Hint for Sunday

Just got root.txt. Enumeration is the key for the initial foothold. Next, don’t break your brain on privesc and go back to basics. Feel free to PM if needed.

I think there is something f*cked up with the machine…
Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Does anyone else have this problem?

Anyone else getting “ssh target does not support password auth” when messing with ssh? Manually connecting asks for a password, hydra keeps erroring out…

@3x0z said:
I think there is something f*cked up with the machine…
Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Does anyone else have this problem?

3x0z. There’s nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.
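The reply above, as an added example that is not part of the original thread: a small Python helper that parses the OpenSSH negotiation error quoted in this thread and emits a `Host`-scoped `~/.ssh/config` stanza, so the legacy key exchange method is re-enabled only for that one host rather than globally. The function names and the preference order among legacy methods are assumptions of this example.

```python
import re

# Legacy KEX methods, least-bad first. This ranking is an assumption of the
# example: fixed 1024-bit group1 goes last, GSS methods are skipped entirely.
LEGACY_PREFERENCE = [
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
]

ERROR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\S+): "
    r"no matching key exchange method found\. Their offer: (?P<offer>\S+)"
)

def parse_offer(error_line):
    """Return (host, port, [offered algorithms]) from the ssh error line."""
    m = ERROR_RE.search(error_line)
    if m is None:
        raise ValueError("not an OpenSSH key exchange negotiation error")
    return m.group("host"), m.group("port"), m.group("offer").split(",")

def choose_kex(offered):
    """Pick the least-bad legacy method the server offers."""
    # gss-* methods need Kerberos/GSSAPI and do not help a plain client.
    usable = [alg for alg in offered if not alg.startswith("gss-")]
    for alg in LEGACY_PREFERENCE:
        if alg in usable:
            return alg
    raise ValueError("server offers no method this helper knows about")

def host_block(error_line):
    """Build an ssh_config stanza limited to the host in the error."""
    host, _port, offered = parse_offer(error_line)
    # The '+' prefix appends to the client's default set instead of replacing it.
    return f"Host {host}\n    KexAlgorithms +{choose_kex(offered)}\n"

# Error line as quoted in the thread (the port is masked as "xxx" there).
SAMPLE = (
    "Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange "
    "method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,"
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    print(host_block(SAMPLE))
```

The same setting can be passed once on the command line as `-oKexAlgorithms=+<method>`; keeping it in a `Host` block avoids weakening negotiation with every other server.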

@PercyJackson35 said:
Anyone else getting “ssh target does not support password auth” when messing with ssh? Manually connecting asks for a password, hydra keeps erroring out…

A) See the comment below yours regarding setting the proper key exchange during negotiation; not sure if hydra supports those types of options?

B) You do not need to brute force services for authentication

C) PM me if you want hints

Finally got root. Alas, this box was far from being a fun experience. Sorry to say.

@nm0s0 said:

3x0z. There’s nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.

Thanks for the clarification. Not always safe to say what’s intended and what isn’t.

Any help in getting the root.txt? Been thinking of the comments here that you can get it without root privileges and you just need a command to get it. Hitting a wall here, need a push. Pls PM me. Thanks

finally got it… ■■■■… :slight_smile:

who keeps changing the f#cking password???

I was able to log in… now I’m wondering how to esc privs. I found directories that contain the user.txt but I can’t access them. Looking for a PM for a nudge in the right direction.

Has anyone got a complete nmap scan of this host they can PM me? Mine is either hanging at 99.99% or failing because of a reset.

Very close to giving up on this box after 2 solid days. Got user but for the life of me I can’t get root. Can’t even find the freaking root.txt file!!!

HELP!!! :slight_smile:

After 5 days of intense work I got root. I’m very happy because I learned a lot from this machine. I googled a lot to reach the target… often following wrong paths, but this also helps me to improve. When you do not expect it, the solution arrives, just do not get discouraged.
No exploit needed to get root. I suggest enumerating as much as possible, trying to understand as much as possible what a user can or cannot do… once you understand what you can do, you need to focus on this. Very interesting.

Fun box. If you are trying to modify some critical file, please consider that other people have not done privesc yet, and you may be closing doors.

Hello guys, can someone help me please? I enumerated 4 services and when I tried to connect over ssh I have this error: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 I can’t find the parameter to connect…

Can someone help me?

How can I get the password?

root :slight_smile: thank you all

I have a general question: how do people know the name of the user.txt file or root.txt file? Is there documentation for this box? Because I can’t find it, a document or PDF or something where I can read the problem or the name of the flags… How do people know how to find the file and the name of the file?

Takao

For user

Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username} on Linux machines and at the Desktop of the user on Windows.

For root
Type below the hash that is inside the root.txt file in the machine. The file can be found under /root on Linux machines and at the Desktop of the Administrator on Windows.

Solaris is like a unix, soo…