Poison

@julietta said:
I have previously owned the user and submitted the hash. However, now when I try to log in the same way, the password no longer works? It kept saying Permission Denied… Did someone change the password or something?? Very puzzled…

I would double check the password is right. If you’re copy/pasting it rather than typing it… Here’s a hint.

Try echoing it before you use it in the connection. Does it still look right?

For any who have trouble extracting a zip file… If you’re using the command unzip -P "***" you might get an ‘incorrect password’ even if you are right.

Try just using unzip on the file, then enter the password at the prompt.

Hope that isn’t a spoiler, but at least I learned how to use the unzip command the right way.

I must be super dumb but I can’t find this backup password file people keep mentioning. I’ve got an LFI so can read passwd and I’ve dirbed and dirbusted it with the supplied lists but it’s not bringing anything like that up. What am I missing?

@NeilSec If you got user, you really shouldn’t have any trouble finding it.

Edit: Unless you mean for privesc, in which case the above hints should be more than sufficient with research or knowledge. (Time machine stuff)

@Andromalius said:
@NeilSec If you got user, you really shouldn’t have any trouble finding it.

Edit: Unless you mean for privesc, in which case the above hints should be more than sufficient with research or knowledge. (Time machine stuff)

I got a user by LFIing the passwd file. Not sure how that helps me find a password file that I don’t know the name of?

@NeilSec So you haven’t gotten on the machine, and you’re wondering why you can’t see the password backup people are talking about?

… Just saying

@Andromalius said:
@NeilSec So you haven’t gotten on the machine, and you’re wondering why you can’t see the password backup people are talking about?

… Just saying

Ah OK…some comments imply they got onto the machine by finding an encrypted password file for the user found via the LFI…or maybe they didn’t but I assumed they did.

@NeilSec Having done the box, I’m going to assume they were talking about something different.

If you don’t know how they got on the box, my hint to you would be to enumerate more. You might find something useful you missed before.

Rooted, big thanks to @mcruz and the source he provided. For those who need help, Spoiler Removed - Arrexel

@Andromalius said:
@NeilSec Having done the box, I’m going to assume they were talking about something different.

If you don’t know how they got on the box, my hint to you would be to enumerate more. You might find something useful you missed before.

Strange. I just found the file by looking a bit harder. Maybe you got in a different way?

Stuck on priv esc for the last 2 days. I think I’m heading in the right direction but any more hints would be great.

@scando said:
Stuck on priv esc for the last 2 days. I think I’m heading in the right direction but any more hints would be great.

5 Mins after posting this I’m in. Root dance time.

@grandk said:
Rooted, big thanks to @mcruz and the source he provided. For those who need help: https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html, How to Configure a SSH Tunnel On A VNC Server - Ubuntu 14.

Yes. I tried all these methods. I am able to connect to that port. But the screen is grayed out with big X mouse. Some pixel alignment problem. Tried different pixels there. But no solution.

Rooted. Nice box. Learned a lot.

Hi, can someone PM me with some hints, I got LFI and RCE, but I am not able to open a rev shell. Thanks

@sesha569 said:

@grandk said:
Rooted, big thanks to @mcruz and the source he provided. For those who need help: https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html, How to Configure a SSH Tunnel On A VNC Server - Ubuntu 14.

Yes. I tried all these methods. I am able to connect to that port. But the screen is grayed out with big X mouse. Some pixel alignment problem. Tried different pixels there. But no solution.

Sometimes you might need to wait for a while or reset and redo the steps. Mine was extremely unresponsive on my first try.

T_T, why did ippsec release so fast, I’ve got user.txt & otw to get root T_T

So I got the password (decoded it 13 times). Can anyone give me a hint of how to use it? I presume I need to find a user somehow but I have not been very successful in enumerating any usernames to use…

Please help (I’m new) 🙂

I know you need it to root it, but has anyone had any luck getting log poisoning to work on this machine? I can run commands but have not actually managed to get a reverse shell working in the ways I’m used to. Log seems very finicky and chokes on various symbols.

PM if you have.

My god, the “poison” direction and hints threw me off so bad since I had already gotten foothold with a much easier way (the way in is listed already on main page…) and I was stuck wondering how the heck “poisoning” could help me privesc.