Hint for Sunday

Hi all I found the user sa**** am I meant to guess the password? I have think I may have go it but people may be changing the cred files. Can someone PM me?

goot root , this box is slow ! so lag

Hi I am getting error Exploit failed: Rex::Proto::SunRPC::RPCError 10.10.10.76:111 - SunRPC - XDR decoding failed in sunrpc_create…Please Any Hint for Sunday PM…

@MaTRiX13 said:
Hi I am getting error Exploit failed: Rex::Proto::SunRPC::RPCError 10.10.10.76:111 - SunRPC - XDR decoding failed in sunrpc_create…Please Any Hint for Sunday PM…

You shouldn’t need an exploit to do anything on this box.
Both user and root are obtainable from thorough enumeration (pre and post user) and local tools.

Just rooted, it was a facepalm moment. PM for hints without spoiling. It was a cool box, thanks to the creator!

Without spoiling anything… do you actually need to get a root shell to get root.txt? or is just reading the file enough? :slight_smile:

Found this cool tool during my privesc enumeration. Run it on your attacking box and it’ll echo data from POST requests to the terminal. In case you need another route for data exfiltration :wink: A simple echo server to inspect http web requests · GitHub

I must be the biggest fucking idiot… I can not find a way to get users.txt. I’ve tried looking through the file system… looking at running processes… looking for files with weird permissions…nothing.

Just rooted, It is very cool box thanks to the creator! learned some new things.

Trying to jump to the other user. Could not find any files that help me on that as I’m trying harder every time. Any hint or advice?

Rooted.
Pretty cool box, thanks to @BlackArrow for the hint.
Priv esc was pretty easy, had to reset the box a lot though because somebody kept messing up with the etc files

I got user, now need help getting to root. PM if you have time?

can someone reset the machine please and for the sake of might you don’t have to grab the file to the server yo can post…

Ufff, rooted! (well, actually I was trying to crack root’s password, but it was just too slow, so I made workaround and just asked for a root.txt file. I am not sure if this is the way, but it worked)

i’m stuck on the hash. I can use both john and hashcat to crack the original user/pass but not the second. i’ve read through the options and tried a few things but still no luck.

@royc3r said:
i’m stuck on the hash. I can use both john and hashcat to crack the original user/pass but not the second. i’ve read through the options and tried a few things but still no luck.
Send me a PM I will try to help you.

done to get root.txt

[ATTEMPT] target 10.10.10.76 - login “spoiler removed” - pass “19071907” - 14239 of 14344408 [child 0] (0/9)

Using hydra with rockyou.txt on high port, going very slow. Am I on right the right track? Using the only username that had been logged in from list I found by negotiating another service. Also used metasploit to check for users.

For priv esc, try to see what commands can use the users, and after that READ THE MAN PAGE !!
this last step help me to get all for priv esc, including the root.txt

Not sure if this is the right direction, but I’m trying a basic brute force for a service on the host and 2 well known tools are completely shitting themselves and not working at all. Don’t want to give too much away, so if someone wouldn’t mind dropping me a DM and giving me a second opinion, I’d really appreciate it.

EDIT: Neeeevermind. Used a different tool and had success. Still not sure why the other two didn’t work, but whatever!