Official Health Discussion

Hints:
User: There is one functionality on the box. Exploit it. You are a hacker, so try to get to things you are blocked from. Once the postman has delivered you the results, then you can try to find information about versions and vulnerabilities. Sometimes other people’s work will not work, so you gotta do things yourself.
Root: There is one functionality on the box. Exploit it, again. Look at how it might work from the inside.

1 Like

Who gives the difficulty rating for boxes? Less than 50 roots in the first 24 hours on this easy box?

1 Like

First of all, this box shouldn’t have been rated as easy; re-assessment is needed.

user flag:

  • you see a web server that does some checks, maybe you can use it for callbacks;
  • however you cannot check the interested addresses, maybe you can consider a delivery redirect.
  • from the inside info can you now progress, from the source should you check
  • an old wound may hurt its back, all you need is a needle to stab.
  • from the needle you received some ■■■■, maybe the ■■■■ is up for a crack;
  • yet the ■■■■ is so ■■■■, finding the right shape is like a hike.

root flag:

  • at the back there are many threads, some are running with excessive rights;
  • same way in and same way bad, same way stored but different ways left.
  • to leave the place in a different way, into the store would be great;
  • where’s the key to this place? a veggie scroll can help to trace.
  • what’s in the store shall we break? what todo shall we make?
  • todo what or what todo? in the store, both are true.
4 Likes

This box is broken, after booting and going to the IP I get this:

If I go to http://health.htb I get the same error:

I can only nmap the box…

I mean it’s obvious that the box has run out of space and the error is about that, but is it even possible to run out of space if the only action taken against the box is an nmap scan?

If anyone needs help, PM me.

For anyone struggling with the foothold: in situations where error messages are withheld by the target a local installation can help greatly!

2 Likes

Hello guys! Do you have a paper for understanding the vulnerability, or any source for testing?

Yes, it’s an ssr* attack. Good luck.

Can anyone get user? I tried redirection but couldn’t get anything on the **** port.

Phew… finally rooted… that was a “fun” box :smiley:
For the user flag:
Find a way to trick the web app to “health check” itself and you will see the filtered content.
After you do, make sure that you enumerate it well, a common vuln will take you further down the road,
it will be very helpful to try to install it locally so you can fine tune your payload before sending it.
If you are successful you will acquire a new piece of information which can be turned “usable”.
I found it easier to just reuse the app’s logic instead of using the well known tools.

For the root flag:
Here there is nothing more to say, the hint from @JacobE can give you all the information you need.

Feel free to PM me if you get stuck anywhere :wink:

4 Likes
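The weakness hinted at in the posts above, seen from the defender's side, as an added example that is not part of any post in this thread: a URL checker that validates only the submitted address and then follows redirects, next to one that re-validates every hop. The host `monitor.example`, the internal URL and the response table are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for the network: URL -> (status, Location header).
CONSTRUCTED_RESPONSES = {
    "http://monitor.example/redirect": (302, "http://127.0.0.1/internal"),
    "http://monitor.example/ok": (200, None),
    "http://127.0.0.1/internal": (200, None),
}
REDIRECTS = (301, 302, 303, 307, 308)

def is_blocked(url):
    """True when the host is localhost or a literal loopback/private/link-local IP."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a name: a real checker must resolve it and test every address
    return ip.is_loopback or ip.is_private or ip.is_link_local

def _walk(url, fetch, max_hops, validate_each_hop):
    for hop in range(max_hops):
        # The weak variant validates hop 0 only; the hardened one validates all hops.
        if (hop == 0 or validate_each_hop) and is_blocked(url):
            return ("rejected", url)
        status, location = fetch(url, (0, None))
        if status == 0:
            return ("unreachable", url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # relative Location values are allowed
            continue
        return ("fetched", url)
    return ("rejected", url)  # too many redirects

def check_first_url_only(url, fetch=CONSTRUCTED_RESPONSES.get, max_hops=5):
    """Weak: the filter sees the submitted URL, not where redirects lead."""
    return _walk(url, fetch, max_hops, validate_each_hop=False)

def check_every_hop(url, fetch=CONSTRUCTED_RESPONSES.get, max_hops=5):
    """Hardened: every redirect target passes the same filter before it is fetched."""
    return _walk(url, fetch, max_hops, validate_each_hop=True)

if __name__ == "__main__":
    for checker in (check_first_url_only, check_every_hop):
        print(checker.__name__, checker("http://monitor.example/redirect"))
```

Per-hop validation still has to be paired with pinning the resolved address for the actual connection, otherwise a name that resolves differently between check and fetch gets past it.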

User: Bore inside, exploit known vuln. I eventually scripted send and receive in python, which helped a lot with manual exploitation of the known vuln. I don’t think you have to, but I stumbled about blind. Loot what you can. RIP all users with slow laptops. Took 2 hours on my hardware.

Root: A walk in the park, no hints needed…

Overall a very nice machine!

Rooted! Satisfying box, but initial foothold took some consideration!
Don’t get discouraged if the “known vuln” doesn’t seem promising at first. Maybe it just doesn’t understand the dialect you’re speaking? :slight_smile:

When it finally gives you what you want, the kitty will only accept the salted snack if it’s presented in the right way. Perhaps you should test with some other snacks first to make sure you’re feeding it right. Otherwise, that may be the end of the line for you…

Root is easy. No hints needed. :3

Ah yes, another “medium” box.
Best advice on the thread if you ask me.

Rooted. Learned a lot from this machine.

Rooted, fun box to do, lots of techniques which were enjoyable to discover

Nice box! Thanks @irogir !

FOOTHOLD : a simple service and a special port at scan to pay attention to.
USER : identify service running and search for cve.
ROOT : the check service can be tricked by changing data.

I wrote a custom proxy from socket level up to make me comfortable and at home in what would otherwise be a “gated community”. Very interesting to do; handle user requests, trick the remote application, and then serve parts of requests back to the user. About ~150 lines of Python, but it taught me a lot about concurrency and handling HTTP (requests and responses) through TCP-sockets.

I’m now moving on to exploiting; I’m really excited.

Hi, I have not read any of the hints in this forum but I was wondering if anyone would know where I could download the old version of Gogs to replicate it on my system to test out the sql injection to see if I am doing something wrong as I believe it is the path forward. Please don’t spoil, if I am on the right path or not, I would like to try to do this one completely by myself! Just need help finding the old software for testing. Thanks ahead of time!

Hey. You can download the source code from here: Release v0.5.5 · gogs/gogs · GitHub