Official Buff Discussion

Rooted.

It is an easy box (user shell can be reached within 5 minutes) and I wonder if someone could run the original PoC script without any modification. It took me a half day to recreate the exploit and figure out what I had to change. I’m not familiar with rops and eggs, not even BOFs. But the cleanest method for me was to rebuild the whole exploit from zero on a virtual machine. It was a nice way to learn what could be wrong and a nice practice.

Anyway I have uploaded a working PoC which is working on x64 based Windows 10 systems. Find it on GitHub.

@MTOTH said:

I’m not familiar with rops and eggs, not even BOFs.

If you are talking about what I think you are talking about, there is a simpler exploit which requires less modification.

@MTOTH said:

Rooted.

It is an easy box (user shell can be reached within 5 minutes) and I wonder if someone could run the original PoC script without any modification. It took me a half day to recreate the exploit and figure out what I had to change. I’m not familiar with rops and eggs, not even BOFs. But the cleanest method for me was to rebuild the whole exploit from zero on a virtual machine. It was a nice way to learn what could be wrong and a nice practice.

Anyway I have uploaded a working PoC which is working on x64 based Windows 10 systems. Find it on GitHub.

The one I used worked just fine without modification, except for the payload of course. I’ll PM you a link to the one I used.

Got user pretty easily but stuck with root even though I’m pretty sure I know the way to go.

Am I right thinking that the process we should try to exploit crashes after you attempt to priv esc and there’s nothing restarting it afterwards? I can definitely see the service running on the port it usually does right after the machine is reset, but a few minutes in it’s gone, I assume after someone successfully manages to run the exploit. Does this mean everyone else after is screwed unless the box is restarted?

@arkh3m said:

Got user pretty easily but stuck with root even though I’m pretty sure I know the way to go.

Am I right thinking that the process we should try to exploit crashes after you attempt to priv esc and there’s nothing restarting it afterwards?

I don’t think so - at least it didn’t crash for me.

I can definitely see the service running on the port it usually does right after the machine is reset, but a few minutes in it’s gone, I assume after someone successfully manages to run the exploit. Does this mean everyone else after is screwed unless the box is restarted?

A lot may depend on what people are doing to the box. Not everyone will be making successful exploits and some people may be trying weird things which cause unintended outcomes.

Spoiler Removed

@TazWake Makes sense, I finally managed to get root but it did take a while to get the process back up long enough to exploit it.

@jayshaw91 said:

Ok, who can I PM/who can PM me? I can’t even get user. Yes, I’ve done some work, (nmap only gave me 8080),

You have enough.

can’t connect with the enum tools because I don’t have a user/password combo, and nothing seems extremely obvious to me as y’all say it should be. The only “obvious” thing to me seems to be possibly exploiting “G** M**** S*** 1.0”, which my suspicions tell me is more for root than user.

So, if in doubt, check things.

If you think this is the path to root, rather than ignore it, try it and see. Either you will be proven right and it is the path to root (in which case you might get root or it might just fail) or you will be proven wrong and it is something else.

Either way, your knowledge and ability will improve.

Please let me know if I am wrong. Again, a PM to push me the right way for user would be super helpful. Help a n00b. It’ll be good karma next time you try a box that is a mindf**k :slight_smile:

All boxes are hard if you don’t know the solution. Just because HTB rates them as easy/medium/hard/insane doesn’t mean that’s how they will be. Some people will find this trivial and root it in 5 minutes, others will take 5 weeks. All this means is we have different knowledge and this makes some things more obvious to some people.

Try not to get frustrated. It’s all a learning path and if you take it one step at a time, try things, keep notes, learn from failure (etc), you will eventually get there.

Thanks, TazWake. I’m not frustrated yet. Just a bit stuck.

@jayshaw91 said:

Thanks, TazWake. I’m not frustrated yet. Just a bit stuck.

Cool - and frustration is understandable as well. Everyone gets it. I spent three hours on this box trying to get something working, then I realised I had a typo. Some people say “It’s easy, 5 mins max” but it took me hours because of this simple issue.

So, first off, go back to your notes. You have something listening on a port. Access it. Look at what it gives you and research it. If you see information, don’t hesitate to google it. Sometimes googling the phrase + exploit helps.

Gather as much information as possible then think about what you might want to do next.

Thanks!

Can anyone tell me if the my**l credentials that were deleted are the way to get user?

@Arty0m said:

Can anyone tell me if the my**l credentials that were deleted are the way to get user?

Probably not.

Compared to other ‘Easy’ machines this was quite different! I think this box would be easy for those who are familiar with certain tools and quite challenging for those who are not, which was my case. Thanks to @MariaB for their help.

A lot of the comments already on the forum will help you. I want to reiterate the tips for foothold, don’t dismiss what is in front of you, enumerate everything but don’t be drawn into a rabbit hole.

For root, I could not find anything on the box to help me move forward, but once you understand what to do there are tools out there that can help.

Finally!
whoami
buff\administrator

I enjoyed this machine quite a bit. Searching for exploit was PITA because everything tells you “it is one time job”. Apparently it is not.
I also struggled a bit with ssh. I forgot that in Parrot the ssh service is disabled by default. I was banging my head against the wall wondering why my p****.*** was not connecting…
Thanks @egotisticalSW for nice machine and @TazWake for your invaluable support and thorough comments.

Got the initial web shell but not able to upgrade it. Tried downloading nc.exe for a reverse shell but it did not work… Can anyone nudge me in the right direction…

@sparrow1 said:

I enjoyed this machine quite a bit. Searching for exploit was PITA because everything tells you “it is one time job”. Apparently it is not.
I also struggled a bit with ssh. I forgot that in Parrot the ssh service is disabled by default. I was banging my head against the wall wondering why my p****.*** was not connecting…

Yeah, I think this has tripped up a few people. I was fortunate in that a few retired boxes have needed port forwarding like this, so I remembered to turn it on :smile:

Thanks @egotisticalSW for nice machine and @TazWake for your invaluable support and thorough comments.

Glad you got it.

@meb22f102 said:

Got the initial web shell but not able to upgrade it. Tried downloading nc.exe for a reverse shell but it did not work… Can anyone nudge me in the right direction…

Did you try a different port?

Can anybody help with AV? I get a root shell with meterpreter but it dies immediately.

Reverse nc connection not dropping in. Anyone fancy giving a helping hand, please?