Active any hints

Stuck on getting root. Cracking the hash isn’t working and I’m getting nowhere with impacket. Any hints through DM?

I got the user but stuck on root. Help?!?

Great box, just completed it. You can solve almost the entirety of the box with just the impacket toolkit.

This box is something that I would see at work :+1: to the creators

I am stuck at initial PrivEsc. I managed to log in to the box using “SmClit” without any creds, and I managed to get into two “shas”. One is “Repcatn” (in which I found several folders but no files) and the second one is “IP*” which does not let me even “dir” into it (I get access denied). Nullinux and enum4linux (that were previously mentioned here, so no spoiler) ended up with a bunch of failures, and none of the metasploit auxiliaries/exploits worked. Am I looking in the wrong place?

Got root flag. A quick pointer for people to avoid encountering the same issue I was:

If you’re running a virtual machine, make sure you crack hashes on your host system rather than your virtual box so your GPU is used. DON’T use the ‘--force’ flag for hashcat on your VM - it can output incorrect passwords.

Thanks to cosmoGM for that reminder, was on this part longer than all other parts combined… worked right away

@cosmoGM said:
Got root flag. A quick pointer for people to avoid encountering the same issue I was:

If you’re running a virtual machine, make sure you crack hashes on your host system rather than your virtual box so your GPU is used. DON’T use the ‘--force’ flag for hashcat on your VM - it can output incorrect passwords.

I’ve got root and I used the ‘--force’ flag in a VM and I can get the correct password without issues.

@sheepkiller said:
Hello everyone, if you are having issues with the typical tools mentioned in this forum to connect to the service, it’s probably a misconfiguration with your Kali smb.conf file. Here is what I did to fix it:

nano /etc/samba/smb.conf

// In the file, I added the following in the [global] section
client min protocol = SMB2
client max protocol = SMB3

sudo service smbd restart

I’ve got root and I do not completely understand why we need to change this. I assumed that if we do not add SMB2 and 3, it can use SMB1 to connect to the service.
I also tried to connect to the service without changing the config and I’ve got 2 successful requests in 7 requests that I’ve tried.
Could anyone explain this to me?

To root this machine you don’t need to get crazy trying to get a reverse shell. You can do it without a command prompt.

To everyone who has user creds and is trying to root, I really recommend trying this tool which is a wrapper for impacket.

I use it all the time and rooted the box in about 45 minutes. In fact, I went straight for the root.txt

I don’t want to give any more away, but this is an awesome tool!

@Revolution said:
I am stuck at initial PrivEsc. I managed to log in to the box using “SmClit” without any creds, and I managed to get into two “shas”. One is “Repcatn” (in which I found several folders but no files) and the second one is “IP*” which does not let me even “dir” into it (I get access denied). Nullinux and enum4linux (that were previously mentioned here, so no spoiler) ended up with a bunch of failures, and none of the metasploit auxiliaries/exploits worked. Am I looking in the wrong place?

You are in the right place with the Rep******. There is something contained within there that will move you to the next stage.

Rooted, PM me for help

I like chicken Roast but I can’t steal the ticket for it (laughing at myself right now)

This last step for cracking the stuff is kicking my ■■■. Is it the version? the Syntax? sigh -.-

I wasn’t able to crack it in VM, I ran it on my gaming box with a 1080ti and had it in seconds.

Also this thread is loaded with spoilers now. This is a good box to learn and discover on and has the added bonus of being something you would likely find in the wild.

If you are new to the box and coming to the thread for hints. Turn back and work the problem, you won’t regret it.

@albertojoser said:
This last step for cracking the stuff is kicking my ■■■. Is it the version? the Syntax? sigh -.-
Did you choose the correct mode for cracking?

@nope said:

@albertojoser said:
This last step for cracking the stuff is kicking my ■■■. Is it the version? the Syntax? sigh -.-
Did you choose the correct mode for cracking?

Yes… my syntax was all over the place and @lun3r & @VINDICATOR helped me out :smiley: Awesome box!

For user, NullLinux and manual searching are enough. Check each file and see if you can find anything that says it has a password. Once you have the password, search for the file where the password is found and you will know the next step.

For system, a tool in Impacket and the “bleeding” version of Mr. Ripper are all you need. However, there are pre-reqs to use the tool which can be tricky. For example, the configuration is very sensitive about case.

My tip

  • Understand how the specific authentication technology used in this machine works.
  • Be very very very… attentive about the options available and which you need and which ones you don’t; I had an extra option which caused a waste of a day for me, but that’s the learning part.
  • You can use but do not need metasploit, shell access, or a special word-list.

Happy hunting!

Great box! Learned loads from this one.

@n01n02H could you give me a nudge in the right direction? Got user.txt but having problems finding root. Thanks for your help in advance.