Hint for Sunday

Hello, I am pretty new to this, I’ve followed a few of ippsec’s videos for retired machines and Jerry was the first active machine I managed to pwn without using a walkthrough. Having some trouble with Sunday though.

I ran nmap and found 2 open ports but haven’t found a way to gain access to the machine using those ports. I enumerated the users using one of the ports but don’t know how to proceed. I am currently running nmap on every single port (tcp&udp) on the machine but as expected it is taking quite some time.

Am I going in the right direction or am I wasting my time? Are there still ports that weren’t found with my initial scan? I realize now that enumerating the udp ports might be useless but I don’t want to restart the scan.

For people who are complaining about finding only two ports…try harder.
For people complaining about not finding where the user.txt is, think about how you can find the correct directory.
For people complaining about priv esc…realize there are other ways about going about it.
For people stuck on obtaining root, think about how you can enumerate further with that privileged user.

Finally got user & root

I got user, but, any tips for priv esc? maybe suid or another technique? pm please

I have a question: this is my second machine, I am at vip lab but when I was first started to work with Sunday, someone was in the machine already (u know what i mean), after I did reset machine, no one was seeming as logged in at machine and I couldnt find that username again with normal enumeration ways. My question is that: can I normally find that username with different enumerations (I have already found more than 2 ports open, but…)? or should I wait that user will log in to system automatically??? (Because without finding that username myself will be spoiler itself :slight_smile: )

can anyone give me nmap results for this machine mine is taking 4ever

Ok, I got root.txt, but should you also be able to access the box as root user? Could someone clarify that for me, please?

@Planetxort said:
For people who are complaining about finding only two ports…try harder.
For people complaining about not finding where the user.txt is, think about how you can find the correct directory.
For people complaining about priv esc…realize there are other ways about going about it.
For people stuck on obtaining root, think about how you can enumerate further with that privileged user.

Finally got user & root

In getting root, w**t is the program that will help me?

@Takao said:
In getting root, w**t is the program that will help me?

Yes, read through the options on the man page. Keep in mind that if a program errors, often it will give you information on what lead to that error.

Finally got user and root.

Tbh this machine is not that hard but people keep messing with the machine constantly, so the process was really slow and painful.

wget is not just for download, sometimes you can use it for upload with help of post method .

can i use rockyou to get through ssh?

nevermind, got it!

which word-lists did u use to crack the root’s password?

Any hint for privesc? i try many vectors…

Just rooted the box. It was fun and learned alot the simple things.

For priv esc just read the above comments .

After 1 hour I got the hash, now spending 2 hours just because people are messing with the box. Every time i log in the hash is either different or missing. At this rate cracking with hashcat is also impossible. Please PM me i need some help.

@Takao said:

@Planetxort said:
For people who are complaining about finding only two ports…try harder.
For people complaining about not finding where the user.txt is, think about how you can find the correct directory.
For people complaining about priv esc…realize there are other ways about going about it.
For people stuck on obtaining root, think about how you can enumerate further with that privileged user.

Finally got user & root

In getting root, w**t is the program that will help me?

I didn’t use a program

To all the people complaining about the nmap taking too long. Try redefining your parameters. For this box in particular, using what I always use didn’t work. If you’re confused to what I mean, think about how ports work. That’s all I can say without straight up giving it away.

@Planetxort said:
To all the people complaining about the nmap taking too long. Try redefining your parameters. For this box in particular, using what I always use didn’t work. If you’re confused to what I mean, think about how ports work. That’s all I can say without straight up giving it away.

Root flag obtained… Thank you all for your help!

I will try harder.

I got into the machine as the 1st user and found the 2nd user along with the user.txt file. I ran an enumeration script to see how I could escalate privileges to read the user.txt file and the only result I get tells me that I can s*** without a p***** but it’s not working as expected. I don’t want to spoil anything so if someone willing to point me in the right direction could PM me I can give more details. I’m just trying to get the user flag.