Official dynstr Discussion

Damn, this box was the hardest medium box. Here are some hints for you:

Foothold: the service which this machine provides is like a famous service we know! You can use Google dorks to search for some “endpoints” in the text!

User: it’s easy, just analyze what you have and start trying!

Root: it is something obvious, but RTFM! Understand what it does and try to exploit it!

For nudges, PM me :wink:

Finally rooted this box. I agree with @Spectra199 - hardest Medium box I ever played. Great fun and learned a lot - thanks @jkr.

Some hints:

Foothold: Once you find the endpoint, try enumerating it any way you can. Use your ‘standard’ techniques.

User: Enumeration is key. You’ll probably find what to do pretty quickly, but once there, it doesn’t work. Retrace your steps and enumerate why it does not work - and how you would go around solving it.

Root: The answer on WHAT to exploit is not too hard, HOW is much harder - at least it was for me. Consider this: An error message might be just as useful!

DM me for hints. I usually check my forum messages daily 2000-2200 European time.

Hey guys, I’ve got a foothold and found that private key, but when I try to log in the server requires a password. I tried some things like adding an A record but it did not work. If anyone can help me I would really appreciate it!

Absolutely interesting machine.
A nice learning experience.
Thanks @jkr !

Hi HTB community, can somebody help me with getting the user? I am on web user, I know I must do something connected with **update but it is not really clear to me. I need some explanations. If you can help me, please PM. Thanks a lot.

Rooted!
Foothold: Google how the endpoint works and understand how you can exploit it.
User: recover all the information, but pay attention to why something is not working (recall the main theme of the box). Enumerate, enumerate, enumerate.
Root: at this point it is downhill with the usual approach; a couple of tricks to pay attention to and you’ll get a root shell.

Thanks for the box!

@Xcatolin said:
Hey guys, I’ve got a foothold and found that private key, but when I try to log in the server requires a password. I tried some things like adding an A record but it did not work. If anyone can help me I would really appreciate it!

See what is blocking you from accessing with the key. Once you know that, you can just “add update” it.

Rooted!

What a fun box! Reading over the forum now and there seem to be a lot of good hints here already, but here it goes:

Foothold: Just use your standard techniques when it comes to messing around with the API. Go through the webpage. Google is your best friend. Go ahead and make a fuzz about it.

User: I found two different ways in but both required a relative of nslookup. Google is your best friend when learning new tools.

Root: Again two different ways to get what you want. Just read through it. Go wild reading the manual.

If these aren’t helpful, feel free to message me. Good luck!

Hi Friends,

I think I know the path but somehow I don’t get any further. I got the RCE and want to escalate privileges to user. So I use to make my update add stuff with nste and sometimes it worked, sometimes not. But no matter if it worked or not, I was not able to s** with the thing I pulled out of the sce dump. Any nudge would help, please feel free to PM.

Hi guys,

I’m having this trouble in the root part because when I tried to “beat” the bash script the permissions of the .v****** file change to this:

-r-------- 1 root bind 33 Jul 8 01:28 .v******

Why can’t I read this file? Should I be able to read it after running the modified .v****** file?
Need some help with the bash file for root execution.

I just don’t get it. I have found the end point and I am able to get a good response. I am trying to find a way to exploit it but I am unable to understand what to do here. Any nudges? PM on discord please.

I enjoyed privilege escalation, it was fun :smiley: But for the initial foothold I had to take a break to get it working.

@xeqtr said:

I just don’t get it. I have found the end point and I am able to get a good response.

Are you talking about getting the initial foothold here?

I am trying to find a way to exploit it but I am unable to understand what to do here.

So imagine this: You have an api that can make calls. If you could convince the api to make a call to the OS which did something that helped you, you’d be able to progress.

Any nudges? PM on discord please.

I am rarely on discord, but it feels like a better plan to ask on discord if you want answers on discord.

@Dirks0n said:

Hi Friends,

I think I know the path but somehow I don’t get any further. I got the RCE and want to escalate privileges to user. So I use to make my update add stuff with nste and sometimes it worked, sometimes not. But no matter if it worked or not, I was not able to s** with the thing I pulled out of the sce dump. Any nudge would help, please feel free to PM.

I am stuck there, too. I got everything puzzled together but no **h :frowning:

@htbuser01 said:

I am stuck there, too. I got everything puzzled together but no **h :frowning:

Sometimes you need to add a blank line between the first and second command.

WTF guys, if you want to transfer loot, either

  • establish an outbound connection from the target to upload it to your box
    or
  • at least put everything into a subdir “htb_username” of your python3 -m http.server

If you serve it from the target to be downloaded, all other players have access to it. And it’s visible on nmap.
Major spoiler, I shouldn’t have had those keys by now…

Anyone facing this error in nsupdate: response to SOA query was unsuccessful?

Learned a few things from this box. There are several pieces of advice on the box. Reiterating some:

Read the home page carefully. (I didn’t and assumed a few things, hence wasted time.)
User: remember DNSstr is the name of the box. Also read what is in the webroot directory.
Root: it is obvious what you are exploiting. Just read that file carefully and don’t over-engineer.

Wow, that box was HARD. I really wasn’t expecting something so tough, too bad for my ego lol.
Great box though, I learned something at every step of the way.
Thanks @jkr !

Jeez, this one is kicking my ass, hard. My lack of knowledge in DNS is showing.
Just got user after a few hours of trying to understand the whole thing…

Onto root, now!

Edit: Ok, root was way more simple xD