Official TheNotebook Discussion

Very nice box! The foothold took me the longest as I wasn’t familiar with the technology.

You should be able to root it with the hints from the last couple pages but feel free to PM if you need a hint. Just let me know what you’ve tried until now.

Thank you, @mostwanted002 for a really fun box!

Foothold and root both took me ages, but the “light bulb” moments were very rewarding.

Foothold and user were relatively straightforward, but now I am stuck on root. I think I got the right path but would like to check with someone if I am on the right track, as I couldn’t get a shell back yet with the exploit I am trying to use. Please PM me.
Rooted: took me a while to understand how this works and to get the exploit to work properly. Thanks @xDragon for resolving an issue with the final exploit.
Funny thing … just learned the things I needed for foothold/user last week … and what I learned for root I can apply to a currently running pentest. So this was a full-on machine experience. Well done … :smiley:

Finally got a root shell.
DM if you are really stuck.

Found the way to get the PE (100% sure, proved in the HTB Discord that it’s the one) - but it does not work. Like it runs but nothing happens.
Thought I’d broken the way on the machine - even restarted it.
But after I’d mentioned that, it fixes itself.
Tried to be “faster” - same result.

Has anybody encountered such a problem?

@spellanser said:

Found the way to get the PE (100% sure, proved in the HTB Discord that it’s the one) - but it does not work. Like it runs but nothing happens.
Thought I’d broken the way on the machine - even restarted it.
But after I’d mentioned that, it fixes itself.
Tried to be “faster” - same result.

Has anybody encountered such a problem?

Are you running two sessions? The approach needs the exploit running in one, while you “exploit” it properly in the second before the first one finishes.

@TazWake said:

Are you running two sessions? The approach needs the exploit running in one, while you “exploit” it properly in the second before the first one finishes.

Yeap, I’m running in two sessions.

@spellanser said:

Yeap, I’m running in two sessions.

■■■■ it, I’m an idiot. Found my mistake.

Hint: remember that when you remove a file on Linux which is in use by a running process, it will not be removed. Its inode is still there.
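The inode hint above is a general Linux fact, and it is the reason a "swap the file under a running process" approach can appear to run and yet do nothing. The following is an added example written for this page, not code from the thread or from the box author: it simulates the running process with a file descriptor held open and contrasts removing and recreating the file with overwriting it in place. The file name and contents are constructed for the demo.

```python
import os
import tempfile


def deleted_file_keeps_inode() -> dict:
    """Show what a process that already holds a file open sees when the file is
    (a) removed and recreated at the same path versus (b) overwritten in place.

    The "holder" is simulated by a descriptor this function keeps open; the
    path and contents are constructed for the demo and are not from the box.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "in_use.bin")  # constructed name
    with open(path, "wb") as f:
        f.write(b"ORIGINAL")

    holder = os.open(path, os.O_RDONLY)  # stands in for the running process
    original_inode = os.fstat(holder).st_ino

    # (a) rm + recreate: the directory entry is gone, but the holder's inode
    # survives with link count 0, and the new file at the same path is a
    # different inode, so the holder keeps reading the old bytes.
    os.unlink(path)
    nlink_after_unlink = os.fstat(holder).st_nlink
    with open(path, "wb") as f:
        f.write(b"REPLACED")
    recreated_inode = os.stat(path).st_ino
    os.lseek(holder, 0, os.SEEK_SET)
    seen_after_recreate = os.read(holder, 64)
    os.close(holder)

    # (b) overwrite in place: open the existing inode for writing without
    # unlinking it, so the holder sees the new bytes through its descriptor.
    holder = os.open(path, os.O_RDONLY)
    with open(path, "r+b") as f:  # same length as before, so no truncation needed
        f.write(b"INPLACE!")
    os.lseek(holder, 0, os.SEEK_SET)
    seen_after_inplace = os.read(holder, 64)
    os.close(holder)

    os.unlink(path)
    os.rmdir(tmpdir)
    return {
        "nlink_after_unlink": nlink_after_unlink,
        "recreate_changed_inode": recreated_inode != original_inode,
        "holder_sees_after_recreate": seen_after_recreate,
        "holder_sees_after_inplace": seen_after_inplace,
    }


if __name__ == "__main__":
    for name, value in deleted_file_keeps_inode().items():
        print(f"{name}: {value!r}")
```

The practical check when a race of this kind "runs but nothing happens" is `ls -li` on the target path before and after your replacement step, or `/proc/<pid>/fd` on the process you are racing: if the inode number changed, the process is still using the old one and the new bytes never reach it.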

Hey Folk,
I am stuck on the foothold. I’ve enumerated everything and I feel like I have a good understanding of how the web app works.
I’ve also found out how to make the machine GET an HTTP request to my machine (using the k** field of the J*T). But I can’t really get my head around this and how to exploit it.
Would anyone give me a hint? I have the feeling it’s just something basic I haven’t thought about.

Thanks

EDIT: I figured it out. Hint for who will struggle next, the path is right, but the RCE is a consequence not the first aim.

@Tw1st3dxF4t3 do you understand what that field you’ve modified is used for?
if you want to discuss this in more detail just send me a private message.

@xaif7aLe yes, I think I do. But still can’t make it useful for RCE. I’ll pm you.

@Tw1st3dxF4t3 said:

@xaif7aLe yes, I think I do. But still can’t make it useful for RCE. I’ll pm you.

RCE sounds like a rabbit hole. tamper with what defines who you are
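"Tamper with what defines who you are" refers to the claims carried in the token. The example below is added for this page and is not code from the thread or from the box: using only the standard library it mints and checks HS256 tokens, shows that editing a claim without the key breaks the signature, and then shows what goes wrong when a verifier lets the token itself choose which key it is checked against. The secrets, the claim names, the `key_src` header field and the `key_store` dictionary are all constructed for the demo; the box's own redacted field is not reconstructed here.

```python
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-server-secret"   # constructed for the demo
ATTACKER_KEY = b"constructed-attacker-key"     # constructed for the demo


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Mint header.claims.signature with HMAC-SHA256 over the first two parts."""
    signing_input = f"{_encode(header)}.{_encode(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature checks out under `key`, else None."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(claims_b64))


def tamper_claims(token: str, **changes) -> str:
    """Edit the claims but keep the old signature (the naive first attempt)."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return f"{head_b64}.{_encode(claims)}.{sig_b64}"


def verify_with_token_chosen_key(token: str, key_store: dict):
    """BROKEN verifier: the hypothetical 'key_src' header field names the key to
    check against, so whoever writes the header also picks the key."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    key = key_store.get(header.get("key_src"))
    return None if key is None else verify_hs256(token, key)


def demo() -> dict:
    header = {"alg": "HS256", "typ": "JWT", "key_src": "server"}
    guest = sign_hs256(header, {"sub": "guest", "admin": False}, SERVER_SECRET)

    # 1. flip the claim, keep the signature: rejected by a strict verifier
    claims_only = tamper_claims(guest, admin=True)
    # 2. flip the claim, re-sign with an attacker key, and point the header
    #    at that key
    resigned = sign_hs256(dict(header, key_src="attacker"),
                          {"sub": "guest", "admin": True}, ATTACKER_KEY)
    # stands in for "wherever the token says the key lives"; constructed
    key_store = {"server": SERVER_SECRET, "attacker": ATTACKER_KEY}

    return {
        "legit": verify_hs256(guest, SERVER_SECRET),
        "claims_only_strict": verify_hs256(claims_only, SERVER_SECRET),
        "resigned_strict": verify_hs256(resigned, SERVER_SECRET),
        "resigned_broken": verify_with_token_chosen_key(resigned, key_store),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The strict verifier rejects both forgeries because it only ever uses the server's own key. The broken one accepts the re-signed token: the signature is valid, just not under a key the server should trust. That is why a server fetching key material from a location the token names is a foothold in itself, before any code execution comes into the picture.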

Very great box. Absolutely loved the root part, very interesting topic to learn. Thanks @mostwanted002

Finally got root !!!. Love the foothold and root part.
There are some rabbit holes in there guys, be aware !!!
PM me if you need any help, please tell me what have you tried before asking for hints !!

This machine is interesting. Some thoughts:

Foothold

Intercept your web requests. Classic tampering with data.

User

Enumeration. A folder stands out.

Privesc

  • What commands can you run as root? → Google that vulnerability
  • Grab a coffee, because it takes a while to understand.

Notes

I had the executable built correctly and the commands executed well. It took me a solid hour rerunning the same thing before the root shell actually popped. If you’re certain, keep at it. I think I might have been too slow every time.

Can some one DM me to help with foothold? I think I’m missing something here.

Spoiler Removed

Finally rooted.
This was my hardest HTB so far and taught me a lot.

Foothold: check everything you intercept and try to understand what you have and research how to use at your advantage
User: Classic enum script points you into the right direction
Root: spent a lot of time to make this part work. After the classical enumeration, Google helped with the right path to pursue but the thing I found needed some polish in order to work as I wanted.

Thanks a lot for the box!

Hi all, I have got root, but am not able to find the flag. Please help.

ls -la

total 24
drwx------ 1 root root 4096 Apr 12 15:38 .
drwxr-xr-x 1 root root 4096 Apr 12 15:38 ..
lrwxrwxrwx 1 root root    9 Apr 12 15:38 .bash_history -> /dev/null
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 3 root root 4096 Feb 12 07:30 .cache
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw------- 1 root root    0 Feb  9 08:02 .python_history
-rw-r--r-- 1 root root  254 Feb  9 08:09 .wget-hsts

id

uid=0(root) gid=0(root) groups=0(root)

pwd

/root

@souravguin said:

Hi all, I have got root, but am not able to find the flag. Please help.

It might be worth checking you have root in the box, not in a container.