Official BountyHunter Discussion

Can’t seem to find the right path for the db config file. Tried what I can find through Google but nothing is coming back? Nudge?

Very bad question here. Do I need a VIP subscription to connect? I am able to spawn my own virtual instance, but cannot ping it. Also cannot connect to the release****.vpn…
Am willing to go VIP, just did not need until now.

Apologies for the waste of time, appreciate some advice nevertheless.

@mrenus said:

Very bad question here. Do I need a VIP subscription to connect?

In theory no. On the access page there is a range of VPNs to pick from.

Go to Login :: Hack The Box :: Penetration Testing Labs and select “Free” then download the VPN connection pack.

I am able to spawn my own virtual instance, but cannot ping it. Also cannot connect to the release****.vpn…

I don’t know enough about the release VPNs sorry. I didn’t think you needed to be VIP to use it though.

Am willing to go VIP, just did not need until now.

Apologies for the waste of time, appreciate some advice nevertheless.

@mrenus said:

Very bad question here. Do I need a VIP subscription to connect? I am able to spawn my own virtual instance, but cannot ping it. Also cannot connect to the release****.vpn…
Am willing to go VIP, just did not need until now.

Apologies for the waste of time, appreciate some advice nevertheless.

To the best of my knowledge, you need to be VIP to connect to the release arena (spawning your own machine). However, you can connect to the free machines without VIP access (this will be one of them). This is a shared machine, so you won’t be working it on your own.

I may be wrong, but that is how it used to be. Also, there are no bad questions. At some point we have all been new to this site and needed some help with things.

@obfucipher said:

@hum4N3rd said:

Hello, I’m stuck. I found a vulnerability. I have read the database configuration file and the classic /passwd, but now I’m stuck. Some advice?

Sent you a message

I’m in the same position as the other guy. Can you give me a nudge too?

@benjamin2000 said:

I know the vuln, but can’t seem to figure out the absolute path to the database config file. Can anyone help me out?

Rooted. For anyone struggling with this, sometimes applying the right kind of FILTER will get you what you want. Props to @obfucipher for the hint.

Also don’t forget to url-encode your payloads ;), this set me back a few hours.

@garlicgeorge said:

@obfucipher said:

@hum4N3rd said:

Hello, I’m stuck. I found a vulnerability. I have read the database configuration file and the classic /passwd, but now I’m stuck. Some advice?

Sent you a message

I’m in the same position as the other guy. Can you give me a nudge too?

Sent you a message

Just finished user, gonna do root later. I’m wondering why the specific filtering technique is necessary in the foothold exploit. I can access some files without the filtering technique, but to access the interesting files, it seems like the filter is necessary. Does anyone have an idea why? Any hints would be appreciated :)

Rooted! Thanks to @obfucipher and @W0bamt for the nudges on getting foothold that unnecessarily stumped me :)

For root; math will lead you to an important destination

@mrenus said:

Very bad question here. Do I need a VIP subscription to connect? I am able to spawn my own virtual instance, but cannot ping it. Also cannot connect to the release****.vpn…
Am willing to go VIP, just did not need until now.

Apologies for the waste of time, appreciate some advice nevertheless.

No need for VIP to connect to release. Switch server (EU to US or vice versa), been there done that.

Ah, and don’t forget to download the connection pack again after switching.

Hey guys,

I would love for someone to give me a little kick in the right direction to the db.
I cannot for the life of me find it, I tried every single path I could find online for this application and also used encoding / filter, even localhost.

Thanks.

Rooted! Cool machine, liked both the user and root stages, lots of fun!

User: Enumerate the box thoroughly, check for common weakness and use it to check out the files you should have found during your enumeration.

Root: Check out what you’re allowed to do and analyze the command thoroughly for dangerous code.

I finally had some time to look at this box - based on comments here, I thought it was going to be a lot easier than it was.

It is a fun box, but I’d say it was on the harder side of easy (unless I just messed up the early stages).

Initial:
Enumeration/Recon is important. Check what exists, and look closely at how you interact. Then it’s a bit of tweaking to a well known attack against what you’ve found. For me, this was the hardest part of the box.

Getting User:
Once you have the ability from the above, you can enumerate further and find a way to access. Then take what you have and try it with the other things you might have found. This gets user.

Privesc:
Enumeration, find out what can be done, examine it in detail, abuse it.

Kicking myself here on foothold. Have the exploit, have user names, but can’t seem to get the filter to work quite right to get the needed info. Have googled and read tons of information about vuln and the filter, feel like I’m missing something.

Rooted with and without shell (although incorrect flag, I think it is broken now)

For the foothold, if you, like myself, tried the payload and filter but no results, think of where you are running the command.

Root: Easy without shell, and needs some Googling for the shell. Just read what you have and think of evaluating the situation.

@salt said:

Rooted with and without shell (although incorrect flag, I think it is broken now)

I think it’s because it just left RA, I had to do it again in the LAB to get correct flags.

@cm359 said:

@salt said:

Rooted with and without shell (although incorrect flag, I think it is broken now)

I think it’s because it just left RA, I had to do it again in the LAB to get correct flags.

Noticed that, but the thing is, it is still showing the RA subnet IP even if I’m connected to the Lab vpn!

@50m30n3 said:

Kicking myself here on foothold. Have the exploit, have user names, but can’t seem to get the filter to work quite right to get the needed info. Have googled and read tons of information about vuln and the filter, feel like I’m missing something.

Never mind, got user. Always gotta enumerate more and make sure you’re using the right tool for the right job.

Can’t submit user flag though - says it’s wrong. I guess it left RA but I can’t access it outside of RA VPN.

Anyway, have user hash, off to root.

@50m30n3 said:
@50m30n3 said:

Kicking myself here on foothold. Have the exploit, have user names, but can’t seem to get the filter to work quite right to get the needed info. Have googled and read tons of information about vuln and the filter, feel like I’m missing something.

Never mind, got user. Always gotta enumerate more and make sure you’re using the right tool for the right job.

Can’t submit user flag though - says it’s wrong. I guess it left RA but I can’t access it outside of RA VPN.

Anyway, have user hash, off to root.

Well that was easy.

uid=0(root) gid=0(root) groups=0(root)
bountyhunter

Foothold - The tips pointing you in the direction of OWASP are all you need. Look at what’s there and think about some classic ways to go.

User - make sure to enumerate EVERYTHING. If, like me, suspected things were not giving what you need, collect yourself and look around again, maybe you’re not trying to look at the right thing and maybe your first round of enumeration didn’t find what you needed. After you find the key and read it, user falls into place.

Root - This was incredibly easy. Enumerate to find what’s available to you and then make sure to read thoroughly. Line by line. Maybe recreate some stuff locally until you get what you need.

Happy rooting :)

Need a nudge from someone please, could I get a PM to discuss further?
Got the OWASP exploit, got user but no pass.