Hint for Sunday

Ufff, rooted! (well, actually I was trying to crack root’s password, but it was just too slow, so I made workaround and just asked for a root.txt file. I am not sure if this is the way, but it worked)

i’m stuck on the hash. I can use both john and hashcat to crack the original user/pass but not the second. i’ve read through the options and tried a few things but still no luck.

@royc3r said:
i’m stuck on the hash. I can use both john and hashcat to crack the original user/pass but not the second. i’ve read through the options and tried a few things but still no luck.
Send me a PM I will try to help you.

done to get root.txt

[ATTEMPT] target 10.10.10.76 - login “spoiler removed” - pass “19071907” - 14239 of 14344408 [child 0] (0/9)

Using hydra with rockyou.txt on high port, going very slow. Am I on right the right track? Using the only username that had been logged in from list I found by negotiating another service. Also used metasploit to check for users.

For priv esc, try to see what commands can use the users, and after that READ THE MAN PAGE !!
this last step help me to get all for priv esc, including the root.txt

Not sure if this is the right direction, but I’m trying a basic brute force for a service on the host and 2 well known tools are completely shitting themselves and not working at all. Don’t want to give too much away, so if someone wouldn’t mind dropping me a DM and giving me a second opinion, I’d really appreciate it.

EDIT: Neeeevermind. Used a different tool and had success. Still not sure why the other two didn’t work, but whatever!

Wow, loved this box! I rooted it and learned some cool stuff from it.
Ping me if you need any help (no spoilers) :smiley:

Enjoyed getting through the user and PE. It was simple in the end. I skipped it several time to work on other machines as I did not get in initially. I must remind myself to keep retrying passwords since the one that got me in did not work at several previous occasions due to humans working on the box :wink:

can someone pm me. I have usernames and have read up on the 2 ports I have open. tried to enumerate shares and can’t find any. really stuck now

This box is not tough, but it takes time to get the initial foothold and need lot of reset if you or someone else do something wrong when trying to get root. PM me if you need more hints.

@RLFP said:
Pretty much my approach…
youtu.be/v_3ks7-OjGc
youtu.be/234u2ZV8HNY
youtu.be/mLm_3K2YImc
youtu.be/HklWMqA9oVA
youtu.be/e3-5YC_oHjE
youtu.be/fhzm-sZNjsg
youtu.be/BxBfQLHykfI

This was fucking hilarious.

any hint how i will get the password for the second user sa**y

This box was not at all what I expected… not terribly hard looking back at it now, but a good challenge based on fundamentals. Kudos to @Agent22

@RLFP said:
Pretty much my approach…
youtu.be/v_3ks7-OjGc
youtu.be/234u2ZV8HNY
youtu.be/mLm_3K2YImc
youtu.be/HklWMqA9oVA
youtu.be/e3-5YC_oHjE
youtu.be/fhzm-sZNjsg
youtu.be/BxBfQLHykfI

lol - nice

@sazouki said:
any hint how i will get the password for the second user sa**y

enumerate more when you are on the system with… :wink:

@sazouki said:
any hint how i will get the password for the second user sa**y

I really wish they made BACKUPs of passwords… even if they were hashes.

I’ve managed to get user access! However does anyone have any hints for priv esc to get root access? does it have anything to do with lx.xo.1 (if you know what i mean :wink: ) ? PM me please, thanks!

The comments have been very helpful, but I’m having privesc issues to get root.txt. I’ve tried every flag I can think of and some of the one’s on the man page are not valid/working. Would someone kindly nudge me in the right direction?

I’m using a particular service to get the /root/root.txt file, but it is saying “File not Found”