Yes I did.
I generated a new OpenVPN file and connected again. (Make sure you are connecting to seasonal.) After that I was able to ping the machine.
Still struggling with the PIN exploit. Thought that I got everything right, through the LFI, but all generated PINs won't work…
And why can't one use the LFI itself to get a shell? Couldn't locate any log file, and proc/self/environ didn't show the user agent at all…
No way through LFI to shell?
I suggest you emulate the same environment you would have on the box, also using the same "app.py". You would find the only piece of information of public bits you are probably missing.
Man, I've tried emulating this environment in many different ways, still can't get the correct PIN. Even when I'm using the exact copy of app.py, I double-checked all the info there (port, secret_key, etc…), still can't get it to work. Am I missing something? Are there any other files that I should look at?
You can DM me with the code, and I will check what you are missing.
For anyone still stuck on the PIN, there's a very helpful blog post if one were to google-fu regarding werkzeug pin cracking. The post in question takes into account the multiple possibilities of machine-id, md5 vs sha1, etc… and generates a list of possible PINs. If one were to enumerate the box hard enough to include sufficient permutational parameters, the PIN is crackable.
As one additional hint, the blog post is very new, and my heart goes out to the poor souls who wouldn't have been able to find this post for about the first week after the machine came out.
Another additional hint for the brave ones who want to crack the PIN.
When you start a standalone Flask app on your local machine for debugging, you'll have the wrong names. Look closer at how the app starts: who starts it, and how. Then reproduce this method locally and see how the PIN changes.
thx
i found the latest blog post about werkzeug pin cracking and finally my script worked
the key is modname and appname. not always flask.app, FLASK
When you reproduce it locally you will notice that it generates two PINs. By adding some debugging prints in the code, you will notice that the appname is different for the first one… you should try to use this name instead.
I think I'm in the last stage.
- I managed to get a foothold
- I managed to move quite horizontally within the system
But I feel like I'm missing something for the root part
Debugging connection was closed reason: websocket disconnected
Use sudo -l, when there is something, it is most of the time vulnerable
idk why but it works now
may need reset
How to set DNS record for su*******.htb? Is there any way to set a record in /etc/hosts that auto-resolves all .htb domains?
Thank you
I finally managed to finish the machine. It took me a while, but I was up to it.
DM me
Hi,
I rooted the box today but I think I didn't pass one of the steps correctly.
Can I DM someone who has finished the box to share the steps I made, to see if I benefited from a change made by someone else?
thx
I am trying to generate the PIN to use the console, but the PIN is always incorrect.
Need some help to know exactly which attribute is incorrect while I am generating PIN
Hi,
I managed to gain RCE with a shell as an unprivileged user. However, I'm having trouble finding credentials to connect via SSH as another unprivileged user that I need to escalate my privileges further. I've tried various methods, including searching through configuration files, attempting to crack password hashes, and checking for any plaintext passwords, but I haven't had any luck so far.
I would appreciate it if someone could provide me with some hints without spoiling
Thanks in advance!