Hint for Sunday

Hello everyone.

I was able to obtain the root flag (yay!).
But I am still missing out on being root on the box. So I know about a possible way of getting root by editing passwd, but I don't want to do that since people are saying that it is possible to get root without modifying any files on the system.
Which is why I obtained the root-hash and wanted to use hashcat like I did for one of the other users on the box.
Has anybody managed to get the password for root via hashcat (with a standard desktop PC)?
I already tried rockyou and many different pw-lists from seclist but had no luck yet.
If anybody got the root-pw via hashcat, I would be very happy to get a PM on which dictionary-file to use. Thanks in advance.

And btw. Great box!
Hint: Don't think too complicated :-) I did and it cost me several hours.

Can’t find much with enumeration. Did some finger-fu and got back some service accounts, and found high ports with two services, but I’m not familiar with one in particular and can’t get much from it. Is this something I should research, or knock on the door until a pair lets me in?

I’m having a ■■■■ of a time doing my initial scan against this box. There’s so much lag/so many dropped probes that nmap adjusts itself to where the full scan is going to take 12+ hours. Has anyone else had this issue/figured it out? I’ve tried all sorts of timing adjustments.

@opt1kz said:
I’m having a ■■■■ of a time doing my initial scan against this box. There’s so much lag/so many dropped probes that nmap adjusts itself to where the full scan is going to take 12+ hours. Has anyone else had this issue/figured it out? I’ve tried all sorts of timing adjustments.

I am also experiencing this and also with other boxes. I cannot get a stable latency.

Got user and I know what I need to do for root, but people keep screwing up important files.

I just got the root flag easy peasy, but that’s not good enough! I want a shell! I could very easily get one by writing to certain files, but I don’t want to do that. It’s too dirty.

If the binary I was using was a slightly newer version I’m pretty sure I’d be able to achieve command execution with it, but not this one. Or perhaps I’m overlooking something.

Anyone care to give me hints as to how they popped their shell? ;D

Edit: Never mind. Found a semi-clean method I’m happy with. Overwrite a particular file with a modified copy to grant you access to whatever toys you want, pop a shell, immediately overwrite it again with the original version. As long as you don’t f**k it up somehow it doesn’t impact system stability at all.

stuck on this box and need some help
I found 2 services and enumerated all users, and I guessed the pass for the su*** user according to hints, but I'm not sure how to connect; I'm not familiar with the 2nd service ("higher port").
Any hint is an entry point for me.

@raouf09 said:
stuck on this box and need some help
I found 2 services and enumerated all users, and I guessed the pass for the su*** user according to hints, but I'm not sure how to connect; I'm not familiar with the 2nd service ("higher port").
Any hint is an entry point for me.

As has been said many times in this thread, if you’ve only found 2 services, and you’re not sure how to connect, you might need to enumerate more.

This box trolled me, in the end!
:astonished:

I'm stuck switching between the two users. Any hint for dumping the file?

Can someone PM me and help with getting root? I have all of my steps laid out so I will tell you everything I have tried.

EDIT: Scratch that! Got it! Very cool…

Hello guys, I've been stuck on this box for too much time. I can't find the way to read user.txt. Please give me one detail on how to do it, thank you.

I didn’t use the technique everyone says though…pretty cool.

Is there anyone willing to share their full nmap result? I really can't do a full scan due to latency issues. It took me almost a couple of hours and got nothing; besides, the machine keeps getting reset by people. Thanks in advance!

@rocux said:
Is there anyone willing to share their full nmap result? I really can't do a full scan due to latency issues. It took me almost a couple of hours and got nothing; besides, the machine keeps getting reset by people. Thanks in advance!

Sent. The stability of this box is terrible

On the note of enumerating the interesting services, can someone send me a pointer or two? I’m not sure if I can try the output of the tools I’m using right now due to the network issues

Thanks,

@ccma40 said:

@rocux said:
Is there anyone willing to share their full nmap result? I really can't do a full scan due to latency issues. It took me almost a couple of hours and got nothing; besides, the machine keeps getting reset by people. Thanks in advance!

Sent. The stability of this box is terrible

Hey can I get the full nmap results too? I doubt the scan will ever complete.

Got root.txt but no shell. Tried everything in the forum and other ideas I could think of by exploring the box. I realize some files in /etc/ can be overwritten but people have suggested a cleaner way is possible. Can anybody drop a hint for the cleaner solution?

Would anyone be willing to PM me their full scan results? The latency on this box is ridiculous and mine can never complete.

@p3ac3ch3ck PM me.