Mischief

What a fun, rewarding, multilayered machine to pwn. There were multiple roadblocks and multiple a-ha moments and “why didn’t I already try that?” This required a little bit of enumeration that is usually not necessary to find the entry point. I learned a few new things and was reminded to not always ignore the obscure when you get stuck.

Rooted. Really fun box! Great job @trickster0

@melka said:

@artikrh said:

@p3tj3v said:
That was a fun box… learned quite a few things…
Not sure if I rooted it correctly… but did find the flag :slight_smile:
thank you @trickster0

There was a previous box which had the exact same technique to get root. Ippsec made a nice and informative video about that, I suggest you take a look.

And another one still active with almost the same technique (well, same principle, different program) :slight_smile:

this has been fixed by a patch. Check Login :: Hack The Box :: Penetration Testing Labs

@mpgn said:

@melka said:

@artikrh said:

@p3tj3v said:
That was a fun box… learned quite a few things…
Not sure if I rooted it correctly… but did find the flag :slight_smile:
thank you @trickster0

There was a previous box which had the exact same technique to get root. Ippsec made a nice and informative video about that, I suggest you take a look.

And another one still active with almost the same technique (well, same principle, different program) :slight_smile:

this has been fixed by a patch. Check Login :: Hack The Box :: Penetration Testing Labs

Do you know what the unintended ways were? I would love to know if you wanna PM me them - I only noticed one vector.

Now the user holding the user.txt file isn’t a member of the groups lxd and libvirtd anymore. Another way to read the flag is required.

Anyone find the intended way? I have access and got user, but stuck on root.

I’m in the same boat @Magavolt . It kinda sucks that many were able to get an easy 50 pts for this, but nobody even seems to know what the intended method was. It makes the box lose a lot when it comes to enjoyability. I’ll keep at it until I get it the correct way though.

Found the two creds, the higher UDP port, and the service bound on localhost (so unable to contact…).
Any hint at this point?

Do I need to brute force the login, or do I just have to find the location where these credentials are?

Has anyone solved the root privilege escalation after it has been patched?

Can anyone spare a hint on the second login? Nothing I’ve tried seems to be working. Also found another page, but it doesn’t give any output with anything I do to it.

@cdf123 said:
Can anyone spare a hint on the second login? Nothing I’ve tried seems to be working. Also found another page, but it doesn’t give any output with anything I do to it.

If nothing works, go back to basics and try a common username :wink:

HINT: Once you learn how to login, you start to assume some things. These assumptions will have you at a roadblock when you shouldn’t be. There is mischief going on, remember? Things won’t always be the way you think even if they once were. I hope this helps without spoiling.

I’m still working on priv esc, but I’m sure the same rules apply, lol.

@blackhood said:
HINT: Once you learn how to login, you start to assume some things. These assumptions will have you at a roadblock when you shouldn’t be. There is mischief going on, remember? Things won’t always be the way you think even if they once were. I hope this helps without spoiling.

I’m still working on priv esc, but I’m sure the same rules apply, lol.

Got the root. It is really a mischievous god/machine

Holy effing smokes batman!!! This ■■■■ box is one long F*xx around. ■■■ this was stupid and horrible and really fuxx up. I loved every freaking second of it! This box was epic!! Thanks @trickster0 !! That name definitely fits. You’re a ■■■■, but I owe you a drink for this one. I hope a respect will do. Well done my friend!!

Someone mentioned ippsec’s video walkthrough of one box that is similar to this. Can anyone give me a link where this video resides?

@Higgsx said:
Someone mentioned ippsec’s video walkthrough of one box that is similar to this. Can anyone give me a link where this video resides?

That was an unintended method and has been patched.

I enumerated one UDP port and extracted some information, but nothing interesting has been found. Found creds, found a picture, but I can’t go further. I checked everything, I think. Scanned full TCP/UDP ports; no more interesting ports show up. Can anyone give me a little advice on how to go further? I tried stego, but I guess there isn’t any stego stuff to do.

@Higgsx said:
I enumerated one UDP port and extracted some information, but nothing interesting has been found. Found creds, found a picture, but I can’t go further. I checked everything, I think. Scanned full TCP/UDP ports; no more interesting ports show up. Can anyone give me a little advice on how to go further? I tried stego, but I guess there isn’t any stego stuff to do.

I see multiple TCP/UDP ports and 1 login page. I’ve performed a walk and I’m stuck. Can anyone give me a kick in the right direction?

I got access to the other login page, but can’t seem to bypass it. Tried everything from brute forcing the login to looking for other pages. Would appreciate a hint to move in the right direction :slight_smile:

nvm got it