Official Runner Discussion

Official discussion thread for Runner. Please do not post any spoilers or big hints.

1 Like

Here we gooooooo!!! Welcome to the new season everyone :3

3 Likes

Any hint for user?

Same… I have been googling nginx exploits & vulns and can’t find anything that fits.

any hint?

I’d recommend looking into C****. You’re going to want to create a custom wordlist to subject the site to wink wink

3 Likes

I tried to bruteforce the directory, but it didn’t work. Did I leave something out?

You’re on the right track, but it’s not a directory. If you’re using gobuster, look into the usage of a different flag (that is, not dir).

2 Likes

Thank you man, that is a big hint. But what were you thinking? ■■■■, I never thought about that.

Got initial foothold.
Are user hashes brute-forceable, or should I look for another way before I burn out the GPU?

anyone have a nudge on root?

Hello Guys,

I’m really stuck on this.
I tried to find interesting directories on the web server and the server on port **** but I didn’t find anything.
I tried to generate a custom wordlist with CeWL and found nothing within file or custom subdomain DNS.
Maybe I’m dumb but I don’t find anything…
Anyone have a clue please :slight_smile:

Thanks, regards

As a general rule, when scanning for subs on HTB machines, go for vhosts instead of dns.

1 Like

Didn’t find more with that, sorry. I certainly need some rest, my brain is tired for sure…

Is the j**n hash brute-forceable or should I look for something else?

One of those two definitely is. hashcat doesn’t do well though (at least for me), but jtr did the trick

1 Like

Thank you. I screwed up that enumeration 10 mins in. Redid it properly and it worked this time… well that was a few hours wasted.

Hey, I got the M*****w passwd but it doesn’t work on ssh. Am I in a rabbit hole?

Not a problem! It took me ages too, this box has been full of retrospective "duh"s for me

It’s good to hold onto credentials. Some of the time you don’t need them right away but they come in handy as you get more information/do more enumeration. I’d take a deeper look at what you have access to and maybe play around with it.

Hope that gives you the answer you need, trying to be a little bit vague. You might not need to know the password for every user you find if you can manipulate it or find another method of authentication.

1 Like