@Spunnring said:
use Burp instead of trying to view XML Files in the Browser!
I wasted 4h because I thought the file wasn’t there
Or you can try to view page source code
@Spunnring said:
use Burp instead of trying to view XML Files in the Browser!
I tend to go with what @NordeN said. In very general terms, if your browser shows you a blank page, it got some valid data back from the server. If it doesn’t get data (i.e. the service doesn’t exist) you get a browser error message, if the page doesn’t exist you get a server error message.
Blank responses are almost always worth further investigation to find out why it is blank.
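The distinction drawn in the reply above (no service, server error, or data that the browser renders as blank) can be checked from the raw response instead of the rendered page. This is an added example, not part of the original post; the loopback server, the `/sample.xml` path and the function names are constructed for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample document: valid XML with no text a browser would display.
SAMPLE_XML = b'<?xml version="1.0"?>\n<config><item name="demo"/></config>\n'
# Ignore proxy environment variables so the result reflects a direct connection.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def classify_fetch(url, timeout=3):
    """Return (category, detail) for the three outcomes described above."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read()
            ctype = resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as exc:
        return ("server-error", exc.code)   # server answered: page not there
    except (urllib.error.URLError, OSError) as exc:
        return ("no-service", str(exc))     # nothing answered: browser error page
    # Data came back even if a browser would show a blank page: report raw facts.
    return ("data-returned", (len(body), ctype))

class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/sample.xml":
            self.send_response(200)
            self.send_header("Content-Type", "application/xml")
            self.end_headers()
            self.wfile.write(SAMPLE_XML)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    """Start a loopback-only server on a free port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    srv, base = start_demo_server()
    for path in ("/sample.xml", "/missing.xml"):
        print(path, classify_fetch(base + path))
    srv.shutdown()
```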
Finally rooted, good box and learned new things Like IT!
Spoiler Removed
@dbstart09 said:
Can I use another tool? I mean is there any default tool for the same in Kali Linux?
Yes, but the tool you’ve read about is better.
That was a fun one. Bootie Rootie in about 2 hours, yay!
Learned a ton about the stuff involved with the privesc too.
The box is quite amazing, learned some new stuff. Especially the first part to get user. It took me almost 3 hrs to find the correct path to find user and password. Priv esc is something new, I have never done that before.
Hint: Enumerate well for the first part after L*I. Google is your friend to find the exact path, and look for a high port for a little bit of guesswork to get your way.
USER: Documentation can help your way in.
Root: What you found while enumerating, if anything is suspicious just google it. You will get your way.
@egre55 Thanks for this awesome box.
Looking forward to more cool boxes of this type.
Phew - finally rooted.
Foothold - a struggle for me but all the comments in this forum will point you in the right direction. Thanks to @3VAD3 and @TazWake for their help.
User - I wasted hours using the wrong tool. If you don’t get what you expect within a couple of minutes try something different or new, in my case.
Root - Easy to spot and there is a very good article if you google it. For me, it was the easiest part of this box.
All in all a very good box and I learnt a lot.
Too much time and wasted effort, but I got root and I learned A LOT from this one. My turn to drop some hints. To be fair, many of the hints already listed here will help drastically if you pay attention, but I always like to contribute where and how I can.
Foothold: This is going to be the tricky part. Again, pay attention. If something doesn’t seem right on the page, investigate. Look at the errors, and any open documentation. Dismiss nothing. Once you know what you are looking for, google to see if you can find the exact location. It may not be where you think it should be.
User: What do you have access to? Too often the next step is hidden in plain sight; in this case almost literally. Enumerate, check files, see what you can find.
Root: Relatively simple, but new to me (which was quite fun). What powers do you currently have? Linpeas will point you in the right direction.
This box definitely feels real life; I can easily see a company following these steps to believe they are secured. Try to think about it from the other side, as a sysadmin.
Good luck, and let me know if I can help or provide any advice!
For the foothold, if you try to be lazy and don’t install it yourself, you’ll probably spend 5 times as long getting that path. ■■■■
I rooted the machine
but HTB says ERROR, it refuses the flag???! Any idea?
@CONFIANT said:
I rooted the machine
but HTB says ERROR, it refuses the flag???! Any idea?
HTB moved to dynamic hashes a few months ago. This means the hashes change every time the box reboots and across VPNs.
Sometimes someone has rebooted the box between you getting the hash and submitting it. This is just unlucky.
Sometimes the dynamic hash doesn’t work because it hasn’t been properly registered or it simply breaks. It’s worth reporting this to HTB on JIRA so they can understand the issues.
Alternatively, reboot and re-pwn then try the new hash. Remember to leave it a few minutes after the reboot though.
@TazWake said:
@CONFIANT said:
I rooted the machine
but HTB says ERROR, it refuses the flag???! Any idea?
HTB moved to dynamic hashes a few months ago. This means the hashes change every time the box reboots and across VPNs.
Sometimes someone has rebooted the box between you getting the hash and submitting it. This is just unlucky.
Sometimes the dynamic hash doesn’t work because it hasn’t been properly registered or it simply breaks. It’s worth reporting this to HTB on JIRA so they can understand the issues.
Alternatively, reboot and re-pwn then try the new hash. Remember to leave it a few minutes after the reboot though.
That was very helpful … thank you
Nice box, some issues in the initial phase but after that it is not hard.
Got the creds for ho**-ma***er but can't figure out what to do next, please help me
Been trying to use m*****r-s****t privs to upload/deploy war for hours now. Can someone help me out? Feel like I’m gonna start breathing fire at any second
Either I’m missing something very obvious or the documentation is lacking. Honestly I think it’s a bit of both
Just a guess, Check your command is hitting the correct endpoint, and enclose the password in single quotes…
Yes, it is hitting the correct endpoint and I am using single quotes
My approach must be slightly off but the documentation is not helping at this point
If I’m hitting the wrong endpoint then I don’t know what the correct endpoint could possibly be lol
Don’t have my notes with me, but I recall when I did it, I made the mistakes above, and my url had ‘host-‘ in it, which from memory I had to remove…sorry I don’t have any more details than that right now…