Official discussion thread for Runner. Please do not post any spoilers or big hints.
Here we gooooooo!!! Welcome to the new season everyone :3
Any hint for user?
Same… I have been googling nginx exploits & vulns and can’t find anything that fits.
any hint?
Id recommend looking into C****. You’re going to want to create a custom wordlist to subject the site to wink wink
I tried to bruteforce the directory, but it didn’t work. Did I leave something out?
You’re on the right track, but it’s not a directory. If you’re using gobuster, look into the usage of a different flag (that is, not dir).
Thank you man, that is big hint. But what were you thinking? ■■■■, i never thought about that.
Got initial foothold.
Are user hashes brute-forceable, or should i look for another way before i burn out the GPU?
anyone have a nudge on root?
Hello Guys,
I’m really stuck on this.
I tried to found interested directory on web server and server on port **** but i didn’t found nothing.
I tried to generate a custom wordlist with ceWl and found nothing withing file or custom subdomain DNS.
Maybe i’m dumb but i don’t find anything…
Anyone have a clue please
Thank regard
As a general rule, when scanning for subs on HTB machines, go for vhosts instead of dns.
No found more with that, sorry certainly need some rest my brain is tired for sure…
Is the j**n hash brute-forcable or should I look for something else?
one of those two definitely is. hashcat doesn’t do well though (at least for me), but jtr did the trick
Thank you. I screwed up that enumeration 10 mins in. Redid it properly and it worked this time… well that was a few hours wasted.
Hey i dot the M*****w passwd but it doesn’t work on ssh am i in a rabbit hole?
Not a problem! It took me ages too, this box has been full of retrospective "duh"s for me
It’s good to hold onto credentials. Some of the time you don’t need them right away but they come in handy as you get more information/do more enumeration. I’d take a deeper look at what you have access to and maybe play around with it.