Carrier


Comments

  • > @23Y4D said:
    > @Underworld said:
    > I got user. And I got a private key. However when I try to ssh in, it asks me for a password. I assume the key has a password on it as well?
    >
    > Dumb question - BUT I'M LEARNING :bleep_bloop:
    >
    > The private key you have is not exactly in the Carrier IP.
    > Check ifconfig on the machine..

    Thanks!

    Hack The Box

  • Finally got user, root seems to be pretty hard.
    PM me if you need hints for user though.


  • Can someone PM on root? I can see the other things connected to the thing I'm on. Not knowledgeable enough on b*p to see the attack vector.

  • @badman89 same here... waiting for the answer on root
  • @sakyb I've been looking at this bastard for a while now

  • edited September 2018

    @sakyb said:
    @badman89 same here... waiting for the answer on root

    Stuck at the same place.

    EDIT: Just reading back through the thread, must have missed the private key.
    EDIT2: Can't find them

    jamesa

  • edited September 2018

    Is it possible to connect to this box via ssh without the need to change any config files? I've found keys in the usual location but they don't work. It's a real pain in the ass having to RCE again and again after each reset. Also limited shell from RCE is painful.

  • @msolnicki said:
    Is it possible to connect to this box via ssh without the need to change any config files? I've found keys in the usual location but they don't work. It's a real pain in the ass having to RCE again and again after each reset. Also limited shell from RCE is painful.

    Which keys did you find? Those in authorized keys? They are public, of course they are not gonna work.


  • Which keys did you find? Those in authorized keys? They are public, of course they are not gonna work.

    Obviously I didn't mean pub key from authorized_keys. I've found private keys but it seems they are password protected.

  • > @msolnicki said:
    > Is it possible to connect to this box via ssh without the need to change any config files? I've found keys in the usual location but they don't work. It's a real pain in the ass having to RCE again and again after each reset. Also limited shell from RCE is painful.

    Agreed, I was trying to find a way so I didn't have to go through the first step if someone reset during the day


  • edited September 2018

    @Underworld said:
    Agreed, I was trying to find a way so I didn't have to go through the first step if someone reset during the day

    If someone resets the box, you're going to have to go through the first step again no matter what, aren't you? Or am I misunderstanding what you guys are saying?

    Also the SSH thing is completely unnecessary overkill. Just have it download a statically-linked ncat/socat/whatever from your machine and then use it to connect back to your listener. This can all be done in literally one line/request.

    Spoiler Removed - Arrexel

    opt1kz
    https://i.imgur.com/4jXzPqJ.png
    404 Friend Not Found

  • @opt1kz said:
    If someone resets the box, you're going to have to go through the first step again no matter what, aren't you? Or am I misunderstanding what you guys are saying?

    Well, no, if there was a pre-configured ssh access to the box, one could just use it instead of going through all those steps you described. Any binary you'll upload will be gone with the reset, so ssh access doesn't really seem like an overkill.

  • @msolnicki said:

    @opt1kz said:
    If someone resets the box, you're going to have to go through the first step again no matter what, aren't you? Or am I misunderstanding what you guys are saying?

    Well, no, if there was a pre-configured ssh access to the box, one could just use it instead of going through all those steps you described. Any binary you'll upload will be gone with the reset, so ssh access doesn't really seem like an overkill.

    Agreed


  • > @msolnicki said:
    > @opt1kz said:
    > If someone resets the box, you're going to have to go through the first step again no matter what, aren't you? Or am I misunderstanding what you guys are saying?
    >
    > Well, no, if there was a pre-configured ssh access to the box, one could just use it instead of going through all those steps you described. Any binary you'll upload will be gone with the reset, so ssh access doesn't really seem like an overkill.

    Have a wget from your machine in your rce, that's how I've been running it all day

    jamesa

  • @msolnicki said:
    Well, no, if there was a pre-configured ssh access to the box, one could just use it instead of going through all those steps you described. Any binary you'll upload will be gone with the reset, so ssh access doesn't really seem like an overkill.

