Poison

My first server :D, two interesting days.
The comments are right: just enumerate the services and understand how they work, then use the file.
I learned a lot.

hello, desperate newbie here. Two issues:

  1. On my first scan, I found two open ports and two filtered ones (one even corresponding to a known and useful service - or at least I thought so). Problem is, I can’t find those two services anymore; they don’t show up in my scan. I tried resetting the box several times, nothing changed. Did I hallucinate?

  2. I was able to find a username by decoding the password backup. I thought of using it in *** but I can’t figure out the password (I found the pwd file but all the entries are simply ‘*’). It was stated several times that no bruteforce is needed here, so… what am I missing?

@federella You’ve done the right thing by finding a username… Perhaps you might enumerate a little more and find a password somewhere?

How do you unzip the zip file? I’ve tried “unzip -p passwd zipfile” and it didn’t work…

@Andromalius said:
@federella You’ve done the right thing by finding a username… Perhaps you might enumerate a little more and find a password somewhere?

That’s what I thought, but I’m stuck. The passwd file was useless and I can’t find the shadow file, so… I don’t know what to look for!

EDIT: I feel so stupid! I already had the password, lol.

I have previously owned the user and submitted the hash. However, now when I try to log in the same way, the password no longer works. It keeps saying Permission Denied… Did someone change the password or something?? Very puzzled…

@julietta said:
I have previously owned the user and submitted the hash. However, now when I try to log in the same way, the password no longer works. It keeps saying Permission Denied… Did someone change the password or something?? Very puzzled…

I would double check the password is right. If you’re copy/pasting it rather than typing it… Here’s a hint.

Try echoing it before you use it in the connection. Does it still look right?

For anyone who has trouble extracting a zip file… If you’re using the command unzip -P “***”, you might get an ‘incorrect password’ even if you are right.

Try just using unzip on the file, then enter the password at the prompt.

Hope that isn’t a spoiler, but at least I learned how to use the unzip command the right way.
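The two hints above (echo the password before using it; let unzip prompt for it instead of passing -P) share one cause: inside double quotes the shell still rewrites `$`, backticks and backslashes before unzip ever sees the argument, and an interactive bash also rewrites `!`, so a pasted password can arrive mangled. The following is an added example, not from the thread or the box, that shows this in the shell; the password `pa$$w0rd` and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example: why `unzip -P "<password>"` can reject a correct password while
# the interactive prompt accepts it. Sample password is constructed, not the box's.

# Return exactly what a program would receive as its first argument.
received() {
    printf '%s' "$1"
}

# Same password passed two ways. Single quotes pass it verbatim; in double
# quotes the shell expands `$$` to its own PID before unzip sees the string.
single_quoted() { received 'pa$$w0rd'; }
double_quoted() { received "pa$$w0rd"; }

# Return 0 if the password contains characters the shell rewrites inside
# double quotes ($ ` \) or that interactive bash history expansion rewrites (!).
# For such passwords, type it at the unzip prompt or single-quote it.
unsafe_in_double_quotes() {
    case "$1" in
        *'$'*|*'`'*|*'\'*|*'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dump the bytes you are about to send. A copy/paste often drags along a
# trailing newline or carriage return that echo hides but -P does not forgive.
show_bytes() {
    printf '%s' "$1" | od -An -c | tr -s ' '
}

# Demo when run directly.
printf 'single-quoted : %s\n' "$(single_quoted)"
printf 'double-quoted : %s\n' "$(double_quoted)"
if unsafe_in_double_quotes 'pa$$w0rd'; then
    echo 'password has shell-special characters: use the unzip prompt or single quotes'
fi
show_bytes "$(printf 'pa$$w0rd\r')"   # the stray \r from a paste shows up as \r
```

Running it prints `pa$$w0rd` for the single-quoted call and `pa<pid>w0rd` for the double-quoted one, which is the "incorrect password" the post describes; the `od -c` dump is the practical form of "echo it before you use it", since it exposes trailing `\n` or `\r` bytes that a plain echo hides.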

I must be super dumb, but I can’t find this backup password file people keep mentioning. I’ve got an LFI so I can read passwd, and I’ve dirbed and dirbusted it with the supplied lists, but it’s not bringing anything like that up. What am I missing?

@NeilSec If you got user, you really shouldn’t have any trouble finding it.

Edit: Unless you mean for privesc, in which case the above hints should be more than sufficient with research or knowledge. (Time machine stuff)

@Andromalius said:
@NeilSec If you got user, you really shouldn’t have any trouble finding it.

Edit: Unless you mean for privesc, in which case the above hints should be more than sufficient with research or knowledge. (Time machine stuff)

I got a user by LFIing the passwd file. I’m not sure how that helps me find a password file that I don’t know the name of?

@NeilSec So you haven’t gotten on the machine, and you’re wondering why you can’t see the password backup people are talking about?

… Just saying

@Andromalius said:
@NeilSec So you haven’t gotten on the machine, and you’re wondering why you can’t see the password backup people are talking about?

… Just saying

Ah OK… some comments imply they got onto the machine by finding an encrypted password file for the user found via the LFI… or maybe they didn’t, but I assumed they did.

@NeilSec Having done the box, I’m going to assume they were talking about something different.

If you don’t know how they got on the box, my hint to you would be to enumerate more. You might find something useful you missed before.

Rooted, big thanks to @mcruz and the source he provided. For those who need help, Spoiler Removed - Arrexel

@Andromalius said:
@NeilSec Having done the box, I’m going to assume they were talking about something different.

If you don’t know how they got on the box, my hint to you would be to enumerate more. You might find something useful you missed before.

Strange. I just found the file by looking a bit harder. Maybe you got in a different way?

Stuck on priv esc for the last 2 days. I think I’m heading in the right direction, but any more hints would be great.

@scando said:
Stuck on priv esc for the last 2 days. I think I’m heading in the right direction, but any more hints would be great.

5 Mins after posting this I’m in. Root dance time.

@grandk said:
Rooted, big thanks to @mcruz and the source he provided. For those who need help, https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html , How to Configure a SSH Tunnel On A VNC Server - Ubuntu 14 .

Yes, I tried all these methods. I am able to connect to that port, but the screen is grayed out with a big X mouse cursor. Some pixel alignment problem. Tried different pixels there, but no solution.

Rooted. Nice box. Learned a lot.