Poison

I got it. I was using the wrong password for the zip file. My hint is KISS and use what you found before.

For anyone still struggling feel free to PM me

Hi all, very newbie question here: this is my first machine…be patient.
What should I do with root.txt file once I get it to prove I’ve hacked the machine?
Thanks in advance.

@luckystarr90 said:
Hi all, very newbie question here: this is my first machine…be patient.
What should I do with root.txt file once I get it to prove I’ve hacked the machine?
Thanks in advance.

Go to https://www.hackthebox.eu/home/machines/profile/132 and paste its contents under OWN ROOT

@tomvv said:
Man this box. I got root after a few hours trying different things. Overthinking things can be a bitch sometimes.

Can you help please, I am stuck with overthinking I guess, can’t get what to do with the zip

@impetuousdanny said:
For anyone still struggling feel free to PM me

Hi I DM you for help in privesc :astonished:

@impetuousdanny said:
For anyone still struggling feel free to PM me

Thanks for the steer… finally rooted. + respect

My Tips for this after having rooted it today: (Some might think this is too SPOILERY)

Getting user is a joke, you shouldn’t need help with this, if you get stuck think about how you had to hack your API key and apply that.

After the user owning, the fun part starts.

This box is not about thinking outside the box, it’s about thinking about this person and how they use the box. If we start enumerating the box we find several interesting things. Maybe there is a service of note. Many of you have found this service but have found yourself not able to utilize it. Think about how the person who owns the box would utilize it? Maybe there are guides online that he followed to secure it the way it’s secured? I bet if you did some googles from the perspective of the user of the box trying to set it up you would figure it out really fast.

After you figure this out, the rest absolutely becomes clear, any further questions after this moment can again be answered by pretending you are the user and how he would use the box.

@NanoByte said:
My Tips for this after having rooted it today: (Some might think this is too SPOILERY)

Getting user is a joke, you shouldn’t need help with this, if you get stuck think about how you had to hack your API key and apply that.

After the user owning, the fun part starts.

This box is not about thinking outside the box, it’s about thinking about this person and how they use the box. If we start enumerating the box we find several interesting things. Maybe there is a service of note. Many of you have found this service but have found yourself not able to utilize it. Think about how the person who owns the box would utilize it? Maybe there are guides online that he followed to secure it the way it’s secured? I bet if you did some googles from the perspective of the user of the box trying to set it up you would figure it out really fast.

After you figure this out, the rest absolutely becomes clear, any further questions after this moment can again be answered by pretending you are the user and how he would use the box.

Thank you for your hint!!!
“This box is not about thinking outside the box, it’s about thinking about this person and how they use the box” is the key

I think I have found a way to get privesc, could I PM someone to know if I’m on the right track?

Need help getting shell!!! Message me please! Tried a lot of stuff so far and need some more direction

@JOk3Rxvi said:
Need help getting shell!!! Message me please! Tried a lot of stuff so far and need some more direction

just take it easy and enumerate :slight_smile:

Can someone PM me the best way to crack the .zip as far as the wordlist goes? Rockyou does not seem to work properly and the default is taking way too long.

If you want the long way, you can copy the zip file to your PC and use fcrackzip for brute force, but the password is not small. Another way, try to make something simple

Hi guys, I opened the zip file. Can someone give me a hint for the next step in MP pls

@dshulman said:
If you want the long way, you can copy the zip file to your PC and use fcrackzip for brute force, but the password is not small. Another way, try to make something simple

The password for the zip does not need to be brute forced. Think bad password policy

I was able to unzip the file, but not sure what to do with it to get escalation. I tried a few things, but get Authenticated failed. Can someone PM me to get a nudge in the right direction?

Despite what I try for the obvious vuln, it’s not accepting my commands. Further enumeration leads to another file which seems to be an easy win for another service running on the machine, however I’m getting “invalid format” upon trying to use it. I’ve changed the perms and added the appropriate header and footer. PM if you can help

I got the zip file but I have an authentication failed?! Any hint?

Struggling with PrivEsc myself. I’ve run stuff like LinEnum and tried a few things but I don’t understand Linux enough yet. Would appreciate if someone could help me out a little without giving me the answer directly.
I was determined to crack it on my own but there comes a point where you have to accept help.