Rooted. Dm me if you need nudges.
Any hints of how to find it? Struggling to find any foothold.
Ok, Iām stumped on the user. I keep messing with different ways of trying the .s**, .m**, and .p** files with co***t and mo*****y and i canāt get any results. Just errors. At one point I thought I was onto something because my error message had reverse shell code in it but nope. Any nudges (probably significant haha) for user for this thing?
I have tried enumerating in many different ways until I found the uploading page.
Tried to upload a reverse shell via playing around with the magic bytes. It seems that I have successfully bypassed the upload sanitazation but I donāt know how to proceed from this point.
Any ideas/ help will be appreciated.
Thanks for the box @Nauten . I always break my teeth on footholdā¦
FOOTHOLD : some obscure word lost in files of a famous distrib. Did not find it with favourite tool. Donāt understand why. Then thereās an RCE to get inside.
USER : some program running at user exploiting a special image format.
ROOT : Canāt pass any options to binary. See the conf.
Great box overall, but to me, the user part was pretty hard. I might have done something wrong in my research, but it took me ages to find the correct thing. If anyone is willing to exchange on this, Iād be glad, just drop a DM (here or Discord).
Loved the root part.
DM if you are stuck
I am having a hard time figuring out my exploit is successfully ran in the context of UID 3x, but in the context of UID 1xxx I can see that the command is ran but no output is saved to the output file I specified.
What am I missing here?
try with absolute path
Got inside but canāt be thomas Can you give me a hint whatās next?
any hints for enum i saw 3 ports open
Hi guys someone can help me a little bit with this machine?
I cant execute the shell and I dont know why is not working.
Thanks
Rooted I donāt have a whole lot of experience with HTB but this is one fun machine.
Just wanted to share my experience:
FOOTHOLD - enumerate and donāt just use the tools you are used to, not-so-used dictionaries might be handy too. Also, try to recognize what type of data is shown and which tool could be helpful to gather these data.
USER - look for something being executed.
ROOT - fun little piece of privesc, look into how vars work.
DM me if youāre stuck
This box almost killed me - but was a wild wild ride and fun anyways.
FOOTHOLD like others have said relies on enum. i personally recommend the ffuf.me lists as they are so useful for so much enum. Also look for āamassā on git hub that has some nice lists as well. I use those a lot. My goto lists now.
USER: one hint - like others have said this box likes to tidy up everything. Do not ignore this hint like I did - cost me 2 daysā¦
ROOT: almost was the death of meā¦ e***** the var < really do not want to say more ā¦
Foothold:
Experience can pay dividends as recognizing the output to a command with some basic google will find an exploit.
User:
Try to spy on stuff. Properly enumerate, whats in there? Is that the real file? What version is this? Now How can I exploit.
Root:
Your number one resource might prove useless, but understanding how to set a home dir and adding a line to that interesting file in the home can get you root.
Feel free to message me for some help or tips
Hi, iām having a trouble. I have a reverse shell with www-data user. I get the id_rsa from another user but when i try to connect using this rsa-key with ssh iām get a Load key āid_rsaā: invalid format message. I tried to open with vim and format it but still get the same error.
Iām trappedā¦
I managed to find the web where thomas, sarah and judy appear.
Iāve used all the dictionaries with gobuster and I canāt find anythingā¦
any specific list to use?
Hi, got the www-data shell but currently Iām struggling with local user account - the exploit for cron job running Ima***ck doesnāt work. Can somebody point me into the right direction?
What will you do to increase your ATTACK SPACE?
I had this issue too, tried a ton of different .m** and .s** eventually i reset the box and had some luck with one of the .s** that didnāt seem to work before. So maybe try a box reset if you are sure you have a well crafted file