Official Tabby Discussion

rooted. Not bad.
Foothold was easy. Maybe find the suitable place a bit difficult but not so hard.
The root part again interesting. I didn’t know it. Fun.
The worst part were those who don’t clean up his tracks once they finish.

Type your comment> @AgaCash said:

Hi guys, this is my first machine and i’m looking for own root rn. Few days ago i found 2 dirs after owning user in the same directory of the user flag. In the dir w** i found **.t.g . I guess it was the right path to follow but now it’s 2 days that the directories are no longer there so my question is this: is this a bug that those folders are not spawning or i found that because a bug so i have to keep looking around or that dirs are not supposed to be there?
I hope that it’s not spoiler
Thx

Ps: I already tried to reset the machine twice yesterday but nothing changed

This is a free VM, so if you don’t have the top level of VIP you’ll be sharing that server with thousands of others. Someone could have deleted the file to be annoying or it could have been created by a user and the server has been reset.

Type your comment> @JossiHacker said:

Type your comment> @AgaCash said:

Hi guys, this is my first machine and i’m looking for own root rn. Few days ago i found 2 dirs after owning user in the same directory of the user flag. In the dir w** i found **.t.g . I guess it was the right path to follow but now it’s 2 days that the directories are no longer there so my question is this: is this a bug that those folders are not spawning or i found that because a bug so i have to keep looking around or that dirs are not supposed to be there?
I hope that it’s not spoiler
Thx

Ps: I already tried to reset the machine twice yesterday but nothing changed

This is a free VM, so if you don’t have the top level of VIP you’ll be sharing that server with thousands of others. Someone could have deleted the file to be annoying or it could have been created by a user and the server has been reset.

Thx, anyway i found the way and got root. It was quite hard as my first machine but really funny and i learned a lot. I would like to thank everyone who suggested here, see ya in others boxes

Rooted!
It was a fun box. The foothold was a little annoying but after that was more or less easy. The only thing… please delete your files when you finish a machine. Or better, don’t put the files directly on the home folder where anyone can see that, just create a spoiler-alert folder or whatever. I saw a t**.g* file there and was a huge spoiler for me :frowning:
If anyone needs a hint feel free to DM me!

Hi all.

I keep getting the below message then nc drops my connection when trying to spawn my shell.

“java.lang.OutOfMemoryError: Java heap space”

Can anyone tell me why?

Rooted. Not my first box from Egotistical, struggling with foothold as usual. Thanks for the box anyways.
My advice:
Foothold: hardest part of the box. Follow the advice others gave and remember you need to use both services available to find the interesting file.
User: very straightforward, there is very good advice on this forum, essentially look for an interesting file.
Root: I work with this technology virtually everyday so it was rather easy for me, I’d say it’s a very realistic technique and there are tutorials online on how to priv esc using it. Check for unusual details on your account :wink:

Type your comment> @daddy said:

Rooted. Not my first box from Egotistical, struggling with foothold as usual. Thanks for the box anyways.
My advice:
Foothold: hardest part of the box. Follow the advice others gave and remember you need to use both services available to find the interesting file.
User: very straightforward, there is very good advice on this forum, essentially look for an interesting file.
Root: I work with this technology virtually everyday so it was rather easy for me, I’d say it’s a very realistic technique and there are tutorials online on how to priv esc using it. Check for unusual details on your account :wink:

Any chance of a little guidance? I’m struggling to get my shell to work…

id
uid=0(root) gid=0(root)
cat root.txt
f8************58

cat user.txt
95************7e

Got root but wrong hash when submitting? I dont know why?
(Tried reset the box but no luck)

Type your comment> @lanhhuyet510 said:

id
uid=0(root) gid=0(root)
cat root.txt
f8************58

cat user.txt
95************7e

Got root but wrong hash when submitting? I dont know why?
(Tried reset the box but no luck)

same problem, got root but all hash are invalid

Hi all,

I get a 997 user shell, found a z** file which can been interesting but cannot succeed in “open” it. Am I in the right way or not ?
Some hint to succeed to open it (tried j**n, but can’t found anything)

Found: Just had to find the right wordlist…

After that, way to root is quite simple if you check what are your new rights

@lanhhuyet510 said:

Got root but wrong hash when submitting? I dont know why?
(Tried reset the box but no luck)

If you reset the box, your hashes are no longer valid, even when the system is working.

