Hint for Sunday

Any hints on initial foothold? I have enumerated all the ports, found users, using msf auxiliary module, but can’t use any of the users to log in with.

Just got the root.txt. Keep things simple!!!

@nm0s0 said:
Just got the root.txt. Keep things simple!!!

Did you get the root shell?

@xxizocxx said:

@nm0s0 said:
Just got the root.txt. Keep things simple!!!

Did you get the root shell?

No, just the key. Nope, getting the root shell wasn’t my goal, but if I have enough time I’ll try for it. There is some popular method, but on Solaris it involves a command you can’t execute.
If anyone needs some hints, feel free to PM.

@mafioso1823 said:
Any hints on initial foothold? I have enumerated all the ports, found users, using msf auxiliary module, but can’t use any of the users to log in with.

I was in the same boat so I feel you. The problem is that the enumeration of ports doesn’t seem to be reliable. I had someone else run a scan with the same options and they got what I was looking for. Once you can get a true successful scan on all ports, you’ll be moving on fast.

Just got root.txt. Enumeration is the key for initial foothold. Next, don’t break your brain on privesc and go back to basics. Feel free to PM if needed.

I think there is something f*cked up with the machine…
Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Anyone else have this problem?

Anyone else getting “ssh target does not support password auth” when messing with ssh? Manually connecting asks for a password, hydra keeps erroring out…

@3x0z said:
I think there is something f*cked up with the machine…
Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Anyone else have this problem?

3x0z. There’s nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.
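
The fix suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that reads the `Their offer:` list from the error and emits an `ssh_config` stanza enabling one legacy key exchange method for that host only, so the client's defaults stay unchanged for every other host. The function names and the locally supported list are assumptions (constructed here; on a real client that list is the output of `ssh -Q kex`).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Error text as quoted in the thread (port left as "xxx", as posted).
SAMPLE_ERROR='Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

# Constructed stand-in for `ssh -Q kex`: everything the local client can
# speak, including methods that are not enabled by default.
SAMPLE_SUPPORTED='curve25519-sha256
diffie-hellman-group14-sha256
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1'

# offered_kex ERROR_LINE -> one server-offered method per line.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n'
}

# pick_kex ERROR_LINE SUPPORTED -> first offered method the client also has.
# Matching is exact and literal (-F -x), so the GSSAPI name with "+" and
# "==" is never treated as a pattern.
pick_kex() {
    offered_kex "$1" | while IFS= read -r alg; do
        if printf '%s\n' "$2" | grep -Fxq -- "$alg"; then
            printf '%s\n' "$alg"
            break
        fi
    done
}

# kex_stanza HOST ERROR_LINE SUPPORTED -> ssh_config block for HOST only.
# The "+" prefix appends the method to the default set instead of replacing it.
kex_stanza() {
    alg=$(pick_kex "$2" "$3")
    [ -n "$alg" ] || { echo "no common key exchange method" >&2; return 1; }
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$alg"
}

# Stand-alone run: print the stanza for the host from the thread.
kex_stanza 10.10.10.76 "$SAMPLE_ERROR" "$SAMPLE_SUPPORTED"
```

Keeping the exception inside a `Host` block means the SHA-1 based methods are accepted only for this one legacy server and not for every connection the client makes.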

@PercyJackson35 said:
Anyone else getting “ssh target does not support password auth” when messing with ssh? Manually connecting asks for a password, hydra keeps erroring out…

A) See comment below yours regarding setting the proper key exchange during negotiation, not sure if hydra supports those types of options?

B) You do not need to brute force services for authentication.

C) PM me if you want hints.

Finally got root. Alas, this box was far from being a fun experience. Sorry to say.

@nm0s0 said:

3x0z. There’s nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.

Thanks for the clarification. Not always safe to say what’s intended and what isn’t.

Any help in getting the root.txt? Been thinking of the comments here that you can get it without root privileges and you just need a command to get it. Hitting a wall here, need a push. Pls PM me. Thanks.

finally got it… ■■■■… :slight_smile:

who keeps changing the f#cking password???

I was able to log in… now I’m wondering how to esc privs. I found directories that contain the user.txt but I can’t access them. Looking for a PM for a nudge in the right direction.

Has anyone got a complete nmap scan of this host they can PM me? Mine is either hanging at 99.99% or failing because of a reset.

Very close to giving up on this box after 2 solid days. Got user but for the life of me I can’t get root. Can’t even find the freaking root.txt file!!!

HELP!!! :slight_smile:

After 5 days of intense work I got root. I’m very happy because I learned a lot from this machine. I googled a lot to reach the target… often following wrong paths, but this also helps me to improve. When you do not expect it, the solution arrives, just do not get discouraged.
No exploit needed to get root. I suggest enumerating as much as possible, trying to understand as much as possible what a user can or cannot do… once you understand what you can do, you need to focus on this. Very interesting.

Fun box. If you are trying to modify some critical file, please consider that other people have not done privesc yet, and you may be closing doors.