Official Blunder Discussion


Comments

  • @in3vitab13 did you try "--force"? Also, can anyone help me with the username? I'm lost. I think I have tried all the ones I can think of with a cool list of words. Any help would be appreciated.

  • @waido said:

    Hi,

    I need some help (in DM) for privilege escalation.
    I'm stuck on www-data user.
    I used LinEnum and LinPeas to look for some clues but I didn't find anything.
    I searched for zip and backup file ... nothing.
    I searched for (valid) passwords in text files ... nothing.
    I searched on Google for "Ubuntu 19.10 privilege escalation", I found something about sudo but it's not applicable.

    In very general terms manual enumeration is much better than scripts.

    Thanks in advance

    [EDIT]

    Uhm ... I haven't tried the bruteforce of the u*****.php file yet ... my next step

    As a rule of thumb for HTB, if it doesn't crack quickly it might not be the right thing. For attacks like this, try to have an idea of what account you are looking for and a reason to think it should be active on the machine.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • @in3vitab13 said:

    I'm doing it with hashcat (s**1 algorithm)... still it terminates as soon as I start it!
    And the websites you mentioned couldn't guess it!
    Anything else I should try?!
    Are you sure it's in rockyou?

    I don't think it is in the default rockyou, but I could be wrong. If you have the right thing, there is an online tool which solves this for you in seconds.

    If you have the wrong thing, you could spend months on this. If you are in any doubt, check you have a good reason to think the thing you have will work.

    TazWake

  • @BIGGYBBQ said:

    Hi,

    I'm struggling with the initial foothold :( I guess I have the username (which is really common for the management page). I tried to bruteforce the password with no result...

    maybe my username is not the right one ?

    Thx

    Almost certain that you have the wrong username.

    TazWake

  • @andrhtb said:

    How did you guess the password here?

    I don't think people guess - more likely they use a brute force approach with a custom wordlist.

    TazWake

  • @Redh00d03 said:

    @in3vitab13 did you try "--force"? Also, can anyone help me with the username? I'm lost. I think I have tried all the ones I can think of with a cool list of words. Any help would be appreciated.

    Okay, I'll try --force!
    Are you talking about the username for b****?! Or anything else?

  • @Redh00d03 said:
    @in3vitab13 did you try "--force"?

    still getting exhausted, just like before!

  • @s0b3k said:

    My current issue is that I get this message in msf and it doesn't create a session:
    [*] Started reverse TCP handler on CENSORED
    [+] Logged in as: f***** (I censored this as well)
    [*] Retrieving UUID...
    [*] Uploading xCwhiPoQRB.png...
    [*] Uploading .htaccess...
    [*] Executing xCwhiPoQRB.png...
    [!] This exploit may require manual cleanup of '.htaccess' on the target
    [*] Exploit completed, but no session was created.
    Am I using the wrong payload or is it an issue I haven't thought of yet?

    Had the same problem!
    Then I switched to a Python exploit, and it worked easily at once without an issue!
    I suggest you do the same.
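
    As an added defender's note, not from any poster in this thread: the msf output quoted above uploads a .htaccess alongside a .png and then executes the .png, which only works when the .htaccess remaps that extension to a script handler. The Python below is my own example (not the thread's, not the exploit's and not any CMS's code) and sweeps an upload tree for .htaccess files that route static extensions to a PHP or CGI handler; the directive names are real Apache ones, the sample tree is constructed in a temp directory.

```python
import os
import re
import tempfile

# Apache directives that can hand a file to a script engine (real Apache directive names).
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+(\S+)(.*)$", re.I)
# Extensions an upload directory should only ever serve as static content.
STATIC_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".pdf"}

def htaccess_findings(text):
    """Return (directive, target, hit_extensions) for lines routing static files to PHP/CGI."""
    findings = []
    for line in text.splitlines():
        m = HANDLER_RE.match(line)
        if not m:
            continue
        directive, target, rest = m.group(1), m.group(2), m.group(3)
        if "php" not in target.lower() and "cgi" not in target.lower():
            continue  # e.g. "AddType image/png .png" is harmless
        exts = [e.lower() for e in rest.split() if e.startswith(".")]
        hit = [e for e in exts if e in STATIC_EXTS]
        # SetHandler/ForceType apply to every file in the directory, so they need no extension list
        if directive.lower() in ("sethandler", "forcetype") or hit:
            findings.append((directive, target, hit))
    return findings

def scan_upload_root(root):
    """Walk an upload tree; return [(path, findings)] for each .htaccess that remaps static content."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = htaccess_findings(fh.read())
        if found:
            report.append((path, found))
    return report

def demo():
    """Constructed sample tree: a benign root .htaccess plus an uploads/.htaccess that turns .png into PHP."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\nAddType image/png .png\n")
    with open(os.path.join(root, "uploads", ".htaccess"), "w") as fh:
        fh.write("AddType application/x-httpd-php .png\n")
    return scan_upload_root(root)
```

    Run `demo()` to see the report; in practice point `scan_upload_root` at the web server's upload directory from a cron job or a file-integrity check.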

  • For those struggling with cracking the hash!
    1. Make sure you have the right hash.
    2. Also check the directory in which you found the file.
    3. If it's the right hash you won't need to worry about salt!

  • For root!
    Google has always been your buddy.

  • edited July 2020

    "This exploit may require manual cleanup of '.********' on the target"

    Stuck here... Is this part of the challenge or is it my problem only?

    Hack The Box

  • @in3vitab13 said:
    > for root!
    > google has always been your buddy

    Congrats buddy.
    Always try to read older comments as they most probably have enough hints. ;)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Pretty fun box, but I really didn't have the attention span for the second step of the first foothold. lmao

    [email protected]:~# id
    uid=0(root) gid=0(root) groups=0(root)

    Conway

  • @Jok3 said:

    "This exploit may require manual cleanup of '.********' on the target"

    Stuck here.. is part of chall or is my problem only ?

    Had the same problem!
    Found a Python exploit instead of m**!
    You could do the same!

  • I'm just stuck on getting root.
    I found user S**n is in group ld.
    After googling, I found that I can make use of it.
    But the machine is missing l*c...
    So, am I on the wrong track?

  • @6uta said:
    > I'm just stuck on getting root.
    > I found user S**n is in group ld.
    > After googling, I found that I can make use of it.
    > But the machine is missing l*c...
    > So, am I on the wrong track?

    The root was pretty easy. Just sit back and think about what you see.

  • Open to PMs on this box. Initial foothold is killing me.

  • @JohnGuy said:

    Open to PMs on this box. Initial foothold is killing me.

    Make sure you've found the username and built your own wordlist. Then google how to bypass the protection.

    TazWake

  • Finally rooted
    Initial foothold: be cewl about the word list and make sure you have the right username.
    User: start enumerating from where you landed.
    Root: just google your privilege.

    PM if you need help

  • Rooted
    [email protected]:/root# id && date
    id && date
    uid=0(root) gid=1001(hugo) groups=1001(hugo)
    Mon 6 Jul 11:16:09 BST 2020
    [email protected]:/root#

    Foothold: Read the "index.html" and create your own wordlist (can't say more).
    User: Look at the directories you've first found when you accessed the machine and start enumerating from there.
    Root: Find your privileges....

  • @Karthik0x00 said:
    > @6uta said:
    > > I'm just stuck on getting root.
    > > I found user S**n is in group ld.
    > > After googling, I found that I can make use of it.
    > > But the machine is missing l*c...
    > > So, am I on the wrong track?
    >
    > The root was pretty easy. Just sit back and think about what you see.

    So, I should let go "l * d"?

  • @6uta said:

    So, I should let go "l * d"?

    I don't know what that is, but the short answer is "yes".

    Privesc is pretty simple if you do your enumeration.

    TazWake

  • edited July 2020

    @TazWake said:

    @6uta said:

    So, I should let go "l * d"?

    I don't know what that is, but the short answer is "yes".

    Privesc is pretty simple if you do your enumeration.

    Thank you.
    I will just enumerate again from the beginning.


    Rooted.
    I found that I spent a whole day on enumerating a user which I should not enumerate.
    My problem is super quick to switch from user H to user S....

  • Spoiler Removed

  • Hi,

    I'm a bit stuck and could use a little help or a push in the right direction.

    I have a shell like www ... and I found an interesting file with two hashes: one from a user with which we could get a shell, and a new one.

    I identified the hash type and tested it with the known one. However, for the new hash I keep getting Exhausted with various word lists. I use a custom one and a frequently used one, the same for both.

    Is this a rabbit hole and a completely wrong direction ... or am I missing something?

    Thanks for the push

  • @mrZapp said:

    Is this a rabbit hole and a completely wrong direction ... or am I missing something?

    This is the correct direction. If it isn't in your wordlist it won't crack. Try an online tool such as a station which cracks.

    TazWake

  • @TazWake said:

    @mrZapp said:

    Is this a rabbit hole and a completely wrong direction ... or am I missing something?

    This is the correct direction. If it isn't in your wordlist it won't crack. Try an online tool such as a station which cracks.

    Thank you,

    With your tip, it took me less than ten minutes and a new file to explore to get out. Sometimes we just have a blind spot :-)

    Now to root.

  • Spoiler Removed

  • Learnt some new techniques from this. Also I now have a 15GB wordlist to use in the future, if the popular one fails. This box was trickier than I expected, but I really liked it.

  • Rooted.

    There is an abundance of information here in the forums, which was good for me because I was really stuck on finding the file with the initial foothold username. Once I got that, however, the rest was pretty easy. Also, you can ignore the screenshots. The information in them is unhelpful and inaccurate.