@pppchan said:

same problem, got root but all hash are invalid

This is a semi-regular topic on the forums. The dynamic hashes used by HTB mean that every time a box is reset, or VPN switched etc, a new hash is generated. There are occasions where the new hash isn’t set properly and this cant be fixed by bruteforcing the old hash you have.

The options are:

  • Report it to HTB as a Jira ticket and get them to fix the problem.
  • Wait, it normally resolves itself after a while but if its a box where people are constantly resetting it, it may never fix itself. You will need to re-exploit it to get a new hash when it is fixed, so make sure you kept notes.

This has been going on for quite a few months now. HTB will not change its stance on the dynamic hash as they get very few reports of problems but have successfully identified lots of “flag sharing” and other rule violations. Sadly, despite dynamic hashes being in use since March, there are still people selling/trading flags, so this isn’t going to change.

Type your comment> @Somnus said:

The Biggest push/hint i could give you is.

on Your local kali Box

sudo apt-get install …

find / -iname …

???

Profit :slight_smile:

didn’t want to do this… had to after this comment

Type your comment> @TazWake said:

@lanhhuyet510 said:

Got root but wrong hash when submitting? I dont know why?
(Tried reset the box but no luck)

If you reset the box, your hashes are no longer valid, even when the system is working.

@pppchan said:

same problem, got root but all hash are invalid

This is a semi-regular topic on the forums. The dynamic hashes used by HTB mean that every time a box is reset, or VPN switched etc, a new hash is generated. There are occasions where the new hash isn’t set properly and this cant be fixed by bruteforcing the old hash you have.

The options are:

  • Report it to HTB as a Jira ticket and get them to fix the problem.
  • Wait, it normally resolves itself after a while but if its a box where people are constantly resetting it, it may never fix itself. You will need to re-exploit it to get a new hash when it is fixed, so make sure you kept notes.

This has been going on for quite a few months now. HTB will not change its stance on the dynamic hash as they get very few reports of problems but have successfully identified lots of “flag sharing” and other rule violations. Sadly, despite dynamic hashes being in use since March, there are still people selling/trading flags, so this isn’t going to change.

This is weird!
I tried reset the box several times but after re-exploit flags in the machine are the same. Exactly previous exploits.
I had to wait others to reset the box to see anything else and re-exploit but log luck in submitting flags.

@lanhhuyet510 said:

This is weird!
I tried reset the box several times but after re-exploit flags in the machine are the same. Exactly previous exploits.
I had to wait others to reset the box to see anything else and re-exploit but log luck in submitting flags.

If the flags are the same after a reset, thats a good sign something has broken with the box. Raising a ticket with HTB might help but I dont know if that is faster than waiting for others.

Type your comment> @reno42 said:

Hi all,

I get a 997 user shell, found a z** file which can been interesting but cannot succeed in “open” it. Am I in the right way or not ?
Some hint to succeed to open it (tried j**n, but can’t found anything)

Found: Just had to find the right wordlist…

After that, way to root is quite simple if you check what are your new rights

I’ve nearly supposed that it’s rabbit hole, because I’ve stucked lot of hours at this step.
Can someone give me nudge about right dict ? or maybe about “shape of key” from this door ?
thx

My first pwn on HTB, to be honest.

kali@kali:~$ ssh root@megahosting.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64)

@macrek said:
Type your comment> @reno42 said:

Hi all,

I get a 997 user shell, found a z** file which can been interesting but cannot succeed in “open” it. Am I in the right way or not ?
Some hint to succeed to open it (tried j**n, but can’t found anything)

Found: Just had to find the right wordlist…

After that, way to root is quite simple if you check what are your new rights

I’ve nearly supposed that it’s rabbit hole, because I’ve stucked lot of hours at this step.
Can someone give me nudge about right dict ? or maybe about “shape of key” from this door ?
thx

I’m gonna rock you.

Spoiler Removed

Just a reminder - this is a retired box, I don’t know why something would be a spoiler here now.

Verified OK
wc: ‘/root/Desktop/HACKTHEBOX/VIPSUB/**22.TABBY/lxd-alpine-builder/rootfs/usr/share/alpine-mirrors/MIRRORS.txt’: No such file or directory
sed: -e expression #1, char 2: invalid usage of line address 0
Selecting mirror /v3.13/main
WARNING: Ignoring /v3.13/main: No such file or directory
ERROR: unable to select packages:
alpine-base (no such package):
required by: world[alpine-base]
Failed to install rootfs

Need help for this for the TABBY box.