HackTheBox Admirer Hints

USER HINTS

----------
1. fuzz, and fuzz, and again fuzz, sometime a letter in a word could make the difference
2. a bit of guesswork is mandatory. You do have clues, but most likely you're looking for the wrong tool. Especially if you've never heard about the correct one. Machine name is a massive spoiler to get back to the right path.
3. Difficulty of foothold depends on if you know a specific tool related to databases. The machine name is a big hint.
4. be a hound or r***e and you know what to do.
5. at this moment you can find a window, so google fu, to get into it just prepare your server and run.
6. Enum, brute force dirs like normal but for this add something more to your command that you haven't been including before and you will need to use something big.
7. I use ffuf for dir fuzzing, for this box you definitely want to look over all the options of '-h' and look for other ones that might be useful when brute forcing.
8. Difficulty of foothold depends on if you know a specific tool related to databases. The machine name is a big hint.
9. List, and look for the basics ... everything is just you have to look carefully ...
10. To own the user, you'll have to perform quite an interesting exploit. Once you found the right page, some googling will easily give you the correct info. The exploit needs some setup, but isn't all too complicated in the end.
11. This part was very cool! Google about the "thing" and setup your server correctly, if you did correctly the previous step you will know what to look for.
12. Read the file which you visited at the very beginning and that has the necessary thing, use that to get inside the machine
13. Really intresting, found a great article so it was not that tricky, but many steps.

ROOT HINTS
----------
1. use some privileged command to do what you want
2. is awesome. just awesome
3. Basic enum, then read the script carefully line by line.
4. Just do basic enumeration and think what do you do before you flash your mobile.
5. I never thought that we can do that at that level, this requiere a mod in your way.
6. New priv esc method for me. You know what you can do but if you haven't done this before you may need to do some research on snakes reading!
7. This took me longer than it should have, read the man pages for sudo and python and also pay attention to what permissions you're allowed.
8. OK so now you are finally on the box, if this is your first linux box checkout gtfo bins. Else, just do what you would normally do and you should eventually find the combination of steps. Also think about directories that admins always have access to when you realize what must be done. I really hope this is not a spoiler.
9. This caught me off guard, the method I did not know but it is simple and effective ... if you listed well, you will find an interesting file ... do not be afraid of SNAKE ...
10. Another nice exploit that you need to use here. There's something there that you can control, although it might not seem like it at first. You might be looking for user input to exploit and the way to exploit is quite similiar to that, but it's aimed at something you might not consider to be "user input". However, take a close look at the user privileges you have.
11. if you don't know the trick (like me) probably it will take a long time. Basically you have to make a script run something that seems identical to something else ^__^
12. Past is the answer to your problem.
13. I went really fast from user->root, but it is a really great privesc i have seen before.