I rooted this yesterday after several hours. I have no idea if I did this the intended way. I leveraged the command found in b*****.**p after searching through documentation for hours. Anyone who has rooted it also mind sharing with me how they did it? From what Iām reading here, I donāt think the approach I took to get there is what others did.
Edit: Yea, I definitely didnāt do this box the way that most people are, I overthought it. Still got root though, so ?āāļø. If you want to solve it the way that I did, when looking at the command you can run, read into all the different type of targets you can be saving to, and then explore whether any of those options have a way to manipulate what gets run.
Hit me up on HTB Discord if you want, @agreenbhm#8525
Finally rooted, User part quite easy, but the root was just frustrating, This is the first hard box from me, took time from me to finish it, but I tried to do it by myself as much as possible.
root@bolt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@bolt:~#
ROOTED !!!
Great box, learnt a lot !
Everyone writing enumeration is the key is absolutely right, after fetching d****r files, getting the user is all about your enumeration skills.
@drdsol92 said:
Currently stuck at bt user. From the hints provided here, I think Iām supposed to su to w-d*** and exploit r***c somehow? Iāve even gone through the php files but still canāt find anything useful. Would appreciate it if someone could give me a nudge in the right direction ><
You have to find a way to become w**-d**** and get your way with r****c to BACKUP all the essential files
i am stuck on second user. i cracked hash, logged in web app but uploading shell doesnt work. when i want change extension, it shows 404 not found. any help?
User! thanks to my mentor, he knows who he isā¦im finding this box frustrating but not difficult, im not familiar with d****r so i had to read the docs and read the docs and read the docs, that and enumeration is all youāll need to get to user, its that simpleā¦ Now on to root gl -all
As for root, I gave up to make outbound connection to my local machine. Everything was done in this machine besides cracking creds.
For the final touch, I didnāt know r***-s***** is portable.