Carrier

@AuxSarge said:

@opt1kz said:
I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

Thank you for this. I have been scratching my head for too many minutes.

@taytay said:

@0xlc said:

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

did you find the doc? it seems we need to get default user/pwd from the chassis but enumerating with common tools and wordlists didn’t work out for me

I have found a few documents yes, still not able to find any chassis that it refers to. i’ll pm you.

same boat

hint on login creds…?

Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

@sakyb said:
hint on login creds…?

something on some open ports… NOT on the TCP range

@Kykli said:
Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

try a different rev shell :wink:

@0xlc said:

@Kykli said:
Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

try a different rev shell :wink:

Have tried so many ways already and nothing is working :astonished:

any hint after rce …? got the Shell!

@sakyb said:
any hint after rce …? got the Shell!

Same boat.

Found some IPs and found a service running on one of the IPs. Logged in to the service, but there is nothing. Any hint…?

Hint for everyone looking for privilege escalation tips: If you enumerate the LAN, you’ll find several other nodes. You’ll notice they all have the same service running on them. That service, plus the original value of the parameter from the RCE step, plus the diagram you found during enumeration… A bit of Googling with these things in mind should lead you to an attack vector.

@23Y4D said:
@Underworld said:
I got user. And I got a private key. However when I try to ssh in, it asks me for a password. I assume the key has a password on it as well?

Dumb question - BUT I'M LEARNING :bleep_bloop:

The private key you have is not exactly in the Carrier IP.
Check ifconfig on the machine…

Thanks!

Finally got user, root seems to be pretty hard.
PM me if you need hints for user though.

can someone PM on root, I can see the other things connected to the thing I'm on. not knowledgeable enough on b*p to see the attack vector

@badman89 same here… waiting for the answer on root

@sakyb I've been looking at this ■■■■■■■ for a while now

@sakyb said:
@badman89 same here… waiting for the answer on root

Stuck at the same place.

EDIT: Just reading back through the thread, must have missed the private key.
EDIT2: Can’t find them

Is it possible to connect to this box via ssh without the need to change any config files? I’ve found keys in usual location but they don’t work. It’s a real pain in the ■■■ having to RCE again and again after each reset. Also limited shell from RCE is painful.

@msolnicki said:
Is it possible to connect to this box via ssh without the need to change any config files? I’ve found keys in usual location but they don’t work. It’s a real pain in the ■■■ having to RCE again and again after each reset. Also limited shell from RCE is painful.

which keys did you find? those in authorized keys? they are public, of course they are not gonna work

which keys did you find? those in authorized keys? they are public, of course they are not gonna work

Obviously I didn’t mean pub key from authorized_keys. I’ve found private keys but it seems they are password protected.

@msolnicki said:
Is it possible to connect to this box via ssh without the need to change any config files? I’ve found keys in usual location but they don’t work. It’s a real pain in the ■■■ having to RCE again and again after each reset. Also limited shell from RCE is painful.

Agreed, I was trying to find a way so I didn’t have to go through the first step if someone reset during the day

@Underworld said:
Agreed, I was trying to find a way so I didn’t have to go through the first step if someone reset during the day

If someone resets the box, you’re going to have to go through the first step again no matter what, aren’t you? Or am I misunderstanding what you guys are saying?

Also the SSH thing is completely unnecessary overkill. Just have it download a statically-linked ncat/socat/whatever from your machine and then use it to connect back to your listener. This can all be done in literally one line/request.

Spoiler Removed - Arrexel