Hint for Sunday

11416181920

Comments

  • Got root.txt but no shell. Tried everything in the forum and other ideas I could think of by exploring the box. I realize some files in /etc/ can be overwritten but people have suggested a cleaner way is possible. Can anybody drop a hint for the cleaner solution?

  • Would anyone be willing to PM me their full scan results? The latency on this box is ridiculous and mine can never complete.

  • edited August 2018

    Got the second user, and on my way to root. I think I'm on the right path. Could I PM someone to check if it's correct?

    Vex20k

  • Can someone pm me the nmap results...tried 10times already never finishes....!!

  • @ccma40 said:
    On the note of enumerating the interesting services, can someone send me a pointer or two? I'm not sure if I can try the output of the tools I'm using right now due to the network issues

    Thanks,

    So...the network conditions were definitely not helping. Certain tools were having issues returning all their results which resulted in certain...interesting users not being returned.

    Frustrating.

  • edited August 2018

    running a certain metasploit scanner will return far more interesting results than nmap for users who are having stability issues...

  • @Hacklen I knew that was gonna be the pass but enumeration was my downfall. This is one of those where "enumerate and then enumerate" again was SERIOUSLY the case -_-

  • Could some one give me some hints as to what to do after getting in with a first user? I see a user text but dont have the user to get to it. Also not sure on priv esc. Thanks!

    Hack The Box

  • @Underworld said:
    Could some one give me some hints as to what to do after getting in with a first user? I see a user text but dont have the user to get to it. Also not sure on priv esc. Thanks!

    I would say lookout deep into the bottom and see what can u find.

    weezyboy

  • Lol fanks. Got user.

    Hack The Box

  • I got user and root but not shell (root), i found the password of root. I try to crack (john the ripper) the password but I could not.
    Someone can give me a hint to crack it.

    sckull

  • Yea I'm actually in the same boat. Pwned user and root, but didn't manage to crack. I'm guessing Hashcat might do the trick from reading various posts. I tried a bunch of wordlists but no luck.

    Hack The Box

  • Did someone change the password for the users? :| Come on!

    weezyboy

  • Any hints on initial foothold, i have enumerated all the ports, found users, using msf auxilary module, but can't use any of the users to login with.

  • Just got the root.txt. Keep things simple!!!

  • @nm0s0 said:
    Just got the root.txt. Keep things simple!!!

    DO you get the root shell?

  • @xxizocxx said:

    @nm0s0 said:
    Just got the root.txt. Keep things simple!!!

    DO you get the root shell?

    No, just the key. Nope, getting the root shell it wasn't my goal but if I have enough time I'll try for it. There is some popular method but on Solaris involve a command you can't execute.
    If anyone need some hints feel free to PM.

  • @mafioso1823 said:
    Any hints on initial foothold, i have enumerated all the ports, found users, using msf auxilary module, but can't use any of the users to login with.

    I was in the same boat so I feel you. The problem is that the enumeration of ports doesn't seem to be reliable. I had someone else run a scan with the same options and they got what I was looking for. Once you can get a true successful scan on all ports, you'll be moving on fast.

  • Just got root.txt. Enumeration is the key for initial foothold. Next don't break your brain on privesc and back to basics. Feel free to PM if needed

  • I think there is something f*cked up with the machine..
    Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    Anyone else has this problem?

  • Any one else getting "ssh target does not support password auth" when messing with ssh? Manually connecting askes for a password, hydra keeps erroring out...

  • @3x0z said:
    I think there is something f*cked up with the machine..
    Unable to negotiate with 10.10.10.76 port xxx: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    Anyone else has this problem?

    3x0z. There's nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.

  • edited September 2018

    @PercyJackson35 said:
    Any one else getting "ssh target does not support password auth" when messing with ssh? Manually connecting askes for a password, hydra keeps erroring out...

    A) See comment below yours regarding setting the proper key exchange during negotiation, not sure if hydra supports those type of options?

    B ) You do not need to brute force services for authentication

    C) PM me if you want hints

  • finally got root. alas, this box was far away to be a fun experience. sorry to say.

    hopihallido

  • @nm0s0 said:

    3x0z. There's nothing wrong. You should modify your ssh command options to use one of the offered key exchange methods with oKexAlgorithms.

    Thanks for the clarification. Not always safe to say what's intended and what isn't.

  • Any help in getting the root.txt, been thinking of the comments here that you can get it without root privilages and you just need a command to get it. Hitting wall here need a push. Pls pm me. thanks

  • finally got it... damn... :)

  • who keeps changing the f#cking password!!!!????

  • I was able to login...now i'm wondering how to esc privs. I found directories that contain the user.txt but I can't access them. Looking for a pm for a nudge in the right direction.

Sign In to comment.