Official Pit Discussion

@subtilis said:

I think that my walk doesn’t go as far as it should. Anyone else having the same problem? I’m on VIP+. Who can I PM to show my results and see if indeed my walk is short?

To all those that have a problem with the walk not completing (resulting in a timeout): the culprit might be your internal network (snmpwalk interferes with that as well). Your router maybe? Anyway, try the walk through another network. I used my phone as a hotspot and connected through there! It worked like a charm!

Nice workaround! For me it worked just by changing VPN servers from HTB, might be worth trying first :wink:

Good and weird box at the same time. Since I am quite familiar with ‘walk’ and after reading just the first page of the discussion I had a good idea of what and how to look for without any additional scripts or ‘extensions’. The number you need to know is pretty standard for looking ‘beyond’.
But I spent most of my time trying to root it … I am not very familiar with SE … That might be the case, I am not sure… Can anybody who understands PM me why the hell it is impossible to execute any sort of script (for instance ping inside a script, or redirecting a string to any of the directories within the system)?
For those who got the right vector but are unable to get any use of it: try more different commands; the allowed commands/scripts are limited (I did my own investigation after obtaining root and reset, and it’s definitely very limited). Can anyone explain why?

While it was rewarding to get the hop from thing to thing successfully (and there are many things), this one really fell flat for me near the end. Not to be too much of a hater, but the root process seemed so extraordinarily arbitrary that it made the whole thing feel disjointed and intentionally oblique, like it was concocted only to be tricky, not fun or educational.

It’s nice to be rewarded for truly solid enumeration, but I didn’t really get that on the root… was it really just a large amount of guessing & luck? To clarify, you can track down what you need to use to root this by being thorough, I mean the actual exploitation. The way I solved it felt kind of devised and challenging for the sake of being challenging.

It’s super likely I was missing some indicator of what might have worked and just got lucky throwing stuff at it, I suppose. Would someone please PM me if this was the case? I’d love to learn what I might have missed.

Overall, I had a good time with this! It’s hard to get pacing right, but this had really even, constant discoveries and momentum the entire way through. That’s a great design achievement. Thanks for a fun, if not tricky, machine :slight_smile:

Hey there, can I PM someone for the initial foothold?

@mrWh17e said:

Hey there, can I PM someone for the initial foothold?

Data from UDP certainly helps accessing something on TCP.

Anyone willing to sanity check? I’m sure about the root privesc but it doesn’t seem to execute (tried a bunch of stuff though).

Edit: nvm, got it…

Rooted!

Bit hard for medium level, but absolutely a great machine to learn so many things.

User: there are more and more ways to go wrong on the initial foothold. You need to find the right path to go further, especially for the password. Think about real-world flaws related to passwords. Think about other ports and other protocols. I couldn’t find a path/plan to get user, so I tried all possibilities at that time & point; the result made up the path to go further.

Root: relate the initial foothold stuff with privilege escalation and you will find a way; root is easy when compared to user!

Experienced guys may take little time to break it, but if you are a beginner I suppose you need time to break this machine!

DM me for nudges!

Definitely a tricky box. I had some trouble getting linpeas to execute for some reason, so I couldn’t do proper enumeration. A bit frustrating for me personally, but I found root very interesting. Here are a couple of my hints for the foothold because I think that’s where people struggle the most. Thanks to @Element92 for helping me get root.

Foothold:

  • Usually you use one type of protocol for nmap; this time use the other.
  • Enum the service using a special Perl script (I ran into two different repos, only one of them will work); a manual walk won’t find it.
  • Get onto the second service (some guessing is required :frowning: ) and look for exploits. It will try to make you think it’s patched… but it isn’t.

Hi Friends,

I think I need a nudge. I did my enumeration and did “walk” the walk, but no matter how far I walk I don’t seem to find anything which looks interesting. I even walked different ways, using the good ol’ swk or using some help from mes****, but no way of walking seems to give me something juicy.

A nudge would be appreciated, feel free to PM me.

@Dirks0n said:

Hi Friends,

I think I need a nudge. I did my enumeration and did “walk” the walk, but no matter how far I walk I don’t seem to find anything which looks interesting. I even walked different ways, using the good ol’ swk or using some help from mes****, but no way of walking seems to give me something juicy.

A nudge would be appreciated, feel free to PM me.

Look closely at the output. It gives you a place to go and the credentials you need. (This might need a slight leap of faith but remember usernames are often used as passwords)

This box should be of difficulty level “hard”.

user: You need to walk and observe things.
Finding hidden web apps.
Finding config files.

Root: You need to take a walk again.
Find something you might have missed earlier.

PM for hints.

Finally rooted!

I learned a lot from this machine!

Thank you @polarbearer and @GibParadox for this awesome machine, and thank you @pswalia for your hints!

PM for hints.

@dombg said:
… So tip from my side: I did another reset on the machine, then I changed VPN servers, now it works and it’s a looot of information that I had missed and could have used earlier simply because something was off with the connection… I hope this prevents others from being stuck for 4 hours for no reason^^

This is CRITICAL to be aware of. I just had the same thing happen and wasted many hours looking for information that would never appear. I was operating with OpenVPN Connect on Win10 and running commands within Kali in WSL2, and after reading all the potential hints here and trying tons of different ideas I couldn’t find any useful information past the place where I need to log in.

I spun up a Pwnbox since I expected that config to be solid, ran the exact same command and boom, I got the information I’d been looking for the past few hours :cold_sweat: I did move the Pwnbox to a less busy VPN, not sure if that was the problem or something with my setup.

I’m happy to be past this now, but it’s frustrating that this can happen at seemingly no fault of my own. If anyone knows what might actually be happening and how I may be able to fix it, please DM me.

EDIT: NM fixed

Hello,

I got the creds for pit on port 9090, but I keep receiving the following error:

Connection failed

There was an unexpected error while connecting to the machine.
Messages related to the failure might be found in the journal:
journalctl -u cockpit

I have reset the machine but still getting the same message. If someone could please let me know what I am missing, that would be great.

Pepe

Rooted!
Learned some new tricks. But needed the tips here in the forum to figure out the foothold. Thanks guys!

Can somebody in this forum help me with the root part? I think it should work, but this machine doesn’t let me log in as root.

walk -v * -c ***** pit.htb (binary_num)
iso.(binary_num) = STRING: "/usr/bin/mon
"

❯ ssh root@pit.htb
root@pit.htb: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

@k01n said:

Can somebody in this forum help me with the root part? I think it should work, but this machine doesn’t let me log in as root.

walk -v * -c ***** pit.htb (binary_num)
iso.(binary_num) = STRING: "/usr/bin/mon
"

❯ ssh root@pit.htb
root@pit.htb: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Finally I found the “mistake”. Rooted.

Not a cool machine.