Lightweight


Comments

  • I'm stuck on the last step for privesc.

    I think I know what binary to use from the last user to get access to the flag, but I've been staring at man pages and playing with the program for the past hour or two and can't get anything other than 'permission denied' errors for the file I want access to.

  • can anyone explain to me why jxplorer is so ludicrously slow, while shelldap is lightning quick? I feel like part of it is that jxplorer is a gui, but that just can't make that big of a difference.

  • edited February 2019

    Can anyone help? I've been stuck on this for days now, trying to get user. I have run t*****p while querying a million different things, have found the hashes, but nothing more than the output of the actual query. I've read the entire RFC and the documentation of all l*** and s*** commands. Any nudge would be appreciated, this is driving me mad.

  • Rooted Successfully along with root shell. Got loads of hints from the comments
    Thanks @all :)

    OSCP

  • Rooted with good impression and experience.
    Followed CEH methodology and CTF techniques that I had already studied with previous machines. The last step will make you smile.

    Hint for root: Be brave! Go to root directly! Don’t care about permissions!

    tabacci

  • Finally rooted!

    What made this box hard (on free) were the trolls changing passwords and flags.

    Thanks to the people who verified my commands - that I wasn't insane! I kept at it and eventually got the right flags!

  • Rooted! A very interesting box. It had certainly some similarities with Active but I still learned a lot with this one!




  • edited February 2019

    Anyone got root shell?? I'm trying to decrypt shadows, PM for discussion :)
    EDIT: nvm, got it

  • got root...pm for hint...

  • Seriously. The way to get the root flag doesn't make any sense to me.

    Why is that thingy able to do what it can do? There is another of that thing on the box which is no different and it cannot do that thing. The path /seems/ to be relevant. But moving an identical thing from a different place seems to make it not work?

    If anyone is able to PM me and explain I will send you much respect!

  • I got root flag, but still having issues to get root shell. If someone could please PM me for some hint it will be appreciated.

    PP

  • Hello everyone! I am currently stuck on getting ldap****2. I have run multiple captures with tcp**** while attacking ldap with NSE and JX****** and have combed through all of the captured ldap packets. I can see ldap****2's hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap****2? Help me understand in depth please, I want to know what is going on, not just how to get ldap****2 thx! :P

  • edited February 2019

    @Dazed said:

    Hello everyone! I am currently stuck on getting ldap****2. I have run multiple captures with tcp**** while attacking ldap with NSE and JX****** and have combed through all of the captured ldap packets. I can see ldap****2's hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap****2? Help me understand in depth please, I want to know what is going on, not just how to get ldap****2 thx! :P

    If you have the right data, analyzing them on your device, you will find that the packet containing the ldap****2's hash, is carrying an LDAP message, the BindRequest, the start of the authentication process. You can learn more by reading this https://ldap.com/the-ldap-bind-operation/ or this https://ldapwiki.com/wiki/Bind Request
    And yes, if you have the right data, you're overlooking something simple!
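
    Added example, not part of any post in this thread: a minimal decoder for the BindRequest layout that the linked references describe (RFC 4511), showing that a simple bind over unencrypted LDAP carries the bind DN and the credential bytes exactly as the client sent them, and flagging such binds so they can be moved to LDAPS or StartTLS. The sample DN, secret and PDUs are constructed for illustration.

```python
# BER tags from RFC 4511: LDAPMessage SEQUENCE, BindRequest [APPLICATION 0],
# AuthenticationChoice simple [0] / sasl [3].
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, AUTH_SIMPLE, AUTH_SASL = 0x60, 0x80, 0xA3

def read_tlv(buf, pos):
    """Decode one BER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(pdu):
    """Return BindRequest fields, or None when the PDU is another operation."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    method = {AUTH_SIMPLE: "simple", AUTH_SASL: "sasl"}.get(auth_tag, "unknown")
    return {"message_id": int.from_bytes(msg_id, "big"), "version": version[0],
            "name": name.decode("utf-8"), "method": method, "credentials": auth}

def exposed_simple_binds(pdus):
    """DNs whose simple-bind credentials appeared in unencrypted PDUs."""
    binds = filter(None, map(parse_bind_request, pdus))
    return [b["name"] for b in binds if b["method"] == "simple" and b["credentials"]]

def tlv(tag, value):                       # short-form encoder for the sample
    return bytes([tag, len(value)]) + value

# Constructed sample traffic (not from the page): one simple bind, one other op.
SAMPLE_DN, SAMPLE_SECRET = "uid=demo,ou=People,dc=example,dc=com", b"constructed-secret"
SAMPLE_BIND = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(BIND_REQUEST,
    tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, SAMPLE_DN.encode())
    + tlv(AUTH_SIMPLE, SAMPLE_SECRET)))
SAMPLE_SEARCH = tlv(SEQUENCE, tlv(INTEGER, b"\x02") + tlv(0x63, b""))
```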

  • edited February 2019

    @D3v17 said:

    @Dazed said:

    Hello everyone! I am currently stuck on getting ldap****2. I have run multiple captures with tcp**** while attacking ldap with NSE and JX****** and have combed through all of the captured ldap packets. I can see ldap****2's hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap****2? Help me understand in depth please, I want to know what is going on, not just how to get ldap****2 thx! :P

    If you have the right data, analyzing them on your device, you will find that the packet containing the ldap****2's hash, is carrying an LDAP message, the BindRequest, the start of the authentication process. You can learn more by reading this https://ldap.com/the-ldap-bind-operation/ or this https://ldapwiki.com/wiki/Bind Request
    And yes, if you have the right data, you're overlooking something simple!

    Got user! Thanks for the help and resources! Now onto root. :)

  • ROOTED! This box was quite interesting and definitely taught me some stuff about LDAP that I didn't know about. The unique attack vectors were a good change of pace. If anyone needs help feel free to PM me! :smiley:

  • I am working on Lightweight, but I am stuck in the initial step. I have the low priv ssh access using my IP. I have two ha*s from the usual np l**p enumeration. I am trying to run tc****p on 389 but I hear nothing. Can you please give me a nudge if possible?

  • edited February 2019

    I am stuck on user, tried listening with tc****p on the ldap port but got no traffic PM me pls I need help :(

    EDIT: got it.

  • Finally rooted, a very good machine to learn about Linux capabilities!!

    If you need some hints about this challenge, please PM. I'm glad to help you. And thanks to @all that helped me with your hints.

  • User and Root :)

    With all the information in this post it is easier to get it.

    PM if you get stuck.

  • Really cool box! Thanks to @Leonishan for the help :)

    Hack The Box

  • Damn! After wasting hours in the wrong path I now finally have root shell.

  • I learned SO much with this box. PM if you need help.

  • Brand new to HTB - First box, no previous knowledge of other boxes.

    I did the Initial enum. I have the Hashes for the l*userX/Y - from reading the forum these are dead ends (The leads in forum are cryptic/vague - as to not spoil for many).
    I have also used tc****p, ap and the regular enumeration tools and am getting the same information. Unless I missed something in those files I'm lost and have put quite some time into reviewing everything. I want to further learn so I don't mind reading and searching, however, it would appear that I'm now going around in circles without further progress.

    Any help is very much appreciated, I don't want the answer handed but a helpful less vague answer through PMs would be great <3.

    Questions I have:
    -What's next after you ssh in and enumerate?
    -What am I missing that's preventing me from seeing the obvious to get the first user?

    Thank you in advance to whomever can lend a helpful hand.

  • Is bruteforcing the L*** hashes required?

  • Nope..

    I Love Ice Creams

  • Can someone give a hint on user via PN? Would be really nice!

  • edited March 2019

    I still can't figure out the ld** query to use. I know the process but I don't know where to pass those hashes. Please, some nudge.

    Edit: Got root. Thanks for your help @clmtn. Anyone who needs a nudge, PM me, I would like to help.

  • Just got root on it. Learned a great deal with this machine - the last step to root was ace and did indeed make me smile. Still need to do some additional reading on the underlying mechanism.

  • edited March 2019

    Captured the ldap bind credentials and can authenticate with them via various tools, but have no idea what to do then to get user? Any help?

    Thanks to HadesAKM
    I was overlooking the obvious.

  • hi folks,

    I've got user and root flag. I tried getting a root shell without success so far. As the box feels already sluggish I don't want to mess around with it too much. Can someone DM me on how a root shell can be achieved?

    "Respect to whom respect is due."
    Twitter: https://twitter.com/0x4242 | Web: http://0x4242.net