Official Undetected Discussion

Another try. I’ll try not giving nudges. So sorry if it’s too much. For a medium, I found it a bit hard.

FOOTHOLD : pretty much what you see at first glance. Check closely at web files to find a way to enter.

USER : well, the boxe’s name is undetected. So see what’s hidden and check contents.

ROOT : the tricky part. Some threads running on the background and doing things. Take a close look to message from user. I was not able to use the mail service. I’m stuck at reverse.

3 Likes

did you rooted? I am currently stuck at reverse as well.

No sorry.

I got foothold and user relatively easily, but I’ve been struggling on privesc for about 6 hours now. I thought I found a number of ways up but so far no dice.

I found a weirdly permissioned file in a web directory that seems promising, but I need a break for a bit.

If anyone feels like giving me a nudge on root privesc to verify if I’m even on the right track, I would appreciate it.

Stuck on root. Anyone doing the L*_*****D trick and might give me a nudge. Always getting a strange error.

hey man, I found this trick as well, but probably I am getting same error as you got.

I made a program with bac***** snipset of code to reproduce calculation, but I’m not very aware in reverse. Is the first byte character of -0x5b or it is the last character? Having something to see with little or big indian, I think… Therefore, any orientation doesn’t give me the password…

Maybe there’s another computation elsewhere. Please help.

EDIT : well, almost that. I managed to decode it with cyberchef and the password is ugly but readable.

2 Likes

Got root. Root was simpler than I made it out to be lol

2 Likes

Just root!
I love hex !:slight_smile:

1 Like

Can someone give me an hint for user? I’m stuck at www-data , tried finding hidden .* files. But nothing.

The arena is closing soon :frowning: .

Same here

Have you noticed the 777 symlink? I deleted it by mistake.

If anyone wants to team up for this one, send me your Matrix.org identity (I don’t use discord)

1 Like

Hum. Nice box!

However, I don’t agree with the classification as medium and this is more and more often the case nowadays… Why not rating this box as “hard”; it is a hard box after all (and I’ve done ~200 of those on this platform ^^)

Here are some hints:

  • Foothold: basic enumeration, follow what you found on http, build on that and you’ll get a shell within an hour
  • Lateral: check for usual places, what you are looking for should be in your enumeration notes routine. You’ll get a shell within another hour or so
  • Root: this part is hard; the email you found earlier (linpeas flags it) put you on the correct path, but the road is pretty long

Have fun!

3 Likes

Hey I am stuck at www-data reverse shell

Any hint? to escalate the privilege

I do think this box was mislabeled on difficulty, I would’ve put it more on par with a hard box. However, it is still a good challenge.

Foothold
Enumerate the files you find within the webserver. A simple google search of the name should give the exploit.
User
Honestly, you can completely skip this and go to root if you know how to enumerate :wink: But the key lies in reading files you own. There’s more way to skin a cat, like with a string lol. Now decode it
Root
Did you enumerate the config files of the services running? Notice anything out of the norm, maybe investigate that file and follow the commands you reveal. Ghidra is the best tool for the last step to find the auth.

Feel free to DM for tips or hints :slight_smile:

5 Likes

got the reverse shell. need time to read the l*npe*s result

I’m trying to r…e with the dragon a…e m.d_r…r.* (also s.p m.d_r…r.s* into my box), but the dragon can’t r…e.
Can anybody DM me I’m stuck in the final part, I think I know what I need to do but I’ve encountered this issue. Thanks

Hi, can I please have a hint / more info on the reverse shell? I’ve been trying to spawn one from the box using PHP fsockopen as nc doesn’t look to be working?
Thnx

Are u using exploit from internet or do u use something of your own? Because in case you use exploit from net and you give it php command as parameter, try to embed php fsockopen directly in code and then execute exploit.

there is a htb matrix channel for us that dont like centralized/closed source stuff like discord #hackthebox:hispagatos.org you welcome to join is htb but mostly competitive ctf’s