Hint:
For rooting, I checked running processes and I need to ssh the box (without password) to get reverseshell
Type your comment> @dalemazza said:
Type your comment> @in3vitab13 said:
How are people getting ideas of OSINT? i see it nowhere in the page source!
and also the author has collection of web-shells? but how do i use this info?
and also how do i use OSINT to proceed further?The author has a collection of webshells. These are .PHP. you are attacking port 80. Maybe you can check for webshells already installed?
They are gone now as of the submission of this comment. Finally once i got an idea of how to approach after the OSINT, it’s gone.
Not sure what’s going on but that’s not cute, man lol. People need to stop ruining the fun.
@0xFFensvDfndr said:
They are gone now as of the submission of this comment. Finally once i got an idea of how to approach after the OSINT, it’s gone.
No - just checked, its there.
Type your comment> @TazWake said:
@0xFFensvDfndr said:
They are gone now as of the submission of this comment. Finally once i got an idea of how to approach after the OSINT, it’s gone.
No - just checked, its there.
So apparently what i saw before was other peoples garbage and when I enummed again, I changed my query and boom… some dirs
Someone deleted the index? I can see s*****k.php just by browsing to the IP
now the lua script isn’t there anymore… I would restore it if I just remembered the line correctly
I found the user.txt file but on submitting it’s showing incorrect flag
@cosmicWind said:
I found the user.txt file but on submitting it’s showing incorrect flag
It could be one of many things.
It could be that the box has recently rebooted and the flag you found isn’t yet in the system. It could be that the box rebooted between you finding the flag and pasting it in.
It could just be a fault in the API for the flags and should be reported via Jira (https://hackthebox.atlassian.net/servicedesk/customer/portal/1)
Finally rooted! very interesting things happened while I was trying it. Learned a lot, thanks to the creator!
Hello! I’m stuck on traceback machine, i got the user but i dont know what i have to do to root it. Somebody could help me? 
Type your comment> @0xFFensvDfndr said:
Type your comment> @dalemazza said:
(Quote)
They are gone now as of the submission of this comment. Finally once i got an idea of how to approach after the OSINT, it’s gone.Not sure what’s going on but that’s not cute, man lol. People need to stop ruining the fun.
A bit dramatic ? glad you got it to work eventually!
Can anyone give me a clue on these processes?
Edit: So I got the root flag but I’m not sure if this was the correct way to do this…no root shell, just read the flag…
Are the 403’s normal in the busted directories? Trying to use belch to bypass if there is a w*f.
Rooted. It was not really difficult but I learnt few things during the process.
Initial foothold: standard dictionaries will not work, visit that web shells website and try.
User: check permissions you have and google that program.
Root: use an automatic privesc tool to find that process or monitor processes. Then google it and modify a file with your payload. Then when you log in, your payload will be executed.
You can PM me for nudges.
Type your comment> @captain said:
Can anyone give me a clue on these processes?
Edit: So I got the root flag but I’m not sure if this was the correct way to do this…no root shell, just read the flag…
You can also get a reverse shell if you want.
Got user and root flag. The nudges and hints in the forum should get you there, but pm if I can help.
Rooted. I was making things way harder for myself by not paying attention to my commands as well as the responses the machine was telling me.
Thanks to @TazWake and @Gverre for standing in as my rubber duckies.
Hi guys, i was wondering… I got the user and the root. But the Flag (submit flag) is wrong. I thought I had to paste the hash from the root as flag? Or am I missing something?
@eMVee said:
Hi guys, i was wondering… I got the user and the root. But the Flag (submit flag) is wrong. I thought I had to paste the hash from the root as flag? Or am I missing something?
Cross-quoting @TazWake from another thread:
@Hashut said:
Is this a problem with the flag submitting system?
I think Multimaster uses a dynamic flag - and it was one of the first to do so. The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.
If you are having problems, it’s definitely worth raising a Jira ticket https://hackthebox.atlassian.net/servicedesk/customer/portal/1
I think the biggest issue is on boxes where you have to do several steps to get root - resetting and retrying may well become tedious. However, on this box it should be ok as you can log in & exploit fairly quickly.
AFAIK, all machines use dynamic flags, by now.
Type your comment> @HomeSen said:
@eMVee said:
Hi guys, i was wondering… I got the user and the root. But the Flag (submit flag) is wrong. I thought I had to paste the hash from the root as flag? Or am I missing something?
Cross-quoting @TazWake from another thread:
@Hashut said:
Is this a problem with the flag submitting system?
I think Multimaster uses a dynamic flag - and it was one of the first to do so. The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.
If you are having problems, it’s definitely worth raising a Jira ticket https://hackthebox.atlassian.net/servicedesk/customer/portal/1
I think the biggest issue is on boxes where you have to do several steps to get root - resetting and retrying may well become tedious. However, on this box it should be ok as you can log in & exploit fairly quickly.
AFAIK, all machines use dynamic flags, by now.
Okay, the root is still the flag to submit to own the system? If so I can do it again…
So the machine was rebooted a few seconds after I had the flag… ?
Yes, you need to submit the content of the root.txt (or user.txt, depending on where you are).
Try resetting the machine, and wait a few minutes before retrieving the (hopefully new) root.txt file.