Hawk

FUCKKEN GOT EEEEEM BOISSSSS WOOOOW WHAT A RIDE LAWWWWRD JEEEZUS WOW THERE IS A REALLY AWESOME SUUUUUUUPER DOPE POST THAT HELPED ME GET THE FINAL STEP FOR THE challenge WAAA I’M THIRSTY NOW!!!

HEHE rooted ;D

Spoiler Removed - Arrexel

this was a great box, similar to a couple of other ones currently active.

I think some tips in here are a bit misleading;

on the file, you have everything you need on a base kali install, you don’t need to download anything or write any scripts. the whole process took less than 5 minutes on a VM with the usual wordlist.

on PE, take a careful look at your nmap output, there are big clues there to getting from the w user to the d user. from here, if you’ve done other similar boxes you should know what to do with the running services.

@crisco said:
So, the tool to decrypt the file from GitHub didn’t work for me. It didn’t find the correct password (it couldn’t even do it with an example file using “password” as the password), but doing it manually in Python cracked it in about 10-20 seconds with a good wordlist, and was only about 20 lines of code (including fancy argument handling xD).

Similar issue here - scripting the commands to run the decrypt routines worked - the GitHub code did not.

rooted… great things learned on the way! got a taste of h2
PM for help

Just got root. The crucial thing for both user and root is to take things slow. The path is relatively straightforward, but you need to read the source code of the exploits and understand what it’s doing and make necessary modifications in the source code or do some other prior setup.

For root, someone already mentioned this, but consider your approach in Poison. Very similar path.

Seconded
Just take what you have and put it together. And as already said: don’t overthink, think straight

Hey
I decrypted the .enc file. Seems like I have a user D***** and a password ***(…). I have tried using the credentials on all the services exposed. Is there another trick to this?

Rooted! Pretty awesome box. PM for nudges

Gotten user, but stuck with root, know what to do with h20 but I can’t do it without a D user. Any hint?

Edit: don’t really need D user, can be done without it; however, u will still need a set of creds when u reach the river.

@StarLord95 said:
Hey
I decrypted the .enc file. Seems like I have a user D***** and a password ***(…). I have tried using the credentials on all the services exposed. Is there another trick to this?

Are you sure you tried all services? Just stick with the password first.
Edit: There is a big hint inside the file where you found the credentials :wink:

@3x0z said:

@StarLord95 said:
Hey
I decrypted the .enc file. Seems like I have a user D***** and a password ***(…). I have tried using the credentials on all the services exposed. Is there another trick to this?

Are you sure you tried all services? Just stick with the password first.
Edit: There is a big hint inside the file where you found the credentials :wink:

Oh…just needed to use a more privileged username ;). But what now, can’t find anything juicy inside the service.
Edit:
never mind
Edit 2:
And now I’m stuck again. God dammit
Hints on priv esc onto root?

Could also use help on privesc… Found a method but can’t use it because I’m missing a certain pw for d***** :confused:

Great box. Struggled a bit decrypting a certain file but I really enjoyed it.

Wow finally got root. I didn’t bother for reverse shell for root though. Fun, annoying, clever. 10/10 would do it again!

Finally rooted! Really cool box, took me days to figure it out :slight_smile:
Thanks to everyone for the nudges.
If anyone needs help feel free to write me.
For the last part, even if you’re thirsty there are 45105 ways to do it!

Besides the poison like privesc, there is also another way to get root! Finally got it!

Hi all,

I am stuck on getting the creds for d****l. I have a RCE on the box, and have trawled through every cfg, conf, cnf file, and run enum script, but still missing something.

If anyone could give me a hint that would be appreciated. :slight_smile:

@Bscratch don’t need creds for D. just use the poison way but tweak it to suit what u need.

rooted, this might have been one of my favorite boxes idek why, just a really good flow to it from beginning to user to root : )