Official Blunder Discussion

Ok, I’m a bit stuck at root. I’d appreciate a nudge.

I found a screenshot of the root.txt in a user’s directory, is it intended?

@Nism0 said:

Ok, I’m a bit stuck at root. I’d appreciate a nudge.

Okay! Refer to recent vulnerabilities on privilege escalation!

Spoiler Removed

@Nism0 said:

Ok, I’m a bit stuck at root. I’d appreciate a nudge.

Just google one thing, that you will eventually find while looking for privesc.

Finally found the password with a helpful nudge from @Karthik0x00. Turns out I had the correct password in my custom wordlist but my fuzzer breezed right through it. I have a hunch about what went wrong but I’d rather not discuss it publicly. Is anyone available to PM about the networking side of things?

Just rooted, thanks to @Karthik0x00.
Cool bug for getting root, but I wouldn’t have figured this out by myself.
Kudos to those who did that by themselves!

Rooted the box, it was a new way for me compared to how I might normally do that privesc.

Enumeration is key, no need for brute force at all. Foothold to user 10 minutes, user to root 2 minutes.
As with most cases getting foothold is the toughest part.
Fun box

Rooted! Feel free to DM for any nudges.

Nice box but ran into a lot of problems along the way, needed some help to get back on track…
For User if you found u****.p** in one place maybe look for another one :slight_smile:
Will be happy to give nudges if you need one!

I could use a nudge if anyone wants to help… I have my foothold and I can read the filesystem (I see the two flag files) but I can’t figure out how to escalate my privileges. Please DM!

Thanks heaps for the fun box!!!

User was pretty fun, root took me a while cuz I stepped way too far and went down a rabbit hole of hezza! Got there in the end tho!

Many thanks :slight_smile:

@arthurakay said:

I could use a nudge if anyone wants to help… I have my foothold and I can read the filesystem (I see the two flag files) but I can’t figure out how to escalate my privileges. Please DM!

Do a bit of research into a vulnerability disclosed towards the end of last year. It had a very specific set of circumstances where it worked and this box has those circumstances.

This has been a pain in the a$$. Spent hours looking for username and then pass. Initial foothold is just enum… didn’t get anything? Enum again.
Got user and root. I was wondering when that priv esc was gonna be implemented in an htb box :smiley:

pm for hints and please give me some

So I tried to replicate the bug that led to root on my Debian VM, where the vulnerable app is in the right (read: vulnerable) version. I met all the circumstances, but I got an error that such a user doesn’t exist. Does anyone know why that is?
BTW - some of you guys wrote that user to root took several minutes. Have you seen that bug before in the wild so you were just aware of it? Or how did you figure it out?

Rooted - thanks @clure for the foothold hint

@Nism0 said:

So I tried to replicate the bug that led to root on my Debian VM, where the vulnerable app is in the right (read: vulnerable) version. I met all the circumstances, but I got an error that such a user doesn’t exist. Does anyone know why that is?

It also needs you to use a specific version of the application, it’s not as simple as the configuration file.

@TazWake said:

It also needs you to use a specific version of the application, it’s not as simple as the configuration file.

As I wrote, it is in the right version.

@Nism0 said:

As I wrote, it is in the right version.

Ok, I’ve got nothing. Something has obviously been patched on your system but what that is, can’t be easily guessed without access to your system.