Official Love Discussion

@sam007 said:

@spaaze said:

Finally got the user flag. Thanks @C31ibarin. Once it clicked, it wasn’t that hard (who would’ve thought).
Don’t try to upload a shell on the secret page you might’ve found - that rabbit hole leads nowhere. Think how you can use the fact it echoes everything back out to you that you give to it through the URL.

Off to root now. :smiley:

Found out how this echo works, tried to access some files but didn’t get anything. What to do now?

Look back at your “map” from the beginning and see what cannot be seen remotely.

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it will give out the cr**s.
Could someone who completely understands how it works dm me about it?

@gs4l said:

Rooted!
I was stuck at the beta page and got help to find the creds.
I understood what that page does but cannot understand how we figured out to put THAT URL there and that it will give out the cr**s.
Could someone who completely understands how it works dm me about it?

It is a combination of trial and error, and using what information you have available.

Box rooted.

Foothold: Standard HTB enumeration. No brute force of wordlists needed. Use what you got to get you more.

User: Standard HTB escalation path to get user.

Root: Your tools can point you in the right direction.

Interesting thing… I logged in as pe using evil-winrm so I had a more stable shell. Using evil-winrm I was unable to run the m**c command to trigger the payload I created via a popular framework tool. No error back, it would just “run” but I’d never catch it on the other end.

The same command ran flawlessly through a regular rev shell.

Is there something I don’t understand about RM/evil-winrm?


Interesting box. Foothold took me longer than I would like to admit, but it was definitely a good learning point for double checking things. Root was much more straightforward when using the script that several others have already mentioned in the thread. Feel free to DM me for nudges if you need it.

Banging my head against the wall on this one, especially since everyone is talking about how easy and in your face this one is. I have had no success uploading a shell/reverse shell to the machine or using LFI/RFI.

I assumed the machine was running X***P, which was confirmed through an error message. I haven’t had any luck accessing any of those files.

Unfortunately, the vegetable hint is not ringing any bells and I am not seeing anything from nmap results that are jumping out at me.

Can someone please offer a nudge? If you would like more details on what I have done, I can do that.

Thank you!

Just rooted! Very nice box!

Initial Foothold: after finding the point where you can go further, try to do the stuff you are checking with all possible ‘ways’.

Root: Simple, if you can do usual privilege escalation for Windows…!

DM me for nudges… :slight_smile:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Yes. Without giving away too much, you can do the entire box without needing any hashes at all. If you need more then feel free to DM me.

@Hazard said:

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Yes. Without giving away too much, you can do the entire box without needing any hashes at all. If you need more then feel free to DM me.

Appreciate it but think I’ll try to figure out where I went wrong… I mean that’s a cruel trick lol, I know those are hashes for valid users from reading the thread. Back to the drawing board.

@foalma321 said:

@rancilio said:
Any tips/suggestions for root? Basically a Windows noob. I’ve run winpeas which I know basically tells me the priv esc but I really can’t work it out on this one :neutral:

WinPeas output will have highlighted the way to go in red. You’re looking for something that is set to 1.
Google it and you’ll find the way.
If you have a met******* shell just do a search for it.

Thank you, I managed to get root. This is what I thought the priv esc was originally but couldn’t get it to work first time so moved on to other ideas. Glad I tried again. Thanks :slight_smile:

rooted

@NO53LF said:

Hey all, been a while but just getting back into HTB again after a hiatus and after getting through the last box pretty easily I’m stuck pretty quick here and I’ll keep it vague so not to spoil anything but I found OWASP top 10 through web app, dumped hashes but for the love of god I can’t crack them… is this a rabbit hole?

Well, took a break and came back today and found another way to use this OWASP Vuln to get a foothold through a Bypass method… Not sure if this was intended, as when I looked into it the Vuln was only disclosed a couple days ago, but nonetheless it worked!

Well… Spent 4 days, all I have is a list of suspicious dirs and a**** creds, which I obtained via a common vulnerability from the top10 list, but I can’t log in with them, and other possible ways lead to nothing for me. Can someone give me a nudge in PM, please?

UPD. Rooted. Ty for box

After playing a lot of Linux machines, I decided I need to expand my Windows-skills. Love is an excellent box to learn. I had a lot of fun playing the box and got to root without too much trouble.

Here are some hints from my perspective:

General
The box looks realistic to me. There are a lot of possible rabbit holes to get lost in and a lot of things to do and try. Don’t get discouraged.

User
Be sure to enumerate everything, even when the service returns an error. Once you find the vulnerable piece, standard CVEs should help you get to user. However, simply copying and pasting doesn’t work. You need to think about what you do and make some small adjustments.

Administrator
I never did PrivEsc on a Windows machine before so it took me several hours. What helped me was Tib3rius’s course: “Finding and exploiting Windows vulnerabilities and misconfigurations to gain an administrator shell.” Be structured about your privesc methods and don’t be afraid to use scripts to help you find what you need. Once you have it, the route towards PrivEsc is fairly simple.

What a fun and great box, I really enjoyed this one!

Those encrypted passwords of users and admin are too hard to crack.

Hi,

Does anyone encounter this error while trying to use m*****c?

“The Ws Ins****er Service could not be accessed. This can occur if the Ws Ins****er is not correctly installed.”

I am not sure if error messages are considered spoilers but tried to do some masking.

@MalGeek said:

Hi,

Does anyone encounter this error while trying to use m*****c?

“The Ws Ins****er Service could not be accessed. This can occur if the Ws Ins****er is not correctly installed.”

I am not sure if error messages are considered spoilers but tried to do some masking.

I ran into this too - super annoying. Ultimately I think there’s an issue with using ewm - even when using more standard shells from there. Ultimately I had to do some post-exp to recreate the initial foothold in a different manner with a standard c*** shell (for whatever reason Mf or p***ll wouldn’t work if launched from my initial foothold).

Once I got the standard shell which required a bit of re-work on initial path, it worked like a charm. Really weird, but don’t want to waste more time digging into it than I already did for an easy box lol. HIH!


@CyberLiX said:

Those encrypted passwords of users and admin are too hard to crack.

Probably because you don’t need them to complete this box.

Hi everyone,

I hope you’re well and your loved one as well.

I’m stuck and would appreciate a nudge. I have found some creds and I’m unable to use them. Any help appreciated.

Many thanks to you

EDIT: Scratch that. I found out what I missed