Official Writer Discussion

Is it normal to have this in the hosts file?

127.0.1.1 writer

I think that might have been the hardest box I’ve done on HTB; I’m kinda quite glad it’s over. I would not have classed this as medium at all, good fun all the same, and I learned a great deal from it. Best tip was the “don’t fall into the rabbit hole”; I wasted an entire evening on the bit in the middle. My best tip, if it helps anyone, is really really watch out for your quotes and double/triple check paths and things; it’s quite a delicate and convoluted foothold, although the privesc is reasonably straightforward with a bit of google-fu (well, I needed to google anyway lol)

@jsarmz said:

@JulianoPL said:

Once you do, you’ll notice a flaw (any system call could be explored, right?!) and then play with the payload to be used (again, use the code in your host and play with it… set some debugs for you if needed) and you should be able to ingest a payload to call you back on a reverse shell…

Thanks a lot to the creator of the host… this was really interesting…

Ping me if you need any nudges :smile:

I don’t think you got foothold the intended way :slight_smile:

wow, this post fucked me up, since I assumed that was some crazy unintended path I wouldn’t be able to figure out, I spent forever down an SMB rabbit hole trying to find a different way

heh, thanks for teaching me a valuable lesson :stuck_out_tongue:

Foothold took me a while but finally got it working thanks to @JulianoPL @tuxvador and @sharkmoos for the sanity check.

Like others have said, priv esc and root aren’t too bad. Feel free to PM for help, but let me know what you’ve already tried!

Writer.htb

This box was tough for me, but I finally got it. Here’s a couple of tips for the parts I struggled on.

Foothold:

There are two ways to get RCE. The first way requires technical know-how and understanding the code, as well as some clever c***** i******** techniques. This is how I got in.

The second way requires some faith and guesswork with S** and d*****. If you’re familiar with this kind of app, you’ll know where to put your payload.

Lateral Movement:

Look at your groups, look at open ports, see what you can edit. Don’t use send****; do it manually with telnet.

PM for nudges or join HTB discord channel

It took me a couple of days to root this one. Shout-out to @cmoon for helping me get root figured out, as I was struggling with making the server run my file properly.

Foothold: In my opinion, it’s the hardest part of the entire box. Remember: that buster is your friend and it is going to open administrative ways for you to get in. After that, you can try some OWASP Top 10 vulnerabilities to both read files and also log into the application. Someone gave a pretty good tip here on ap**he available s**es, look it up. After that, just follow the paths, read the files, and see what you can do with that interesting script.

User1: you’re gonna have to use Mr. John or his Cat after you’ve met with Mr. Djan**. Just do some good old enumeration.

User2: reading and understanding the disclaimer is all you need to get this. Oh, after having a shell, you can also get his keys.

Root: it is actually pretty easy, but the box can be a bit weird sometimes. Check what task is constantly running on the box. After that, you can try creating several files and keeping them there by looping it, and the service will eventually trigger one of them.

Got user #1 after 2 full afternoons!
Onto user #2 now, apparently!

Edit: rooted!

Maybe one of my favorite boxes on HTB; thx for the ride!!!
Lateral is pretty hard to get and privesc is straightforward.

PM if stuck, but previous tips are fully valid; just good enumeration and only OWASP Top 10 for foothold :wink:

Awesome box. I really enjoyed this one & learned a few things.
Thanks

root@writer:~# hostname && whoami && id
writer
root
uid=0(root) gid=0(root) groups=0(root)

Can anyone help me with the foothold…? Don’t know if I’m in a rabbit hole right now…

First medium box and it was a challenge for me!!

# hostname && id
writer
uid=0(root) gid=0(root) groups=0(root)
# 

Thanks @T0K10 for the help!

Whew, finally rooted. That was a tough one for me, there were so many possibilities to check for foothold. Priv Esc to the first user was more me looking in the wrong places. Priv Esc to root was the easiest part. Thanks a lot for the machine, I learned a lot!

