I feel like I am really being tested now. The current machine on HTB that I am working on gave up the user flag in a way that was fun and taught me a few things. The root flag, however, is trying my patience.
For the user flag, I found out about a neat little browser add-on that helps to show information about the website that you are viewing. The add-on, Wappalyzer, was able to show me the CMS that was running the site that I was attempting to break into. Once I knew the CMS type and version, it was simple to find a working exploit that allowed me access to a username and password. It was at this point that I banged my head against the wall for a bit trying to make things work. Once I had the creds, I figured that I must need to log into the CMS console in order to run another authorized exploit that I had found for the service. It turns out that, after thinking about it for an hour, it was much simpler than that. New lesson: when you get creds, try them on all of your enumerated services, like SSH for example.
The root flag is still out there for me to get. I think that I’m on the right track, but finding writable files that can help me privesc has been difficult. I’ve stepped away from it for a bit, so hopefully something will pop soon.
VulnHub Rooted: 3
HTB Rooted: 1.5
HTB Challenges: 5