Official Devzat Discussion

Just came here to say what a great machine this was. A very immersive experience, had a lot of fun!

Very nice box, thanks to the creator. I would say the most difficult part is the foothold.
The hints already posted are good so I won’t add more, but DM if you need one.

If I used a SecLists word-list, is that new enough? Because I still found nothing in the directory scan but /ims, /asts, and /ja**ript. I’m kind of frustrated right now.

Can’t get the initial foothold yet (5 days trying).
Any hint? (DM if you can help me please!)

Hey Guys

Any hints on foothold?
I’ve found the sub-domain p*** and tried to inject with various vectors (xss, ssti, xxe) without any success.
Will appreciate any nudges.

Devzat is a really amazing machine that won’t annoy you.
HINT
User: Enumerate everything on the domain that you got, make sure you check the behaviour of the website and try to imagine the backend code that will lead you to shell.
Shell will lead you to ssh and you might need ssh for further exploitation.
Root: What you find in the initial enumeration which was not necessary, is necessary here.
DISCORD: luckythandel#6053

Definitely a fun box. Follows some good processes and responds well to methodological attacks.

At the very start, I was distracted by the “fun” application - I probably spent longer there than I should :smiley: but it isn’t a race and I like tic-tac-toe :rofl:

Once I got over that, it’s enumeration. Lots of enumeration. Checking all the things you need to enumerate. Then you find a thing you can export locally. Dump it and read through it. This reveals a vulnerability you can exploit to make the box do things. From here you can get a shell, fairly easily.

After you have a stable shell, it’s more enumeration. You can find something vulnerable to a CVE, expose it and attack it. This allows you to connect as the right user. Here, I found it easiest to add ssh access, so I could reconnect as needed.

Next, some more enumeration. Find some files, read them. Look at the differences. Then it explains how the game was useful.

Ok so I am new and I hit a major wall on this virtual environment here. I want to drop a link for anyone that keeps getting unknown host errors. I feel pretty dumb right now but this just fixed all of my issues. Back to running through machines. I have spent days trying to figure this out.
Read about the DNS in this link: https://abstractentropy.com/htb-starting-point/#:~:text=Hack%20the%20Box%20and%20DNS%20Sometimes%2C%20especially%20with,address%20used%20to%20initially%20access%20the%20web%20page.

The root part was a piece of cake after the joyful pain of foothold and user part. Really enjoyed this box.

Root flag obtained. Spoilers are my issues, and what got me over the finish line.

I try to ssh via localhost as catherine, but I get host key verification failed.

Grabbing her ssh key and copying it on my end to ssh in doesn’t work either. I get Permission denied (publickey).

edit: do I need to upload id_rsa key from my Kali box to the /.ssh/authorized_keys folder for Catherine? I tried using netcat from the machine, but it’s not installed. I’m starting to think my problem is I’m doing the ssh key process incorrectly. And the other thing is, it seemed like /.ssh/authorized_keys wasn’t a directory from the get go when I attempted. So part of me is wondering - can I even upload my ssh key on the target machine properly if the directories that should exist by default aren’t there?

edit4: wow… I need to memorize the command python3 -c "import pty;pty.spawn('/bin/bash')". That was the nudge I needed to fix my SSH woes.

What tool does everyone recommend for subdomain enumeration/brute-forcing? Burp?

Rooted. At least read root.txt.

Once I found the hidden area, it took me a bit to retrieve some helpful information (thanks to @clure and @TazWake for answering my question). Once I understood that information, I was able to get a shell pretty easy.

That was the majority of the work. After that, it started falling pretty quick and root was just a matter of enumeration and following the hints. Great box!

DM if you need a nudge.

I use gobuster for subdomain / vhost scanning

And usually feroxbuster for most other scans

" catherine: Kinda busy right now :necktie: "
She is a typical b*tch at work :smiley:

I never really know what one means on funbox until now… it is a funbox, thank you
root:$6$DKdyL4hqyhhxc…

  • Foothold: enum and play with the cats until they let you in :laughing:
    I really enjoyed that part because I felt progressing all the time
  • User: by far the hardest part and although I figured out what to do and had some initial success I didn’t find the creds for hours… To save yourself from a hassle, when you are supposed to choose don’t just use the # but actually type the name in - then it will give you the right results
  • Root: by the time I arrived here I actually enumerated 3x back and forth the user so it was obvious what to do and took only 5 min., the box was just leading you with clever hints all the way here :blush:

Finally rooted it. Kudos to the creator for this awesome box.

awesome box. I liked the crumbs along the way.

foothold - enum every little web thing, you’ll come across a fun app. It tells you what it runs on, though that matters later. Jab it a solid test - then once you’ve confirmed the vuln, jab it with different permutations. Think of this as a production box - it’s not gonna have your usual hooks.

user - there is def a dead giveaway clue somewhere in the box if you are looking at the right places. However, even with it, this one is on me for not really knowing a whole lot about this tech. Once I brushed up on it, it was easy to get what I needed out of it. The terminology is def different and reminded me of learning about RDBMS in the past.

root - follow the clues and connect the dots. If you have everything it asks for, it’s a straight shot to it. Prompts with # aren’t always the endgame though…

Thank you for the box @c1sc0. It’s a nice medium box, not complicated. :slightly_smiling_face:

FOOTHOLD : Look at your posts and try a nice service for sharing messages. Find the virtual server to go further and do your scanning to find a special folder that contains code. You need to enter some commands before the code becomes available.

USER : Watch the ports again. There is a special service and a CVE to gather the password for user.

ROOT : The easiest part. In the conversation patrick gives all the information. The conversation app is running as root and has a special command for scanning.

I enjoyed that box. I got frustrated at the last step of getting user, but only because of my own stupid brain that assumed something, and even when reading docs I couldn’t manage to understand how to extract the data I want. After a quick break I got it, after that root was quite easy.

Hey mate,

I’m having the exact same issue, what did you do to end up solving it?

I tried copying both the user’s id_rsa and authorised_keys files on to my local kali box and attempted to get an ssh connection using the -i flag but had the same Permission denied (publickey) error.

As you said in your first edit, I’m on the same sort of thought process. Do I need to copy my keys to the server as opposed to the other way around?