Hint for Sunday


Comments

  • edited July 2018

    @Deku said:

    I currently am working on this machine and thus honing my enumeration skills since this is no lazy Sunday, but is bruteforcing necessary? Can you point me to some good wordlists, so I can establish the initial foothold?

    If you're using kali -- there are wordlists in both /usr/share/wordlists and /usr/share/seclists, and there are targeted wordlists out there on the internet if you google on the type of thing (not just the service) you are trying to enumerate.

    I won't comment on the bruteforcing question to avoid spoilers but I will say that in my limited experience with HTB and offsec solid enumeration skills and picking decent lists of things for your tasks are foundational.

    LegendarySpork


  • rooted !

  • Finally got the root flag but was unable to root. I got the root hash from the shadow file as well, but was unable to crack it after a day's worth of trying with rockyou and many other wordlists. Can anyone that cracked the hash PM me to let me know what worked for you?

    To everyone still trying to get user/root, there is some good advice already throughout the thread. Definitely enumerate a LOT and find out what you can do with your current privileges. As said before, this box does not require overwriting anything in /etc/. I learned some new uses of a certain tool on this one. Good box!

  • Took me a few days to get the first user.
    Took me another day for the second user
    but after that took me an hour to root.

    Hint for first user - think simple, this is what every box in HTB has.
    Hint for second user - try to find something that the first user can read pertaining to the second user
    Hint for root - after getting second user, try man a certain command for priv esc...

    PM for more hints :) Happy hacking.

    Thanks for all the help given.

    wilsonnkwanl

  • @LegendarySpork said:

    If you're using kali -- there are wordlists in both /usr/share/wordlists and /usr/share/seclists, and there are targeted wordlists out there on the internet if you google on the type of thing (not just the service) you are trying to enumerate.

    Thanks for your answer, rooted the box a few days ago but was wondering if there were any specific wordlists. Didn't mean box specific so my question was at the wrong place.

    Deku Deku!

  • Hi guys, is anyone having connection issues with this machine on the eu vip servers?

  • @S1kk1S said:
    Hi guys, is anyone having connection issues with this machine on the eu vip servers?

    If you are referring to it lags like cows are going to come home, and sometimes finger/ssh no connection, yes, spot on.

    wilsonnkwanl

  • rooted! pm if you need tips :)

    Hack The Box

  • I own 2 users and the user.txt already.

    I tried as hard as I was able to, but I am not able to find the next step.
    Bruteforcing root with one of the services or something else?
    What is /root/troll for?
    How could wget help?
    Did you use one of those^^ to get root.txt?

    I'm lost and need a little push please. Just some gentle hints, no spoilers please

  • @dontoni said:
    I own 2 users and the user.txt already.

    I tried as hard as I was able to, but I am not able to find the next step.
    Bruteforcing root with one of the services or something else?
    What is /root/troll for?
    How could wget help?
    Did you use one of those^^ to get root.txt?

    I'm lost and need a little push please. Just some gentle hints, no spoilers please

    I'm in the same situation and I think second method is the way to go with this. I read the man page for it but couldn't find what I was seeking for. Any help would be appreciated if I'm going down the wrong path.

  • Rooted! PM me if you need any tips.

  • Rooted! PM if you need any help.
    This thread gives all the answers.. thank you guys!

  • edited July 2018

    Finally rooted. Thanks for all the comments here, won't add anything cuz all the hints are already here. My biggest problem with hints is that they make sense only after you got the solution... :persevere:
    Anyway for advice ping me on the HTB channel on netsec focus mattermost channel.

  • edited July 2018

    Got it!!

    for those who are having trouble with the final step

    check what commands you have permission to run. then check the man pages for those commands. read the pages carefully. you know how sometimes things spit your command or input back at you and tell you it's wrong even though you know it's right? well what if you knew it was wrong?

  • Got the root ! PM if anyone needs help.

  • edited August 2018

    Done

  • Hello everyone,
    I read through the forum but I can not get user.txt. I use hashcat with every wordlist I can find. Nothing...
    I even restarted the server to get the fresh hash. But it was the right one all along.
    Could someone point me in the right direction?

  • I swear to a deity that someone had changed something in the interesting file - gits!! Rooted it within 5 mins after checking it again!!!! >_<

    da1y

    OSCP | eCPPTv2 | eJPT

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • Jeez - what kind of wordlist do you have to use to crack that password you get from that file? have spent hours on trying to crack it to no avail. Tips welcome!

  • rockyou did it...

    da1y

    OSCP | eCPPTv2 | eJPT

    I rarely check private messages, if you do ask for help, show your workings. I don't reply to wall posts.

  • managed to root it. Complex, but nice!

  • I ended up not having to crack root's password to obtain root.txt. The whole challenge wasn't too bad. I spent most of my time with the initial foothold -- figuring out the first username was the most difficult part for me. :-\

  • I have only 2 services listed from the nmap scan, rpc and finger; ssh is closed and the other ports are filtered. I should deal with them with rpcinfo, showmount, mount and finger, but none of these tools are working. I tried in Kali 2016, Kali 2017, Windows 8 and Windows XP; no result, I just got an auth error!! Am I far away from the right track?

  • @waspy said:
    I have only 2 services listed from the nmap scan, rpc and finger; ssh is closed and the other ports are filtered. I should deal with them with rpcinfo, showmount, mount and finger, but none of these tools are working. I tried in Kali 2016, Kali 2017, Windows 8 and Windows XP; no result, I just got an auth error!! Am I far away from the right track?

    Try a full port scan - and try enumerating finger :)

  • @loln00b thanks for the reply. Yeah, I did and I got 2 users; also with metasploit I got the running services, but what to do next if I can't mount the rpc?

  • edited August 2018

    Edit: Scan slow boys...
    But now that I got the service I am needing, I am lost on password enumeration.
    Do we need to brute the login?

    cr4nk

  • I'm using rockyou.txt as my dictionary, I'm not sure I'm on the right track, because the hydra told me I should wait for at least .. (when I switch my window, I have found the right password). OK, patient guys.

  • edited August 2018

    Now I am stuck on switching users locally. I feel like I am enumerating everything and missing something.
    Someone please PM me a tip here, I feel like I am dead lost now.

    cr4nk

  • I'm struggling with this mainly because all of my connections keep timing out even on VIP. I'm using sensitive options on my tools to keep things light and slow and I'm trying to use really targeted information but I can't get anywhere.

    Perhaps I'm just going about this the wrong way.

  • edited August 2018

    Please stop wiping out pwds...
    I can't even reset the machine
    EDIT:
    I just got root shortly after user with some help from @Grepthis

    This box was an interesting one. Definitely learned a lot about solaris and some tools :bleep_bloop:

    cr4nk
