Lightweight


Comments

  • edited March 2019

    got user2, got user1, but can't get root, anyone PM me and help?

    EDIT

    Thx for help

  • Awesome Priv esc method. Thank you for the box @0xEA31

  • Got Root Shell..Happy to help

    Hack The Box

  • Any hints on user?

  • Hi Everyone, I need some hints for TC*D*** Please DM me :)

    SiV4rPent3st

  • @SiV4rPent3st said:

    Hi Everyone, I need some hints for TC*D*** Please DM me :)

    not anymore :) got it :) thank you!

    SiV4rPent3st

  • Hi everybody,

    I am stuck on the lowpriv shell. Could someone PM me with hints to escalate to user?

    Thanks in advance

  • edited March 2019

    Spoiler Removed

  • Some HINTS:

    user1: forget hashes. forget cracking. forget {crypt}. Life is full of rabbit holes. listen inside the box to what LDAP wants to say. using tcpd*** is your friend. Be patient, the noise doesn't appear fast. While it listens, go take a drink with your friends. Saving the result in a pcap file makes it easier to read. BindRequest is the start of the authentication. Get focused on those packets....
    NOTE: ssh credentials are not the same as unix credentials...

    user2: ba****.*z is your friend. encrypted? password needed? use scripting such as https://gist.github.com/bcoles/421cc413d07cd9ba7855 and enjoy. After that read the content carefully.

    root: two binaries are present. o*****l is your friend. The other one... just another rabbit hole. Pay attention to capabilities and check if this binary has any relation with them. Do what you really want to do taking advantage of this binary. Is it possible to elevate privilege using that binary? Maybeeee....;)
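The user1 hint above is about LDAP simple binds: a BindRequest with the "simple" authentication choice carries the password as a plain OCTET STRING, so anyone who can sniff port 389 sees it. As an added example (not code from this thread or from the box), here is a small detector that scans a pcap for such binds and reports the bound DN and that a password crossed the wire, without printing it. The capture it scans is constructed inline with hypothetical addresses, DNs and passwords, so it runs offline; SASL binds are skipped because they carry no cleartext password. It only parses the first LDAPMessage in each TCP segment and does no stream reassembly; on a real capture, Wireshark or tshark handles that for you.

```python
"""Flag LDAP simple binds (cleartext passwords) in a pcap file.
Added example: the capture is constructed in code with hypothetical values."""
import socket
import struct

LDAP_PORT = 389

# ---- minimal BER/LDAP encoder, used only to build the sample capture ----
def ber(tag, content):
    """One BER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ber_int(v):
    return ber(0x02, bytes([v]))  # enough for 0..127, all this sample needs

def bind_request(msg_id, dn, auth):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, auth } }"""
    return ber(0x30, ber_int(msg_id) + ber(0x60, ber_int(3) + ber(0x04, dn.encode()) + auth))

def simple_auth(password):   # AuthenticationChoice.simple [0] OCTET STRING
    return ber(0x80, password.encode())

def sasl_auth(mechanism):    # AuthenticationChoice.sasl [3] { mechanism }
    return ber(0xA3, ber(0x04, mechanism.encode()))

def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed MACs and checksums (enough for a parser test)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def pcap(frames):
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out

# ---- detector ----
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind(payload):
    """(dn, auth_tag, credentials) if the first LDAPMessage is a BindRequest, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        _, _msg_id, p = read_tlv(body, 0)
        op_tag, op, _ = read_tlv(body, p)
        if op_tag != 0x60:               # not [APPLICATION 0] bindRequest
            return None
        _, _version, p = read_tlv(op, 0)
        _, dn, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        return dn.decode(errors="replace"), auth_tag, cred
    except (IndexError, ValueError):
        return None                      # truncated or non-BER data

def tcp_segments(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame."""
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, pos)
        frame, pos = pcap_bytes[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                     # IPv4 + TCP only
        t = 14 + (frame[14] & 0x0F) * 4  # start of TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        data_off = (frame[t + 12] >> 4) * 4
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, frame[t + data_off:])

def find_cleartext_binds(pcap_bytes):
    """Simple binds to port 389 expose the password; SASL binds do not and are skipped."""
    findings = []
    for src, dst, sport, dport, payload in tcp_segments(pcap_bytes):
        if dport != LDAP_PORT or not payload:
            continue
        parsed = parse_bind(payload)
        if parsed and parsed[1] == 0x80:
            dn, _, cred = parsed
            findings.append({"src": src, "dst": dst, "dn": dn, "password_len": len(cred)})
    return findings

# Constructed sample capture: one simple bind, one SASL bind, one unrelated HTTP segment.
SAMPLE_PCAP = pcap([
    tcp_frame("10.0.0.5", "10.0.0.10", 40000, 389,
              bind_request(1, "cn=svc-ldap,dc=example,dc=test", simple_auth("Constructed-Pa55"))),
    tcp_frame("10.0.0.6", "10.0.0.10", 40001, 389, bind_request(1, "", sasl_auth("GSSAPI"))),
    tcp_frame("10.0.0.7", "10.0.0.10", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for f in find_cleartext_binds(SAMPLE_PCAP):
        print(f"cleartext simple bind {f['src']} -> {f['dst']} as {f['dn']!r} "
              f"({f['password_len']}-byte password on the wire)")
```

Running it reports exactly one finding, the simple bind from 10.0.0.5; the GSSAPI bind and the HTTP segment are ignored. The fix on the server side is the usual one: require LDAPS or StartTLS and disallow simple binds over cleartext.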

  • @brianma said:

    Some HINTS:

    user1: forget hashes. forget cracking. forget {crypt}. Life is full of rabbit holes. listen inside the box to what LDAP wants to say. using tcpd*** is your friend. Be patient, the noise doesn't appear fast. While it listens, go take a drink with your friends. Saving the result in a pcap file makes it easier to read. BindRequest is the start of the authentication. Get focused on those packets....
    NOTE: ssh credentials are not the same as unix credentials...

    user2: ba****.*z is your friend. encrypted? password needed? use scripting such as https://gist.github.com/bcoles/421cc413d07cd9ba7855 and enjoy. After that read the content carefully.

    root: two binaries are present. o*****l is your friend. The other one... just another rabbit hole. Pay attention to capabilities and check if this binary has any relation with them. Do what you really want to do taking advantage of this binary. Is it possible to elevate privilege using that binary? Maybeeee....;)

    Thanks for all the tips, but.... my tcpdump inside the server doesn't reveal any noise, even after hours.
    Tried -i ens33 & lo, dst port 389 and dst 10.10.10.119.. nothing comes to me, except when I generate traffic with nmap, jxplorer or ldapsearch requests.

    Can you PM me please to point out my errors?
    Thanks in advance

  • @Amen0 said:

    @brianma said:

    Some HINTS:

    user1: forget hashes. forget cracking. forget {crypt}. Life is full of rabbit holes. listen inside the box to what LDAP wants to say. using tcpd*** is your friend. Be patient, the noise doesn't appear fast. While it listens, go take a drink with your friends. Saving the result in a pcap file makes it easier to read. BindRequest is the start of the authentication. Get focused on those packets....
    NOTE: ssh credentials are not the same as unix credentials...

    user2: ba****.*z is your friend. encrypted? password needed? use scripting such as https://gist.github.com/bcoles/421cc413d07cd9ba7855 and enjoy. After that read the content carefully.

    root: two binaries are present. o*****l is your friend. The other one... just another rabbit hole. Pay attention to capabilities and check if this binary has any relation with them. Do what you really want to do taking advantage of this binary. Is it possible to elevate privilege using that binary? Maybeeee....;)

    Thanks for all the tips, but.... my tcpdump inside the server doesn't reveal any noise, even after hours.
    Tried -i ens33 & lo, dst port 389 and dst 10.10.10.119.. nothing comes to me, except when I generate traffic with nmap, jxplorer or ldapsearch requests.

    Can you PM me please to point out my errors?
    Thanks in advance

    Most of the options you wrote are not needed. Maybe you should write it to a file, it's easier to see the traffic. That worked for me.

    v1ew-s0urce.flv

  • Ok, thanks, will try.

  • So got user with some help! If your T*****P isn't working maybe think about outputting it to a file for a more readable format. Worked wonders for me when I'd been stuck for a long long time.

  • edited March 2019

    ATM, t****** won't write to a pcap file from my logged-in directory. It says that the file doesn't exist. Any ideas please?

    EDIT 1 : Logging out and back in worked. Lucky I didn't do a shotgun reset

  • Rooted, good machine, I learnt a lot: LDAP, Linux capabilities.
    If you need help feel free to PM me.

    And I need help: how could some people get a root shell?
    bing0o

    No Hack No Life ✌😒

  • edited March 2019

    I connected through ssh, ran tc****p and exported it to a pcap file, waited over 2 hours, did it 9 times (9 different pcap files) but in all of them for user1 and 2 I only got the crypt values, the only simple was for ROOT but with no data, am I missing something?

    Edit: Nr10 pcap did the job!
    On to root, o*****l is a nightmare! Any hints are welcome!!
    Edit2: rooted! Thanks @brianma for your help!

    User flag took about 1.5h of fiddling and reading about the software in use. Based on the posts here some people have listened to the traffic some other guy initiated and therefore gave advice that's gonna be a loooooong wait if there's no one else doing the box.

    If you can't find anything by listening harder think of a place where you might have witnessed a weird delay with no clear explanation.

    The climb towards root took me about 5h and I probably wouldn't have figured it out in any reasonable time without the hints in this thread. They're a useful resource when you hit a blank and can't even figure out anything to google or learn that would help you.

    So thanks everybody for the hints without outright spoiling the machine and thanks to the maker of this challenge. You guys "force" me to learn new stuff all the time : )

  • I'm trying to unzip the b****.*z file but my wordlist doesn't seem to work, any help?

  • @thewildspirit said:

    I'm trying to unzip the b****.*z file but my wordlist doesn't seem to work, any help?

    Rockyou.txt gets there eventually

  • Can I PM someone for a nudge ?

  • edited March 2019

    @Sevuhl said:
    Can I PM someone for a nudge ?

    Go ahead.

    v1ew-s0urce.flv

  • Hi, do I have to crack the hashed password?

  • @evilcall said:

    Hi, do I have to crack the hashed password?

    Not at all.

  • edited March 2019

    I am stuck on it! I need some suggestions... PM please

    Rooted!

  • Hi guys... someone can give me an explanation about the root step and why it works ?

  • @evilcall said:

    Hi guys... someone can give me an explanation about the root step and why it works ?

    mhhh if you got the flag you should know why it works. Anyway, (un)fortunately this discussion gives away too many hints and spoilers after three and a half months. Just read it and you should have enough information to find the answer.

    0xEA31

  • @0xEA31 Thank you for teaching me a few new things. It took a while to free my mind, but it was definitely an interesting box.

    Hack The Box
    OSCP

  • Same, I've been staring at the screen for 2 days now trying to figure this out.... when I did I could have slapped myself.

  • anyone managed a full shell on this box?

  • @Ripc0rd said:

    anyone managed a full shell on this box?

    For those managing to get root.txt but not root shell, if you found the same article I found, you just need to read the rest of the article. It doesn't take 44 days.

    Hack The Box
    OSCP
