Which keys did you find? Those in authorized keys? They are public, of course, and are not gonna work.
Obviously I didn’t mean the pub key from authorized_keys. I’ve found private keys but it seems they are password protected.
The private key doesn’t seem password protected to me. If it were, the prompt would ask for the key passphrase - not password.
The password prompt appears because the private key you found is not valid to be used on the server and your login attempt falls through to regular password-based authentication.
@Skunkfoot said:
For people who are struggling, it’s possible to obtain a full reverse shell with a normal one-line command, you don’t need to upload an msfvenom shell or anything like that (although that may work as well).
I struggled with this until I realized I had a typo in how I was injecting my one-line command.
The private key doesn’t seem password protected to me. If it were, the prompt would ask for the key passphrase - not password.
The password prompt appears because the private key you found is not valid to be used on the server and your login attempt falls through to regular password-based authentication.
You are probably right. Although I tried adding the pub cert from this location to authorized_keys, and then using the priv key pair to log in - in theory this should work but it didn’t. That is why I assumed they are password protected. Anyway I’m going back to the drawing board with my RCE one-liner as other people suggested.
Probably not a good box if you are new to this kind of thing, especially the priv esc - which was very clever and completely kicked my ■■■. Great box, @snowscan, thanks for creating it.
I really am stuck at where I think I have to hk $target using “a particular method” (don’t want to spoiler here) but I can’t figure out how to actually do that. I read tons of stuff about $method, but it all seems to be just pretty vague - basically everyone is just saying "yeah if $rogue does ‘something’ then you h**d $target" but if I do exactly that, then traffic to $target is no longer working. Would be nice if anyone could hook me up with some practical examples of how to do it so that $target stays available but I get to see the “the good stuff”.
@darkkilla said:
I really am stuck at where I think I have to hk $target using “a particular method” (don’t want to spoiler here) but I can’t figure out how to actually do that. I read tons of stuff about $method, but it all seems to be just pretty vague - basically everyone is just saying "yeah if $rogue does ‘something’ then you h**d $target" but if I do exactly that, then traffic to $target is no longer working. Would be nice if anyone could hook me up with some practical examples of how to do it so that $target stays available but I get to see the “the good stuff”.
Amazing post! I’m at exactly the same point as you. And I don’t have a full knowledge of $method commands/actions in order to see good stuff keeping traffic to $target.
@farid007 said:
I found port 1*1
I enumerated it
I couldn’t detect anything
Help
Did you get some data from enumerating that particular service and did you enumerate the web server? Because that way you might find some interesting loot to get further.
I found some directory
I found doc directory
I couldn’t find chassis serial number
Earlier on you said you found a specific port and enumerated it. You didn’t get any data out of it? Because you should’ve gotten something from that.
Ehh, rooting this box is ■■■■ near impossible. Not only is it a hard challenge, but also, due to everyone fiddling with b** at the same time, you can’t test ■■■■. Reset doesn’t help much; seconds later all routes get fucked up, configuration changes and there is no way to sort this mess.