Official Breadcrumbs Discussion

I have learned to count from 1 to 4 and was able to find an interesting key, which doesn’t seem to fit in any hole… I would be glad for a nudge.

Edit: rooted

Well, despite my faltering start, I’ve completed the box!

The very last step was a bit of a guess inspired by an old Stack Overflow thread, and a helpful error message from the chef. I found this box to be very worthwhile to persevere with as there are so many facets to it - good stuff, @helich0pper!

Thanks again to @camk for picking me up after I fell at the first hurdle.

Can someone help me a bit in DM, please? I’m trying to get root, I’ve found an encryption key and something to decrypt with it, which gets me something that looks almost like a password, but has some binary content at the end, so I can’t decode it as a text. Am I on the right path, or totally off maybe?

@RummyExpress said:

Can someone help me a bit in DM, please? I’m trying to get root, I’ve found an encryption key and something to decrypt with it, which gets me something that looks almost like a password, but has some binary content at the end, so I can’t decode it as a text. Am I on the right path, or totally off maybe?

Try different modes

@hackpadawan123 said:

@RummyExpress said:

Can someone help me a bit in DM, please? I’m trying to get root, I’ve found an encryption key and something to decrypt with it, which gets me something that looks almost like a password, but has some binary content at the end, so I can’t decode it as a text. Am I on the right path, or totally off maybe?

Try different modes

I’ve been trying, and there is only one which does not fail at all, and there is a readable output, but the last couple bytes can’t be decoded as ASCII

@RummyExpress said:

@hackpadawan123 said:

(Quote)
I’ve been trying, and there is only one which does not fail at all, and there is a readable output, but the last couple bytes can’t be decoded as ASCII

I have sent you a dm to not spoil anything here.

I haven’t seen many boxes with the variety of different challenges this one has. The breadcrumbs really help keep on target, but it’s still a great workout.

The last step is a doozy though. If you got something that looks right but doesn’t work, you’re very close. Try modes that require information that you don’t have, then guess till it works.

Completed, definitely one of the funniest boxes.
If you need help you can send a DM.

Thanks to @hb86125295 for helping me.

I was able to find usernames via enumeration processes, but have been unable to move forward as it seems I am hitting rabbit holes. Could someone DM me with a hint based on where I am at, please?

@MactheDice said:

I was able to find usernames via enumeration processes, but have been unable to move forward as it seems I am hitting rabbit holes. Could someone DM me with a hint based on where I am at, please?

Try to intercept and examine requests, maybe there’s something unusual?

This is a great machine to bridge the gap between Medium and Hard from my perspective as a recently-minted OSCP. Excellent work by @helich0pper. Nothing too complex, but requires a lot of attention to detail and more intermediary steps. There is a clear logical progression while fitting multiple pieces together. Here’s a few hints (never done one of these posts, so please let me know if I gave too much away anywhere):

Foothold: Poke around the application, mess with some values in your proxy and see if you can induce unexpected behavior. Once you find a problem, it’s a good idea to write a script to make it easily repeatable. Be careful not to gloss over details. Again, writing a script can make testing easier when you’re working on getting the way in to work.

Lateral Movement: There’s another open port that can help once you’ve found what you need.

Privilege Escalation: There’s a useful file related to the user’s notes that you can find on the system by following standard enumeration procedures. The information there will put you on the right path. You can get what you need for the last step via the command line or by revisiting an earlier step. This can be very simple and direct - the other hints have described some very roundabout methods for this part. Keep it simple.

Fun box indeed - took my time with this one which was worth it.

Big kudos to @camk for your assistance on this.

And a big thank you to @helich0pper for creating this awesome challenge

Hi all, I am struggling with the last step in getting the admin pw right. Could someone assist? I do have all I need, I think, but the modes I tried didn’t work out properly.

Update: thanks to everybody who replied. Got it now!

Very nice work, @helich0pper. Enjoyed this box a lot. The only thing I didn’t like too much was the final step, where I got stuck. Thanks @xploiter121 for helping me out when I lost my path on the way to root.

@h0l1st1c4l said:

Hi all, I am struggling with the last step in getting the admin pw right. Could someone assist? I do have all I need, I think, but the modes I tried didn’t work out properly.

For some modes you may need some info you don’t have. Maybe it works without it as well. If you need more detailed help, let me know via DM.

Are there HTB{} flags in this box?

@thecog said:

Are there HTB{} flags in this box?

I haven’t done this box, but probably not.

Machine flags tend to be in a file called user.txt or root.txt.

@TazWake said:

@thecog said:

Are there HTB{} flags in this box?

I haven’t done this box, but probably not.

Machine flags tend to be in a file called user.txt or root.txt.

Alright. I have RCE and user… I’m just not sure what I’m supposed to submit…

@thecog said:

Alright. I have RCE and user… I’m just not sure what I’m supposed to submit…

The contents of user.txt. Normally this is a file in the user account or in a Desktop folder.

Still stuck on the initial foothold, I think… possible entry point about a bypass on the token. I’ve been testing some tools for JWT but I’m not sure what I’m getting… any hint? I have gobusted this machine several times but had no luck with any other finding that could help me get a low-priv shell. Sorry if there is a spoiler in this thread, this is my first post.

@Ro0ki3507 you are on the right path. The server believes your lies if you tell them correctly.