Official discussion thread for Meta. Please do not post any spoilers or big hints.
I guess i'll break the ice. WTF is this enumeration?? 2 ports open and one "keyword" on the front page of the web server? any nudges here? found the odd udp port as well…
Hint: when you have a webserver, there can be several sites.
Was pulling my hair out over user for hours last night before I finally threw in the towel. I can see the path I just can't figure out how to walk it. Gonna refresh this page 40 times a day until I see a hint that makes something click into place lol
I've managed to reach the upload form and I think that I know which vulnerability to exploit to gain the shell access. However, my payload keeps being commented out. Any nudges?
Same here. Tried some different things, but seems like security policy blocks them or stuff is missing… This day was wasted gazing at the stars and thinking about the expansion of the universe, without success.
Wrong exploit, as you can see when you use a proxy or other clients (never trust your browser)
If you upload a file and look at the output, you should be able to match it up with a pretty common tool for dumping the sort-of data you get. I googled for exploits, found a well-known old (3-ish years) one that didn't work, but then found one that's much more recent. It's a multi-step process to prep, but I've thrown it into a little script so I can feel like I'm doing it all over again.
I have a foothold and am struggling to see a path forward that doesn't involve some lower level network stuff that I didn't think HTB used… leaving me to believe I'm spoofing up the wrong tree.
SAME
I was having more fun before I got foothold.
Maybe this is a box where you go straight to root? Some recent cve's might be usable. nvm
Yeah but I see a potential way to get from the user that owns user.txt to root.
But I can not figure out how to escalate to that user.
And I won't be able to test that theory now.
Stuck on foothold and wondering what the high score for "CTF" means in the statistics
Foothold gained Thank you very much!
Yah
I wonder if d*****t is usually running like that on arena boxes? I can see how that's a thing, and I should just drop it, but I can't see anything else of value.
Got User!
Sorry, but I can't give any advice other than "try harder".
Throw everything you have at it, eventually something will stick.
Edit: Root is straight-forward, user is 99% of the work (at least it was for me). Great Box!
Very nice!
Can you clarify? "Throw everything you have at it, eventually something will stick" can just be general encouragement… but could also be a reference to the d*****t attack where I literally throw packets at it until one of them gets accepted.
Better question: Is timing involved for user?
Got foothold.
I had a feeling what needed to be done but kept failing, so I did some googling and found a nice article describing a new criticality that allowed me to get RCE.
Now I'm trying to get to user, spied interesting things.
Nah. I think I found it hidden away.
Nice box, easy to get foothold, tricky user and pretty straightforward root.
Foothold: Enum enum enum, then check the output you're getting, it reminds you something?? some tool??
User: Check what's running inside the box, enum what are the users doing and when u came across with the vuln, just google fu.
Root: Pretty easy privesc just do your basic enum and check EVERYTHING u get from the command we all know…
Personally, i learned a new trick in the root part…
Ya, User was a pain. There's an article with the exact steps/payload you need, but you need to a) know what to look for, and b) be more aware than I was of what root is doing to the poor box in the background. High CTF rating is because the box is actively fighting you along the way lol.
EVERYTHING.
For user part are you referring to the blogpost article?
I'm trying to as in the article: create a .s+g image with payload containing command (trying to echo the i+ command in the /d+v/s+m since a cron is clearing /tm+ folder) but it's not working (work if i trigger manually, via con+ert, but if I wait the cron, I don't have any result).
Edit: nvm stupid mistake. I didn't change the payload accordingly
from now on i am going to run a particular process spying tool on every CTF linux box.
actually, i am going to run it on every linux box, even my own
OK now i just need to fetch root
ikr it's so useful. it should be in the core-utils