Official Late Discussion

Same, flag got renewed last night, take the flags again, that's what I did.

Check your jinja2 statement. There are multiple ways of creating a statement that gets you to a shell, some are MUCH simpler than others.

This was a fun, quick box. Very memorable. But that was a lot of trial and error to get the server to understand what I was sending it exactly to make the foothold work. It’s like a game of telephone.

In many cases there is some problem with an unexpected space before b**ins when you try to access the server. You can upload the text without {{ to see exactly what it doesn't recognize. I used GIMP and monospace. PM if you need some help.


This hint helped me. Thanks!

Note

In my opinion, this box is awful. I love teaching something new to beginners but the machine causes a lot of frustration for no reason.
This machine is not for:

  • Beginners getting into infrastructure hacking.
  • People who have low patience.
  • People who own a small desktop resolution (it becomes exponentially harder to pull off the exploit).
  • Touchpad users (your fingers are guaranteed to have battle scars after this box).

Regardless of the above, I'm grateful a platform such as HackTheBox exists but feel a bit disappointed in the quality of "easy" machines as of late.

Hints and tips

Foothold

  1. Start with enumeration. Hint: Use a fast scanner.
  2. Discover what information you can find from the application. What is it built on? What functionality does it have? How do you interact with it? Are there any (sub)domains or folders?
  3. Add those to your hosts file / notes.
  4. Explore and enumerate further until you are certain you have everything.

User

The upload

This one is all about file uploading, so here are the tips and recap of what everyone already said:

  • Online text2image tools do not work. Write in a notepad and zoom in as far as you can.
  • Write with a white background and black text.
  • Zoom in as far as you can but keep it within 1 line.
  • Upload without the brackets first to see if the service reads all your text.
  • Use a bold font to highlight the ‘__’.
  • People claim Monospace is good, I had to go with Nimbo TTW Bold. Just zoom in as close as you can for the screenshot and see what works based on trial/error from the results file.
  • Take the screenshot with custom size, don’t do a screen or window shot.
  • If it doesn’t work you might have had 1 pixel too much in width/height. Take the same text exploit at least 2 times if you’re getting errors.
  • I averaged about 150 screenshots before it worked. And my first one was correct after all… (it's not too late to run away).

Exploit

Once you're able to have a basic command run, it's time to explore. Remember your recon phase? What are the other port(s)? How can you establish a connection?
Build your exploit on gaining sensitive information for this to happen.

Root

Try the basics and see what you can find. Make your life easy and use common priv esc enumeration tools to do the job for you.

  • A file pops out. Or is it a process? Or a service?
  • What does it do? Can you modify it?
  • What permissions does this have? What attributes?

This box was frustrating. PrivEsc was a breeze, but the foothold took a million tries to get the right font, size and spacing combo. In the end Proxima Nova Bold was the font for me.

This is impossible.
I have been hammering away at this upload for hours and it just does not work. You change one thing and it starts randomly replacing characters and adding spaces where there are none.
I have tried countless fonts, spacings, font sizes. I don’t know what to do here.


Ok, I have found the domain of interest and a feature that allows me to upload. Since then, I feel like I am blindly checking uploads. I see people commenting on fonts and such, and I'm curious what enumeration piece led to that? I see what the webserver is, but I do not know (or how to find out) the backend language. I have Wappalyzer and it doesn't give me much info that would lead to "oh I need to upload something related to font changing". What enumeration piece leads to that conclusion?

The backend relates to what the webserver is built on (go back to your nmap scan and look). Just throw different injection methods at the upload form (a big hint has been dropped at the start | check out the Templated web challenge for more help). Try different fonts, some work, some don't; I used GIMP with a font mentioned somewhere in this thread.

It worked now.

  • Use a monospace font
  • There are other ways to get in other than a reverse shell. A rev shell might work but it adds too many characters, in this case points of failure.

Hi! This is my first machine outside of the getting started area. I'm completely lost at the password. I've spent the last 2 days using hydra trying to crack it but to no avail. Does anyone have any advice, or is it possible I'm just forgetting something they said in the getting started?

Hey, I have access to some basic commands but I cannot get any rev shell. Please help me.

Is anyone else having the issue of not being able to submit user or root flags? I keep getting an incorrect flag error.

I had to switch servers.

Can someone help me with this error?

Error occured while processing the image: ‘function object’ has no attribute ‘globals’

Did you find something to read more calmly?


■■■■ thanks, I'm glad to see I'm not the only one.

Okay, maybe I'm going crazy, but I rooted this box yesterday and tried submitting both flags, which both failed. I came back today to reset the machine and try again, but yet again the flags just say incorrect when I submit. Never seen this happen before in HTB; has someone been tampering with the flags?

The reason you are getting an integer error is because you are most likely using a code tool that has numbers at the start of the code, like:

1
2
3

etc…