

PM me for more hints, though my patience’s about out with this box.

I think definitely that Im going to wait for IPSEC video, because everyone here is shouting how easy this one is and maybe Im looking it in complicated way, so as IPSEC like to do it in complicated way I will wait for him and see :D, truth is I got a lot of data from e*s but maybe not all, IPSEC, waiting on you buddy ?

Finally got the root shell. I’ve learned a lot about ELK stack. If anyone needs help feel free to PM me. :slight_smile:

Rooted, kudos to the creator!

Really nice box, I learnt a good chunk about ELK and got some hands on experience and new tools for the collection if I ever see something like this in the wild. A little CTF in the user phase, but arguably not that bad. Also loved the language twist; a good reminder that not everything out there will be conveniently readable for you! First HTB machine in Chinese next anyone…? :wink:

Hints then.

Good old fashioned documentation will do if you’re not familiar with the tech. There’s some nice tools out there as well that can help, but you’ll need a little understanding first. Once you’ve got the data, everything you need to move forward is in there. The needle isn’t just for show…

You need to go out to come in again. You may have found approaches earlier that weren’t viable that could be worth a revisit. Then just enumerate and see what you can now access from your new position that you couldn’t before.

Haven’t got root yet, but I still want to give my thoughts on user since i see a lot of people almost getting frustrated.
First thing i thought when i saw the name of the box was, sure this is going to be super CTF-like, just like the rating says. So if you want something more life like, maybe do another box, Jarvis is a lot more “real life”. CTF-like boxes are an awesome way for people to learn how to use their skills in a different way.
Rant over.
User: There are already a lot of hints in this thread, but for the low port, think about ways to get information out of such a file.
Then. If you have a stack of hay and you need to find a needle in it, what is the better approach. Take one hand full and start looking though that? or take the entire haystack and shake it until you find what you are looking for? Think about the service, are there any tools to get the entire picture?
happy hunting :slight_smile:

Rooted ! What a fun box.

I don’t get why people are calling the box frustrating or “Too CTF-style for my taste”. If you read the documentation properly, it’s all there in front of your eyes. Has a satisfying root !
Beautiful !

Also, the EU servers are toxic. I don’t get why people think it’s a good idea to troll over broadcast.

very frustrating box!!! not able to get the user no clue either with elastic search i’ve used all possible ways

Don’t you just love it when people copy the root flag into /tmp and leave it there?

I feel like that just ignores the purpose. I feel like elevating permissions is more satisfying then just getting the root flag and calling it done.

I’m also having a hard time with the node port. I’m reading the documentation but it’s a lot and I’m not sure where to look.

I did find a username and password, but they do not seem to work.


Ok, the box was reset and those supposed username and password are gone so that’s not it. The only thing I managed to find are “banking” details.

I can’t believe there isn’t any tools that automatically dump all the data from the stack, do you guys know any?
Go query by query is cumbersome…

@Uvemode search Gtihub. You’ll find one.