    I'd disagree, I had a python script that authenticates on the service and initiates a reverse shell via the intended way in, much faster and quicker. Reconfiguring SSH is a much longer process.

    One liner that downloads a shell file and executes it is much faster and cleaner.

  • OK thx guys, I forgot I can make my one liner more complicated and use a curl or whatever to inject it. Still, a full ssh shell would be nice. Socat has its limitations, not to mention nc.

  • @Kykli said:

    @0xlc said:

    @Kykli said:
    Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly...

    try a different rev shell ;)

    Have tried so many ways already and nothing is working :astonished:

    Yes, I was in the same situation. I did reset the machine a couple of times and tried my same RCE one-line codes and boom, reverse shell!! I was sure I tried that before but it didn't work. So be sure that no one is working on the machine or no one has already got a shell from your zone machine. You know, you can check that with the page in front of you... ;)

    working on confusing root...

    Wainright

  • For people who are struggling, it's possible to obtain a full reverse shell with a normal one-line command, you don't need to upload an msfvenom shell or anything like that (although that may work as well).

    --Skunkfoot

  • Someone's hammering the box tonight - can't even connect to it :\


  • @msolnicki said:

    Which keys did you find? Those in authorized keys? They are public, of course they are not gonna work.

    Obviously I didn't mean pub key from authorized_keys. I've found private keys but it seems they are password protected.

    The private key doesn't seem password protected to me. If it were, the prompt would ask for the key passphrase - not password.

    The password prompt appears because the private key you found is not valid to be used on the server and your login attempt falls through to regular password-based authentication.

  • @Skunkfoot said:
    For people who are struggling, it's possible to obtain a full reverse shell with a normal one-line command, you don't need to upload an msfvenom shell or anything like that (although that may work as well).

    I struggled with this until I realized I had a typo in how I was injecting my one-line command.

  • @petelska said:

    The private key doesn't seem password protected to me. If it were, the prompt would ask for the key passphrase - not password.

    The password prompt appears because the private key you found is not valid to be used on the server and your login attempt falls through to regular password-based authentication.

    You are probably right. Although I tried adding pub cert from this location to authorized_keys, and then using priv key pair to login - in theory this should work but it didn't. That is why I assumed they are password protected. Anyway I'm going back to the drawing board with my RCE one-liner as other people suggested.

  • Guys can anyone guide me on this machine....kinda new to this..

  • Probably not a good box if you are new to this kind of thing, especially the priv esc - which was very clever and completely kicked my ass. Great box @snowscan thanks for creating.

    delosucks

  • May I ask for help with technical details? I think I know what to do, just missing the IT competence. PM me :)

    WillIWas

  • I have logged in, I think that I found what I should attack, it's the c***k parameter, but I don't know how to proceed. Can someone PM me? Thanks

  • edited September 2018

    I found port 1*1
    I enumerated it
    I couldn't detect anything
    help

  • I really am stuck at where I think I have to h****k $target using "a particular method" (don't want to spoiler here) but I can't figure out how to actually do that. I read tons of stuff about $method, but it all seems to be just pretty vague - basically everyone is just saying "yeah if $rogue does 'something' then you h******d $target" but if I do exactly that, then traffic to $target is no longer working. Would be nice if anyone could hook me up with some practical examples of how to do it so that $target stays available but I get to see "the good stuff".


  • @darkkilla said:
    I really am stuck at where I think I have to h****k $target using "a particular method" (don't want to spoiler here) but I can't figure out how to actually do that. I read tons of stuff about $method, but it all seems to be just pretty vague - basically everyone is just saying "yeah if $rogue does 'something' then you h******d $target" but if I do exactly that, then traffic to $target is no longer working. Would be nice if anyone could hook me up with some practical examples of how to do it so that $target stays available but I get to see "the good stuff".

    Amazing post! I'm exactly on the same exact point as you. And I don't have a full knowledge of $method commands/actions in order to see good stuff keeping traffic to $target.

  • anyone can help
