Felt like that was a good box for a medium.
Nice, solid medium box.
I especially liked the initial part, the rabbit hole and all. I anticipated the vector to be very, very different from what I eventually exploited. (I would be interested in learning about approaches that seemingly exploited vulnerabilities of nginx itself though, as my approach revolved more around normalization)
The escalation route was reasonably well obfuscated (in my experience, if you find that linpeas or linenum doesn’t give you what you need, it will always be that one other tool that holds the info), but once I understood the underlying service the actual exploit became fairly straightforward.
Final privesc to root was the quickest I have ever done on HTB.
@TazWake said:
Felt like that was a good box for a medium.
Totally agree, fun medium box. Even though I was familiar with common issues regarding the architecture, foothold took me a lot of time.
Little hint for foothold last step if you are stuck on 403 even though you should have the privs and you know what to do: Try a different browser, delete cookies etc. and reset the box if necessary.
PM me for nudges, always happy to help.
rooted
Rooted!
Foothold way harder than the rest of the box as I didn’t know about the 403 trick. User and root are extremely easy.
PM for a nudge but don’t forget to tell me what you’ve tried!
Can someone pm me and give me some help please?
I need a lil help: I have the root shell but can't see a root flag. Did I miss something?
PS: as soon as I said that, I got the flag. Losing my mind over this. It's easy btw. Nice machine, I rooted it!
Rooted, what a fun machine. I really enjoyed the foothold because the inner workings behind it were interesting to me and I hadn’t seen it before. As always DM me if you are stuck and I will do my best to help.
Hello, need a nudge for foothold on the Seal machine. Thanks.
Hello guys, managed to get credentials of tomcat but then can't access the /m******/h***. Then I try to log in to /m******/s***** but still the h*** displays forbidden. Tried googling path traversal but couldn't find the right answer. Need help, guys. Appreciate it.
@DemChuck said:
Hello guys, managed to get credentials of tomcat but then can't access the /m******/h***. Then I try to log in to /m******/s***** but still the h*** displays forbidden. Tried googling path traversal but couldn't find the right answer. Need help, guys. Appreciate it.
Google bypassing that error code. There is a GitHub repo that might help.
Great box, congrats @MrR3boot.
The user part was a bit tricky for me, but very entertaining
@TazWake said:
@DemChuck said:
Hello guys, managed to get credentials of tomcat but then can't access the /m******/h***. Then I try to log in to /m******/s***** but still the h*** displays forbidden. Tried googling path traversal but couldn't find the right answer. Need help, guys. Appreciate it.
Google bypassing that error code. There is a GitHub repo that might help.
I tried using 4Fuz* from GitHub but what I always get is a max retries exceed error. I wonder if we need to use the tools provided or just try our luck?
Rooted this box now; foothold was such a nightmare. PE was very interesting. Overall a great box!
If you want nudges, please PM
Not that easy at all. Wasted most of the time for the initial foothold. Many comments here are misleading…
Foothold:
Things are double at first sight.
User:
Don’t waste time with automated scripts. Take a look at file permissions.
Root:
Basic linux enumeration.
PM me for a nugget.
.
Rooted!
Very interesting machine!
Especially the user part!
Root is very easy compared to user!!!
ROOTED !
USER very interesting part!!
Root easy
I’m stuck. I can access m**r/h, but when I try to upload anything I get another 403.
Edit: never mind, got it to work
Edit 2: Rooted. Great box! Foothold was the hardest part. Got root with the first thing I tried.