Ypuffy

I found usernames and hashes from LDAP, tried to authenticate against existing services found from scan – none are working. Tried to decrypt it with john/hashcat – no luck. Can someone PM me to help with initial foothold?

Spoiler Removed - Arrexel

@kecebong said:
I found usernames and hashes from LDAP, tried to authenticate against existing services found from scan – none are working. Tried to decrypt it with john/hashcat – no luck. Can someone PM me to help with initial foothold?

Same issue: I found the username and hash from LDAP, but can authenticate against the given services. I tried to decrypt but no luck. Can someone PM me to help with initial foothold?

thx

My question to @konobi and @kecebong is why are you trying to brute force it? Think about how you can use that information in another way.

Hi, got user, got certificates and saw a way to do things as someone else, but I'm not really familiar with the OpenBSD way of doing things. Could someone PM me, only for an exchange of ideas? Thank you!

@s1gnal thanks, stupid me tried to decrypt it for more than hours lol.
Finally can move forward :dizzy:. This is my 2nd Windows box in HTB, hope I can get to privesc!
Edit: I didn’t bruteforce it :), I was trying to decrypt it using john/hashcat.

@s1gnal

Yeah I know. I missed the right format (:)

Thx

Stop trying to brute-force boxes in general on HTB unless you KNOW that’s the intended method. Think about it, why would a box designer create something they know is going to take down the box for users? It’s a public box, there’s probably better options than (essentially) a DoS attack via brute-force. VERY few boxes require any sort of brute-forcing, and if they do, it’s usually pretty quick.

I would like to point out that my initial concept for this challenge was, while *nix based, pretty much OS agnostic. I actually settled on the OS I did because I haven’t seen it here and I thought some of the OS-specific stuff might give an interesting twist for the second flag.

I suppose there’s a feature that’s kind of mean for getting the first flag but hey, you got to properly enumerate! :grin:

I've got the user, can't get root.
I've noticed the cfg files in certain directories and have been somewhat successful in doing stuff with the web page but nothing really meaningful/useful, and can't seem to figure out where to go from here.
PM would be appreciated.

@AuxSarge said:
I suppose there’s a feature that’s kind of mean for getting the first flag but hey, you got to properly enumerate! :grin:

I was banging my head because of the “firewall” feature you have made, had to think of another way of getting that juicy detail. But again you left a clue about it… Was fun…

@kecebong said:
I found usernames and hashes from LDAP, tried to authenticate against existing services found from scan – none are working. Tried to decrypt it with john/hashcat – no luck. Can someone PM me to help with initial foothold?

Thanks, finally got root.

I got the user but am still stuck on root. I found an interesting file but I don't have the right access to read it. I used a command to execute cmd as a user on BSD but no way. Am I on the right path? Can anyone give me some hints?

This box has so much flavor. Simply Brilliant. Cheers @AuxSarge. Loved how things were put together.

I have two usernames and a hashed password, I have tried using the password in different ways and get the "not enough " one of the ways. 3 hours now and I feel it’s taking me a lot longer than it should at this point. Hopefully, I’m going in the right direction.

Read my post on page 3

@kecebong said:
Edit: I didn’t bruteforce it :), I was trying to decrypt it using john/hashcat.

I think you’re mixing terminologies. Hashes can’t be decrypted as they are not truly encryptions. They are hashes. The only way to get them IS to brute force them. Using a wordlist just limits the guesses, and not using one lets your machine make all the guesses it can make up, or brute force.

Wow. This box gave me a literal headache. One concept I had to learn. Very fun box. Props @AuxSarge

@hmgh0st said:

@kecebong said:
Edit: I didn’t bruteforce it :), I was trying to decrypt it using john/hashcat.

I think you’re mixing terminologies. Hashes can’t be decrypted as they are not truly encryptions. They are hashes. The only way to get them IS to brute force them. Using a wordlist just limits the guesses, and not using one lets your machine make all the guesses it can make up, or brute force.

:+1: Yeah, noted. Thanks!