Type your comment> @Meise said:
Hi there, i’m trying to figure out how to get root, can someone give me a nudge? i know where to walk and i walked
information you got walking before, now helps you to walk better and get root.
Could someone tell me, am I supposed to bruteforce/guess that pw for the login found after walking? I checked my walk and everything I picked up beforehand, tried default creds, common usernames with xato-10000, no luck -.- little nudge would be appreciated.
Edit: got help, someone could confirm that they got all they needed with the same command I used during the walk. So tip from my side: I did another reset on the machine, then I changed VPN servers, now it works and its a looot of information that I have missed and could have used earlier simply because something was off with the connection… I hope this prevents others from being stuck for 4 hours for no reason^^
DMN! is this really a medium machine??!
it took me a lot of steps and focus to get foothold only!
but anyway I have learnt a lot of good stuff…
this is my nudges for you
foothold: you have to make your recon wider, after that some google searching will help alot… focus twice on your walk you may meet a new friend on a way…
user: search smartly… it is too close!
root: let’s walk again! and look carefully, if you found it every things will be clear!
anyway root part need additional steps like install sn**-mi**-do******** and execute it on your local macine this made me stuck for hours! it’s annoying
Type your comment> @subtilis said:
I think that my walk doesn’t go as far as it should. Anyone else having the same problem? I’m on VIP+. Who can I PM to show my results and see if indeed my walk is short?
To all those that have e problem with the walk not completing (resulting in a timeout). The culprit might be your internal network (****walk interferes with that as well). Your router maybe? Anyway, try the walk through another network. I used my phone as a hotspot and connected through there! It worked like a charm!
Type your comment> @subtilis said:
Type your comment> @subtilis said:
I think that my walk doesn’t go as far as it should. Anyone else having the same problem? I’m on VIP+. Who can I PM to show my results and see if indeed my walk is short?
To all those that have e problem with the walk not completing (resulting in a timeout). The culprit might be your internal network (snmpwalk interferes with that as well). Your router maybe? Anyway, try the walk through another network. I used my phone as a hotspot and connected through there! It worked like a charm!
Nice workaround! For me it worked just by changing VPN servers from HTB, might be worth trying first 
Good and weird box at the same time. Since I am quite familiar with ‘walk’ and after reading just first page of discussion I had a good idea for what and how to look without any additional scripts or ‘extensions’ . The number you need to know is pretty standard for looking ‘beyond’.
But I spent most of my time trying to root it … I am not very familiar with SE … That might be a case, I am not sure… Can anybody who understand pm me why the ■■■■ it is impossible to execute any sort of scripts (for instance ping inside script, or redirecting string to any of the directories within the system?).
For those who got the right vector but unable to get any use of that - try more different commands, the allowed commands/scripts is limited (I did my own investigation after obtaining root and reset and it’s definitely very limited). Anyone can explain why?
While it was rewarding to get the hop from thing to thing successfully (and there are many things), this one really fell flat for me near the end. Not to be too much of a hater, but the root process seemed so extraordinarily arbitrary that it made the whole thing feel disjointed and intentionally oblique, like it was concocted only to be tricky, not fun or educational.
It’s nice to be rewarded for truly solid enumeration, but I didn’t really get that on the root… was it really just a large amount of guessing & luck? To clarify, you can track down what you need to use to root this by being thorough, I mean the actual exploitation. The way I solved it felt kind of devised and challenging for the sake of being challenging.
It’s super likely I was missing some indicator of what might have worked and just got lucky throwing stuff at it, I suppose. Would someone please PM me if this was the case? I’d love to learn what I might have missed.
Overall, I had a good time with this! It’s hard to get pacing right, but this had really even, constant discoveries and momentum the entire way through. That’s a great design achievement. Thanks for a fun, if not tricky, machine 
hey there, Can I PM someone for the initial foothold ?
@mrWh17e said:
hey there, Can I PM someone for the initial foothold ?
Data from UDP certainly helps accessing something on TCP.
Anyone willing to sanity check? i’m sure about the root privesc but it doesn’t seem to execute (tried a bunch of stuff tho)
Edit: nvm, got it…
Rooted !
Bit hard for medium level but absolutely a great machine to learn so much of things.
User: there are more and more ways to go wrong on initial foothold.
you need to find right path to go further. especially for the password
think about real world flaws related to passwords.
think about other ports and other protocols. I can’t find a path/plan
to get user so i did all possibilities at that time & point, the result
made up the path to go further.
Root : relate initial foothold stuff with privilege escalation you will find
a way, root is easy when it’s compared to user !
Experienced guys may take little time to break, but if you are a beginner
i suppose you need time to break this machine !
DM me for nudges !
Definitely a tricky box, I had some trouble getting linpeas to execute for some reason so I couldn’t do proper enumeration. A bit frustrating for me personally but I found root very interesting. Here’s a couple of my hints for foothold because I thinks that’s where people struggle the most. Thanks to @Element92 for helping me get root
Foothold:
- usually you use one type of protocol for nmap, this time use the other.
- enum the service using a special perl script (I ran into two different repos, only one of them will work), a manual walk won’t find it
- get onto the second service, some guessing is required
and look for exploits. It will try to make you think it’s patched… but it isn’t
Hi Friends,
I think I need a nudge. I did my enumeration and did “walk” the walk, but no matter how far I walk I don’t seem to find anything which looks interessting. I even walked different ways, using the good ol swk or using some help from mes**** but no way of walking seems to give me something juicy.
Nudge would be appricated, feel free to PM me.
@Dirks0n said:
Hi Friends,
I think I need a nudge. I did my enumeration and did “walk” the walk, but no matter how far I walk I don’t seem to find anything which looks interessting. I even walked different ways, using the good ol swk or using some help from mes**** but no way of walking seems to give me something juicy.
Nudge would be appricated, feel free to PM me.
Look closely at the output. It gives you a place to go and the credentials you need. (This might need a slight leap of faith but remember usernames are often used as passwords)
this box should be of difficulty level “hard”
user: You need to walk and observe things.
Finding hidden web apps.
Finding config files.
Root: You need to take a walk again.
Find something you might missed earlier.
Pm for hints.
Finally rooted !
I learned a lot from this machine !
Thank you @polarbearer and @GibParadox for this awesome machine, and thank you for @pswalia for your hints !
PM for hints.
@dombg said:
… So tip from my side: I did another reset on the machine, then I changed VPN servers, now it works and its a looot of information that I have missed and could have used earlier simply because something was off with the connection… I hope this prevents others from being stuck for 4 hours for no reason^^
This is CRITICAL to be aware of, I just had the same thing happen and wasted many hours looking for information that would never appear. I was operating with OpenVPN Connect on Win10 and running commands within Kali in WSL2, and after reading all the potential hints here and trying tons of different ideas couldn’t find any useful information past the place where I need to log in
I spin up a Pwnbox since I expect that config to be solid, I run the exact same command and boom I get the information I’ve been looking for the past few hours 
I did move the Pwnbox to a less busy VPN, not sure if that was the problem or something with my setup.
I’m happy to be past this now but frustrating that this can happen at seemingly no fault of my own, if anyone knows what might actually be happening and how I may be able to fix it please DM me
EDIT: NM fixed
Hello,
I got the creds for pit on port 9090, but I keep receiving the following error:
Connection failed
There was an unexpected error while connecting to the machine.
Messages related to the failure might be found in the journal:
*journalctl -u cockpit *
I have reset the machine but still getting the same message. If someone could please let me know what I am missing, that would be great.
Pepe