Official Meta Discussion

Official discussion thread for Meta. Please do not post any spoilers or big hints.

I guess i’ll break the ice. WTF is this enumeration?? 2 ports open and one ‘keyword’ on the front page of the web server? any nudges here? found the odd udp port as well…

Hint: when you have a webserver, there can be several sites.

1 Like

Was pulling my hair out over user for hours last night before I finally threw in the towel. I can see the path I just can’t figure out how to walk it. Gonna refresh this page 40 times a day until I see a hint that makes something click into place lol

I’ve managed to reach the upload form and I think that I know which vulnerability to exploit to gain the shell access. However, my payload keeps being commented out. Any nudges?

Same here. Tried some different things, but seems like security policy blocks them or stuff is missing… This day was wasted gazing at the stars and thinking about the expansion of the universe, without success.

Wrong exploit, as you can see when you use a proxy or other clients (never trust your browser)

If you upload a file and look at the output, you should be able to match it up with a pretty common tool for dumping the sort-of data you get. I googled for exploits, found a well-known old (3-ish years) one that didn’t work, but then found one that’s much more recent. It’s a multi-step process to prep, but I’ve thrown it into a little script so I can feel like I’m doing it all over again.

I have a foothold and am struggling to see a path forward that doesn’t involve some lower level network stuff that I didn’t think HTB used… leaving me to believe I’m spoofing up the wrong tree.



I was having more fun before I got foothold.

Maybe this is a box where you go straight to root? Some recent cve’s might be usable. nvm

1 Like

Yeah but I see a potential way to get from the user that owns user.txt to root.
But I can not figure out how to escalate to that user.
And I wont be able to test that theory now.

Stuck on foothold and wondering what the high score for “CTF” means in the statistics

Foothold gained :wink: Thank you very much!

1 Like

Yah :confused:

I wonder if d*****t is usually running like that on arena boxes? I can see how that’s a thing, and I should just drop it, but I can’t see anything else of value.


Got User! :tada:
Sorry, but I can’t give any advice other than “try harder”.
Throw everything you have at it, eventually something will stick.

Edit: Root is straight-forward, user is 99% of the work (at least it was for me). Great Box!

Very nice!

Can you clarify? “Throw everything you have at it, eventually something will stick” can just be general encouragement… but could also be a reference to the d*****t attack where I literally throw packets at it until one of them gets accepted.

Better question: Is timing involved for user?

1 Like

Got foothold.
I had a feeling what needed to be done but kept failing, so I did some googling and found a nice article describing a new criticality that allowed me to get RCE.
Now I’m trying to get to user, spied interesting things.

Nah. I think I found it hidden away.


Nice box, easy to get foothold tricky user and pretty straifghtforward root.

Foothold: Enum enum enum, then check the output you’re getting it reminds you something?? some tool??.

User: Check what’s running inside the box, enum what are the users doing and when u came across with the vuln, just google fu.

Root: Pretty easy privesc just do your basic enum and check EVERYTHING u get from the command we all know…

Personally, i learned a new trick in the root part…

1 Like

Ya, User was a pain. There’s an article with the exact steps/payload you need, but you need to a) know what to look for, and b) be more aware than I was of what root is doing to the poor box in the background. High CTF rating is because the box is actively fighting you along the way lol.

:point_up: EVERYTHING.


For user part are you referring to the blogpost article?
I’m trying to as in the article: create a .s+g image with payload containing command (trying to echo the i+ command in the /d+v/s+m since a cron is clearing /tm+ folder) but it’s not working (work if i trigger manually, via con+ert, but if I wait the cron, I don’t have any result.

Edit: nvm stupid mistake. I didn’t change the payload accordingly


from now on i am going to run a particular process spying tool on every CTF linux box .
actually, i am going to run it on every linux box , even my own
OK now i just need to fetch root


ikr it’s so useful. it should be in the core-utils :grin: