Wow, I’m really struggling on this one. There doesn’t seem to be anything to grasp on, the normal injections don’t work on the login page and gobuster gives me nothing. Any nudges?

@purplenavi said:

Wow, I’m really struggling on this one. There doesn’t seem to be anything to grasp on, the normal injections don’t work on the login page and gobuster gives me nothing. Any nudges?

Hey. If you’re talking about the initial login page, then I’m sure that a common payload will let you in.

@silverfox983 said:

I have the flags but both are not working for some reason? I am entering the hash with no HTB{} format just raw hash

If you read through a few of the threads here you will see that this is an occasional problem.

HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

However it also means that sometimes the hashes don’t load properly and it creates issues.

The main suggestions seem to be:

  1. reboot, repeat the pwnage, get the new flags, try them
  2. report it to HTB via a JIRA ticket and see if they can fix the issue

Holy CRAP, the foothold part (specifically, the uploading) made me feel stupid. The answer was right in front of my eyes, I already knew what it was, but it just didn’t click for far too long. Good on the creator for reminding me about it.

Haven’t done much yet other than that, just wanted to make a post reiterating that it’s literally not as hard as one might think. You just need to know how files work.

EDIT: It may, however, take a bit of trial and error to figure out. But don’t worry too much.

EDIT 2: Done, both user and root. PM me if you need a push in the right direction.

Really fun box, probably my favorite so far! The root part was completely new to me and took me quite a while to figure out, but it seems like an incredibly useful method.
Big thanks to @TRX!

That was an adventure! Rooted. The hardest part, for me, was getting past the login page. Despite it being easy and trivial for some folks, and while I’d read about those attacks and understand exactly how they work, I’d never had to actually do one before, so I wasn’t sure what was the best way to go about it. Much thanks to @muemmelmoehre and @gunroot for letting me know I was on the right track and not just in a rabbit hole.

I was also outsmarting myself burping sweets while trying to get past the login page, so I had totally missed the indications that what I was doing was working. Hours later I figured out what I’d missed.

Once I got that foothold, the rest was pretty easy.

Really enjoyed and learnt a lot from this box, thanks to the creator!

Rooted! Quite a tricky box, but a very good one.
So many hints in this forum, but if you need an extra nudge feel free to message

The exploit for root is so simple yet so genius.

Root: learn about Linux priv escalation techniques/scripts

good machine

Just rooted the box, I must say it could be an OSCP exam machine. The way from www-data to root is extremely cool. Great machine!

I clearly must be missing something here: why can I only access the h*** service via a (particular) CLI but not with a generic GUI (i.e. br*****)?

Rooted! Thanks to TRX for the learning experience!! Nice foothold, got really stuck on user, I didn’t know that command and I didn’t even notice the creds the 1st time I looked into the file… but it’s cool

USER: use creds to find more creds

ROOT: common technique with unusual tool

[ edit or remove if you think it’s got spoilers =) ]

Got www-data and all, but can’t figure how to get user.

If I understand well, I need to use a tool to enumerate with the creds I found, leading to more creds… but I can’t find the tool!

Goin’ mad here :’(

Got it.
I should’ve taken @TazWake’s hints more literally :)


I’m stuck in the foothold, I guess it is related to m***-h**** but still I don’t manage to login, can anybody give me a tip? I read most of the tips in the forum and I’m still stuck, perhaps I’m totally biased…

Finally Rooted.
What a box. Like many people, I got overwhelmed on the user and the root part.

For the foothold, you need to get to the basics. Owasp’s Top 10 and all those things.

For the user, you need to enum, to find creds, to find a tool to use, to find the creds you need. Don’t overthink. If a tool isn’t here, maybe a cousin of his is there.

For the root, enum again. Find a vulnerable program with the right tools. How does it work? Does it call other programs? Are they usable?

ah, did this just retire as I am working on it?

@zeroes said:

ah, did this just retire as I am working on it?

If you were working on it yesterday, then yes.

Anyone done this recently? Walkthroughs don’t work for login page bypass or upload bypass. The website appears pretty broken as well (compared to videos).