Official Meta Discussion

Rooted. DM me if you need nudges.

Any hints of how to find it? Struggling to find any foothold.

@J7R1X Have you fuzzed for directories? What else can gobuster / ffuf look for?

1 Like

Ok, I'm stumped on the user. I keep messing with different ways of trying the .s**, .m**, and .p** files with co***t and mo*****y and I can't get any results. Just errors. At one point I thought I was onto something because my error message had reverse shell code in it but nope. Any nudges (probably significant haha) for user for this thing?

1 Like

I have tried enumerating in many different ways until I found the uploading page.
Tried to upload a reverse shell via playing around with the magic bytes. It seems that I have successfully bypassed the upload sanitization but I don't know how to proceed from this point.
Any ideas/ help will be appreciated.

Thanks for the box @Nauten. I always break my teeth on foothold… :crazy_face:

FOOTHOLD : some obscure word lost in files of a famous distrib. :rofl: Did not find it with favourite tool. :thinking: Don't understand why. Then there's an RCE to get inside.

USER : some program running at user exploiting a special image format.

ROOT : Can't pass any options to binary. See the conf.

Great box overall, but to me, the user part was pretty hard. I might have done something wrong in my research, but it took me ages to find the correct thing. If anyone is willing to exchange on this, I'd be glad, just drop a DM (here or Discord).

Loved the root part.

DM if you are stuck

1 Like

I am having a hard time figuring this out: my exploit is successfully run in the context of UID 3x, but in the context of UID 1xxx I can see that the command is run but no output is saved to the output file I specified.

What am I missing here?

Try with an absolute path.

Got inside but can't be thomas. Can you give me a hint what's next?

Any hints for enum? I saw 3 ports open.

Hi guys, can someone help me a little bit with this machine?
I can't execute the shell and I don't know why it is not working.

Thanks :smiley:

Rooted :slight_smile: I don't have a whole lot of experience with HTB but this is one fun machine.
Just wanted to share my experience:

FOOTHOLD - enumerate and don't just use the tools you are used to, not-so-used dictionaries might be handy too. Also, try to recognize what type of data is shown and which tool could be helpful to gather these data.
USER - look for something being executed.
ROOT - fun little piece of privesc, look into how vars work.

DM me if you're stuck

This box almost killed me - but was a wild wild ride and fun anyways.

FOOTHOLD like others have said relies on enum. I personally recommend the ffuf.me lists as they are so useful for so much enum. Also look for "amass" on GitHub that has some nice lists as well. I use those a lot. My go-to lists now.

USER: one hint - like others have said this box likes to tidy up everything. Do not ignore this hint like I did - cost me 2 days…

ROOT: almost was the death of me… e***** the var < really do not want to say more …

1 Like

Foothold:
Experience can pay dividends as recognizing the output to a command with some basic google will find an exploit.
User:
Try to spy on stuff. Properly enumerate, what's in there? Is that the real file? What version is this? Now how can I exploit?
Root:
Your number one resource might prove useless, but understanding how to set a home dir and adding a line to that interesting file in the home can get you root.

Feel free to message me for some help or tips :slight_smile:

Hi, I'm having trouble. I have a reverse shell with the www-data user. I got the id_rsa from another user but when I try to connect using this rsa-key with ssh I get a Load key "id_rsa": invalid format message. I tried to open it with vim and format it but still get the same error.

2 Likes

I'm trapped…
I managed to find the web where thomas, sarah and judy appear.
I've used all the dictionaries with gobuster and I can't find anything…
Any specific list to use?

Hi, got the www-data shell but currently I'm struggling with local user account - the exploit for cron job running Ima***ck doesn't work. Can somebody point me into the right direction?

What will you do to increase your ATTACK SPACE?

I had this issue too, tried a ton of different .m** and .s**. Eventually I reset the box and had some luck with one of the .s** that didn't seem to work before. So maybe try a box reset if you are sure you have a well-crafted file.