Hint for Sunday

I own 2 users and the user.txt already.

I tryed as hard as I was able to, but I am not able to find the next step.
Bruteforcing root with one of the services or something else?
What is /root/troll for?
How could wget help?
Did you used one of that^^ to get root.txt?

I’m lost and need a liitle push please. Just some gently hints, no spoiler please

@dontoni said:
I own 2 users and the user.txt already.

I tryed as hard as I was able to, but I am not able to find the next step.
Bruteforcing root with one of the services or something else?
What is /root/troll for?
How could wget help?
Did you used one of that^^ to get root.txt?

I’m lost and need a liitle push please. Just some gently hints, no spoiler please

I’m in the same situation and I think second method is the way to go with this. I read the man page for it but couldn’t find what I was seeking for. Any help would be appreciated if I’m going down the wrong path.

Rooted! PM me if you need any tips.

Rooted! PM if you need any help.
This thread gives all the answers… thank you guys!

Finally rooted. Thanks for all the comments here, won’t add anything cuz all the hints are already here. My biggest problem with hints that they make sense only after you got the solution… :persevere:
Anyway for advice ping me on the HTB channel on netsec focus mattermost channel.

Got it!!

for those who are having trouble with the final step

check what commands you have permission to run. then check the man pages for those commands. read the pages carefully. you know how sometimes things spit your command or input back at you and tell you its wrong even though you know its right? well what if you knew it was wrong?

Got the root ! PM if anyone needs help.

Done

Hello everyone,
I read through the forum but I can not get user.txt. I use hashcat with every wordlist I can find. Nothing…
I even restarted the server to get the fresh hash. But it was the right one all along.
Could someone point me in the right direction?

I swear to a deity that someone had changed something in the interesting file - gits!! Rooted it within 5 mins after checking it again!!! >_<

Jeez - what kind of wordlist do you have to use to crack that password you get from that file? have spent hours on trying to crack it to no avail. Tips welcome!

rockyou did it…

managed to root it. Complex, but nice!

I ended up not having to crack root’s password to obtain root.txt. The whole challenge wasn’t too bad. I spent most of my time with the initial foothold – figuring out the first username was the most difficult part for me. :-\

i have only 2 services listed rom the nmap scan rpc and finger ssh closed and the other ports filtered , i should deal with em with rpcino showmount and mount and finger but non of this tools are working i tried in kali 2016 kali2017 windows 8 windows xp , no result i just got auth error !! am i far away rom the right truck ?

@waspy said:
i have only 2 services listed rom the nmap scan rpc and finger ssh closed and the other ports filtered , i should deal with em with rpcino showmount and mount and finger but non of this tools are working i tried in kali 2016 kali2017 windows 8 windows xp , no result i just got auth error !! am i far away rom the right truck ?

Try a full port scan - and try enumerating finger :slight_smile:

@loln00b thnx for replay yeah i did and i got 2 users also with metasploit got the running services but what to do next if i cant mount the rpc ?

Edit: Scan slow boys…
But now that I got the service I am needing, I am lost on password enumeration.
Do we need to brute the login?

I’m using rockyou.txt as my dictionary, I’m not sure I’m on the right track, because the hydra told me I should wait for at least … (when I switch my window, I have found the right password). OK, patient guys.

Now I am stuck on switching users locally. I feel like I am enumerating everything and missing something.
Someone please PM me a tip here, I feel like I am dead lost now.