Official Backfire Discussion

it’s a wrap!

1 Like

Why HardHat C2 is so fu****** shaky…

Login Failed! The request was canceled due to the configured HttpClient.Timeout of 120 seconds elapsing.

Yuss, got it! :tada:
Was a frustrating box at first, but it got more and more satisfying (and linear) towards the end.

1 Like

… or just by trying out all the things on this website. A terminal functionality always looks tempting.

This box is insane!

Yeah… anyone got hints on what to do when you have access to H******? Most of the buttons end up just breaking the web interface, so I can’t even really mess around with it because I keep having to reload the page and it just breaks.

Just curious, did anyone get the websocket RCE to work via websocket communication?

Handshaking requests and custom packet frames into the websocket is really inelegant and tedious…

Which is the way for the priv-esc without breaking the machine? /etc/passwd does not work but with sudoers I can get root. Is there a better file to use?

1 Like

Which user are you trying to privesc from?

I’ve already pivoted to sergej.

I’ll DM you.

Actually, if you are using Kali… there’s an alternate solution that does not involve virtual environments.

You can install python3-pycryptodome on Kali using apt install.

The catch is that, for some reason, the package is now called “Cryptodome” instead of Crypto… so you need to make a little change in the PoCs: where it reads things like “from Crypto import AES”, you need to change it to “from Cryptodome import AES”.

And everything should work nicely.

2 Likes

If you install cryptodome you don’t even have to change the ‘from’ statements.

Cool box. User flag is really hard to get.
Root is easy, but requires a few steps to get it.

User Hint: PoCs are out there, the trick to integration is understanding how to bridge the gap in how they communicate. A theme will develop for interesting write permissions, get used to it.

Root Hint: A similar attack vector as User is in play here, albeit much easier. Make sure you spoof the right type of user, as being too greedy will lead to a dead end. Cue the theme music.

Congrats to everyone who has popped the box, I definitely enjoyed the PMs and they were the difference between solving this box and giving up on it, so those of you who helped me, you know who you are, and thank you.

2 Likes

Rooted this machine, and it was interesting to say the least. Here are a few hints to help you along your journey.

User:

  • The exploit is readily available and out there in the wild. Once you’ve identified what you may need to do, it should be easy enough to find the available exploit. A few parameters will need changing first to get it to work.

Root:

  • Basic Linux enumeration will uncover the intended path.
  • Again, the exploit is already out there but requires a few parameters changing first in order to gain access.
  • Make sure to explore everything, as there may be a way to launch a bash one-liner.
  • For the final stage, again, the exploit is already out there… (a common theme emerging here) but requires a few changes to get it to work and may require a slightly different modification.

Feel free to message me if you’d like any further pointers :slight_smile:

Considering how many of the exploits are already out there, I also think a medium rating is quite fair in this case.

1 Like

After rooting the machine I really can’t bring myself to understand how or why people are so convinced this is a hard-rated machine disguised as a medium; this is very much a medium box. It makes me wonder how many people are too dependent on being hand-held through a machine versus deepening their understanding and knowledge of what’s going on and applying it to exploit the machine. A nudge every now and then isn’t too bad, but relying on people handholding you only hurts you in the long run.

2 Likes

Quick question: .ilya’s /ssh directory is very empty… is that supposed to be the case?

Hit the box after a reset & see.