Carrier

User wasn’t that difficult, same with initial shell. Looking for root now…

I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

Still no root - given how quickly people have been dropping user, the escalation must be a nightmare.

can confirm, is a headache. the environment is obvious and pretty cool, but personally I do not know anything when it comes to stuff like this. I think the same goes for a lot of people on HtB, hence the lack of root.

@opt1kz said:
I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

Thank you for this. I have been scratching my head for too many minutes.

@stonepresto said:
can confirm, is a headache. the environment is obvious and pretty cool, but personally I do not know anything when it comes to stuff like this. I think the same goes for a lot of people on HtB, hence the lack of root.

Pretty much this. After getting user and poking around/enumerating a bit, I have no idea where to even start. So many things to investigate and so many things that are probably rabbit holes…

@opt1kz said:
I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

Stuck at this point.

Edit: Got it

Remember that snowscan is a troll, many dead ends after user.txt

@opt1kz said:
I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

still at this point

EDIT: Got it :slight_smile:

struggling to even get user. any help would be appreciated :slight_smile: thanks

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

did you find the doc? it seems we need to get default user/pwd from the chasiss but enumerating with common tools and wordlists didn’t work out for me

@0xlc said:

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

did you find the doc? it seems we need to get default user/pwd from the chasiss but enumerating with common tools and wordlists didn’t work out for me

I have found a few documents yes, still not able to find any chassis that it refers to. i’ll pm you.

@taytay said:

@0xlc said:

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

did you find the doc? it seems we need to get default user/pwd from the chasiss but enumerating with common tools and wordlists didn’t work out for me

I have found a few documents yes, still not able to find any chassis that it refers to. i’ll pm you.

same boat

@ryz0rg said:

@taytay said:

@0xlc said:

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

did you find the doc? it seems we need to get default user/pwd from the chasiss but enumerating with common tools and wordlists didn’t work out for me

I have found a few documents yes, still not able to find any chassis that it refers to. i’ll pm you.

same boat

join the club lol

Documents is the key for getting user. Back to basics. Start from port scan again but not only tcp.

@beginner2010 said:
Documents is the key for getting user. Back to basics. Start from port scan again but not only tcp.

ye just found it thanks

For anyone stuck on the initial foothold - remember that TCP isn’t the only way to transmit data

For anyone stuck on the Priv Esc - i’m in the same boat as you…

I have no idea where to go after getting access to the admin console

i got rce but no shell yet, i can just ping myself from the box haha

Got user. Time for some root.