This was my first box in HTB (Gonna go VIP soon to do the retired ones) and as a result first live box as well!
Really wanna say a huge thanks for this forum for the hint to Priv Esc (look at the name of the machine).
Thanks guys! On to more hacking!
having trouble getting the priv esc, I escalated but then cant find the files to the user that I escalated to
Rooted 
Nice fun easy box! Like many comments before mine. All the hints are in the forum.
User: Nothing crazy needed, Work with what is given to you through basic enumeration and remember what itās like to count like a computer.
Root: The usual enumeration will give you some hints. The name of this box may have something to do with it.
Thank you for the box! Feel free to DM for any extra nudges.
rooted, nice box! Thx!
One of the easiest boxes Iāve ever seen around here. The application itself could give you both user and root flags.
Hi, Iāve got the user and the root flag, but when I tried to submit them, itās give me an error ''incorrect hash for Cap", does anyone have the same problem
Fun box. The initial foothold is only easy when you realise where it is.
Type your comment> @sariakaFox said:
Hi, Iāve got the user and the root flag, but when I tried to submit them, itās give me an error ''incorrect hash for Cap", does anyone have the same problem
Since HTB uses a rotating hash or randome hash for each machine spawn I would suggest to reset the machine and try again.
If problem persists then change your VPN region followed by try again.
If all above fails, then talk to HTB support to solve the problem.
Its a common thing that has happened over time.
As someone who often struggles finding footholds, this was a fun/relaxing box. There are plenty of hints in this thread to get you where you need to go. Root was new to me but easy enough to figure out what to do based on hints.
DM for nudges!
Quirky box! For me achieving root happened a lot faster than the user foothold, and honestly felt more like real hacking. Getting the user is really about being observant & curious, which to be fair is an important security skill, tooā¦
Great box! Definitely an easy box but was a fun adventure in figuring out how the app was working. The name of the box really does the best clue about what to look for!
Rooted. As a side note, did anyone get the last flag by enabling a dangerous mode on a certain file and visiting it? I think most individuals attained root by utilizing a suid, but I found another (possibly unintented or box-breaking) way to do it. PM for more details.
Get root, but I didnāt understand why this code worked, get it by luck, but I would like to understand, if someone can explain it in DM.
Really easy machine, but itās a different approach.
DM for nudges
Ah ah ah I was so angry with myself about the user part. It took me shamingly too long and I almost failed because I had filters enabled and was too careless to notice ><
The root part was done so quickly I almost missed it 
That is indeed an easy box, and yet I feel in both steps you need to apply and use very important tools and concepts, so really worth doing, even for experienced people.
Thank you @InfoSecJack !
Iām struggling way to hard with the user flag and even with all the tips I cannot get a foothold. Did some rudimentary enumeration and tried to focus on analyzing the traffic between my workstation and the target. Unfortunately I cannot figure out how to manipulate the application to get the necessary information. Therefore a detailed hint via direct message wold be much appreciated - new to āhackingā and willing to learn.
Ahaā¦ finally got the foothold.
For everyone frustrated with this boxā¦ donāt be. I see it being super easy if your enumeration procedure follows a certain path. If you use different toolsā¦ you might be stuck for a while.
The real kicker was that I tend to use dirb for my website enumeration. Try gobuster onceā¦ it talks to you a little more. Pay attention to what itās saying and look to see if you can crawl that directory a bit.
My personal take home from this is to really re-evaluate my enumeration procedures. I understand the process, but I wasnāt using the right tool for the job.
I really get discouraged when people say, āā ā ā ITāS SUPER EASY!!!ā because some of us are still lost and it makes us feel like we need to just quit. Itās not helpful from a learning standpoint. I was WAY closer than I thought.
Pwned! Thanks @InfoSecJack! Very good box! Feel free to PM me for little nudges:wink:
@MorpheusDark said:
I really get discouraged when people say, āā ā ā ITāS SUPER EASY!!!ā because some of us are still lost and it makes us feel like we need to just quit. Itās not helpful from a learning standpoint. I was WAY closer than I thought.
I get that, I tend myself to tell if I found the box very easy or super hard. And I reading those āā ā ā easy box did it while watching a movie lolā when Iāve spent the last four hours scratching my head to get a foothold 
! But like many others said, an easy box can be very hard if you donāt know what to do, and the opposite is true, so I just try to take it as a āI still have things to learn !ā. But yeah, Iāll be moreā¦ considerate, in the future 
Rooted! Nice box, but also a bit strange. Donāt really have any big clues that arenāt already here in the thread, to be honest.
For user Iād like to add that the initial attack vector is similar to a common problem with insecurely accessing files on web apps, but also not really. Look at the contents of everything you can find.
Learned a new way of getting root. Was totally confused by getting root at first (actually made me laugh out loud, haha), because I didnāt really understand why the technique worked and what is going on. Some googling filled that knowledge gap, thanks also to some hints here.
About the difficulty discussion: As others have already said, donāt be discouraged by people saying it is super easy. Is the box easy? Both yes and no.
The ways to get both user and root are easy compared to other boxes in the sense that you donāt need to execute complex techniques, exploits and so on. A handful of steps are enough.
However, finding these steps is not necessarily easy. They are not very straightforward, in my opinion. Thereās definitely a bit of luck involved here in looking in the right directions. If you donāt look where you need to, you will get stuck. Especially the user way is kind of āout thereā, not really technical and almost a bit CTF-y. Not unrealistic, but also very easy to miss or disregard. I think it kind of tries to simulate a real life attack path that is not really possible to execute on this platform.
Also take the other comments regarding this topic into account. Especially the comment by @Hilbert is spot on in my opinion!
Cool. I just got root as well. Super fun. I get it now.
** Hints (I hope not spoilers) **
User:
Gobuster works better than DIRB in my honest opinion. Watch itās output. Can you crawl that directory? What procedure is it using to generate filenames?
Root:
This web app knows too way much for itās permissionsā¦
Above all, donāt get discouraged and have fun! If you canāt get quicklyā¦ it doesnāt matter, your common places to check just differ from the next hackerās. Keep turning over stones and youāll find somethingā¦