Official discussion thread for Jab. Please do not post any spoilers or big hints.
Good luck everyone!
That was interesting.
Might need some help on this one. Got any tips to keep in mind?
In the interest of fairness as seasonal is competitive, feel free to reach back out after the box has been live for 24 hours.
Congrats on completing the box btw! Props, you got mad skills tbh
User on this one was tough.
Hey. Anyone else having an issue of a static root flag that is invalid on seasonal?
Got user, found some ideas for privesc but would really appreciate a bit of a nudge if anyone is up and willing to share.
Any hint for getting user?
Got some user list and am stuck with it. Any help?
https://www.hackthebox.com/achievement/machine/1502564/589
Neat box, feel free to contact me for nudges anytime.
What is a good library to talk XML with the service? Tried the Python thing, which errors on the self-signed certificate. Tried a console variant that generates a segmentation fault.
Note that it is not needed for this box, but I tried a way to enumerate the vcards of the other users.
There’s the XMPP Console for that bird-thingy…
Yes thanks, I have used that. The thing is: How to read vcards of 2600+ users?
Hints:
User:
- The box’s name itself is a big hint about what you have to explore.
- Use a good application to interact with the service.
- Don’t forget AD basics.
Root:
- You might have encountered the exploit about it in your initial enumeration phase.
- Now you just have to make a connection to exploit it.
Feel free to DM if you need some help.
Thanks for your helpful hints via dm on this one, really appreciate it!
Nice box.
User: Usernames are always a gold mine. Be sure to leverage them. This is AD so be sure to find the low hanging fruit AD attack and don’t make things complicated.
Root: This is similar to a previous HTB box but don’t use our favorite meta framework as it will not work for some reason. Go back to the basics and find some useful scripts.