Tried some magic from the Magic machine, did not work. Any good reading/website/keyword for research purposes?

Finally done the user; it takes more enumeration. My payload does not work, so I changed the approach. Feel free to reach me if you want some hints about the user flag.

Finally rooted. @JulianoPL’s hints helped a lot. Need to take some time to study why some steps do not work. Feel free to reach out if you want some guidance.

Hey, I got a hash of admin through SQL but don’t know how to get to kyle.

I have a reverse shell, I found the d* creds but m*** won’t connect. It just hangs there and does nothing. Wrong creds give an error, so I am not sure if it is the machine’s problem or I have to look for something else. Nvm: Wrote a script to do it. Guess problems with tty…

I really need some help, guys. Found the **i**t**.p* script but I don’t know exactly what to do here. I don’t know if the exploit has to do with *s.s****m or with *s.p**h functions, or how I should approach this… I would really appreciate some help. EDIT: Finally got foothold, it was a thing I did not know with the function that downloads… Thanks @R3s7D0ne for pointing me in the right direction!

Pretty hard box for me, but finally managed to get root. Made me remember some things and also learn. A few hours ago a few of us were struggling to get root at the same time; sadly couldn’t solve it back then. If anybody needs help with this box, feel free to message me.

What a nice box it was! It took me some days but eventually I rooted thanks also to the hidden hints in the forum.

Foothold: Enumeration + the most common OWASP Top 10 issues will lead you to a new place. The enumeration step is critical to understand what you have in front of you, and a mild static analysis of the code will point you in the right direction. This part was quite tricky. Once in, remember to feed the cat!

User#1: enumerate all services and pay attention to a well-known port; I also suggest using pspy. Once you join all the dots you can do lateral movement to User2.

Root: from User2’s POV the final steps are quite easy if you are careful in analyzing what you have (again, I suggest pspy64). There’s a well-written article that explains how to take advantage of the situation.

Thanks for the box!

Rooted just now, nice box. A hint: for me the payload in the article didn’t work; try a different one if it is the same for you.

@s0n0fMrN0b0dy said:
> I have a reverse shell, I found the d* creds but m*** won’t connect. It just hangs there and does nothing. Wrong creds give an error, so I am not sure if it is the machine’s problem or I have to look for something else.
>
> Nvm: Wrote a script to do it. Guess problems with tty…

This is exactly the same problem I’m having: my payload works and I get a RS going as writer, but when I actually try to connect to the db with the creds listed it just hangs and won’t move forward. Would you mind sharing what the script did that you didn’t? Really confused here

@realslimsudo said:
> @s0n0fMrN0b0dy said:
> > I have a reverse shell, I found the d* creds but m*** won’t connect. It just hangs there and does nothing. Wrong creds give an error, so I am not sure if it is the machine’s problem or I have to look for something else.
> >
> > Nvm: Wrote a script to do it. Guess problems with tty…
>
> This is exactly the same problem I’m having: my payload works and I get a RS going as writer, but when I actually try to connect to the db with the creds listed it just hangs and won’t move forward. Would you mind sharing what the script did that you didn’t? Really confused here

Try to upgrade the shell to have a proper tty shell.

@alemusix said:
> @realslimsudo said:
> > @s0n0fMrN0b0dy said:
> > > I have a reverse shell, I found the d* creds but m*** won’t connect. It just hangs there and does nothing. Wrong creds give an error, so I am not sure if it is the machine’s problem or I have to look for something else.
> > >
> > > Nvm: Wrote a script to do it. Guess problems with tty…
> >
> > This is exactly the same problem I’m having: my payload works and I get a RS going as writer, but when I actually try to connect to the db with the creds listed it just hangs and won’t move forward. Would you mind sharing what the script did that you didn’t? Really confused here
>
> Try to upgrade the shell to have a proper tty shell.

Ah I see, thank you for the tip.