I did know how to do it, would you tell me ?

U r not alone with it.

Ah yea. Funny the mistakes made when doing things live and manually :-).. There's definitely some value in scripting out tools to do this stuff.

I highly doubt that was the intended route. If so, the box would have been rated Medium by HTB Staff due to the documentation around that API being so bad.

Hey. Its my box. I'm dmw0ng. There were multiple methods, but the intended was to use the api. I thought it would be easy knowing restarting the nscp service would kill it for everyone. I thought it would be a lesson to all not to just find an exploit and blindly follow.

@@danielmorris5302 Ah sorry - Had checked the author provided writeup after solving the box and there was no mention of api. Perhaps was an old version.

@@ippsec I submitted the doc with the method similar to what you described. However, after discussions with staff, it seemed it was not feasible, I then provided additional docs to highlight the preferred method. This box was a carbon copy of what I discovered somewhere during a pentest, I was the only person on the box, and therefore did not have the issues that you get when multiple people are on it. Thats why I submitted original documentation as I did. A shame, because it was as real life as I could get it because of the find. Unfortunately, a badly rated box, but, HTB always produce incredible boxes, so this one will soon be forgot. 🤭. Good job with your patience.

@@danielmorris5302 apart from the lil problems in the end man.. This is a very unique and great box.. I learnt a lot. Respect for sharing this box and knowledge with us all..

For real! Lol I'm not sure I've ever hear him laugh before

Because it has less chance to fail. New lines, quotes, spaces, etc can cause things to fail when passing commands through the command line. Encoding saves you from that headache

@@ippsec thanks but i mean the little endian encode iconv -t utf-16le before base64 encoding

@@robinhood3841 the different encoding is due to the different environment he is interfacing. He's passing data from a Linux system (which uses UTF8) to a Windows environment (Which uses UTF16)

Its just because however the webserver is accessing the file errors out on a directory; and the webserver puts 404 whenever there's an error

Because it was vulnerable to LFI, only files can be viewed not dirs !

@@ippsec thanks! i've been learning a lot from you though it's really hard for me to be qualified in hackthebox. you're one of my inspirations. more power to the channel!

@@dbeeeeee thanks! i should learn LFI

kzbin.info/www/bejne/bnytlpWsoslkfM0

It's not about being the best, it's about learning. There is so much to learn about computer sciences and hacking. If you get tired of HTB, search other interesting subjects like reversing or cryptography, they may interest you more because they look new. Also, try other pages. HTB gets boring sometimes. I recomend you cryptohack.org . Don't put too much pressure on you, do it for the thrill of learning what surrounds you.

@@TheHectorshark I understand. Thank you very much for the response! Will leave that here in case somebody has the same issue. You hit me with cryptography bcz I'm a crypto guy. Reversing? Not so much of my bread, but trying harder will work here for me. For popping boxes, well, leaving it for a while seems okay for now. Again, thank you!

With every box you go over you have more knowledge. More knowledge = more chance to do stuff individually. Before running learn to walk kind of thing. I started this in March from literally zero (0) Linux, Networking knowledge with the goal to get my OSCP. On every retired box I go over I take extensive notes and make sure I understand the point of why something is done. It's a very effective studying technique which I can suggest you to follow. Don't be discouraged and expect too much of yourself from the start. Just keep on grinding and it will come in time just as everything in life does.

Just adding this answer for anyone who's just starting like me , HTB is hard for a beginner i would suggest trying tryhackme.com as it walks you through everything and explains it , nonetheless ippsec is a great source for information and i recommend you watch every week's machine and try to do it like him or in a different way through reading the write-ups in HTB forums , Retired boxes are active for free users for 2 weeks after retiring

Ah you just need to buy my very expensive book and comes with a free certificate. Just practice more what. Replay old hackthebox.

Try harder

I gave up on Administrator flag. Defender cleans up the files too quick even if you know the commands. And I am using the VIP+ subscription so it is my own instance. Learned what I needed to know and moving on. Screw the flag lol

no it has a free version

not really, the vpn of hackthebox is made for that

I think he was trying to access over Firefox which gives random errors and can make it seem closed

@@ippsec Actually when I did this box it was a total mess. Port 8443 was only open internally.

@@buestrm2841 I had 8443 open, but couldn't access it with a browser, and a raw GET / command through nc on 8443 failed as well.

Well, execute payload is not always the solution. Maybe we can look at creating a new user with admin permission, disable the defender with command.

There's a way around that. Use the powershell Set-MpPreference command to disable active real time monitoring by the AV. This only works if you can execute commands as nt authority, which you can by using the nsclient++ vulnerability

and then u can run any exe without any issues. That's how I rooted the box

nc64.exe worked with me

@@Xx-nd1rs how this works, I don't understand

IppSec runs parrot in a vm. As for best option, it comes a lot down to preference. Using distros like Kali or Parrot are nice and easy to start as you've got basically any tool you want pre-installed, but you can use any distro you like as long as it has packages for the tools you want

try traceback, it was the first root on any active machine i got

it's not about the script but the IEX command that tries to make a connection to a remote server

@@xXThePr0Xx The question is how it knew it was malicious even with the IEX removed. It must have been one heck of an over protective anti-virus to assume that powershell doing a WebClient call was malicious o_O