Carrier

I got some information from that port 1*1 while enumerating
but I didn’t get the chassis serial number

can someone drop me a hint or some reading material to get inspired for privesc (I think it has to do with q***** and b** but I’ve never used it).

@farid007 said:
I got some information from that port 1*1 while enumerating
but I didn’t get the chassis serial number

PM me and show me what data you found on that port, maybe then I can give you a hint in the right direction without spoiling.

Ehh, rooting this box is ■■■■ near impossible. Not only is it a hard challenge, but also, due to everyone fiddling with b** at the same time, you can’t test ■■■■. Reset doesn’t help much; seconds later all routes get fucked up, configuration changes and there is no way to sort this mess.

Rooted! Really nice box.

Could anyone that has rooted it PM me to discuss the other stuff that you find with the flag, please?

Could someone PM me with a hint as to what to look at first for privesc? You don’t know what you don’t know :slight_smile: What to look for for reading material would be good too.

I was going to do some pcap.
Tried logging into FTP. Will have another go at this.

Many thanks

@Underworld said:
Could someone PM me with a hint as to what to look at first for privesc? You don’t know what you don’t know :slight_smile: What to look for for reading material would be good too.

I was going to do some pcap.
Tried logging into FTP. Will have another go at this.

Many thanks

As a start, re-read the ticketing system pages. I think there are lots of hints there (but it is something I am rubbish at so I think an attempt I’ll have to privesc will need lots more research).

Once I lost my shell I had to reset the machine to get back inside (I am on VIP). Upgrading to a meterpreter shell was the solution that kept me safe.

@darkkilla said:
I really am stuck at where I think I have to h****k $target using “a particular method”

Forget my earlier request, I’ve popped root. :slight_smile:

Got the user but stuck on privesc.
I know it’s a multi con****** box; found the 2 other addr but there is only one service on those con*****rs.
From the picture I see the situation, but how can I find the port running the web server?
Can anyone PM to discuss it, plz?

what. a. pain. but finally root.

This is killing me. I feel like I have an idea how to progress but not only can I not seem to get it to work, but I’m not even sure it makes sense any more.

This is an awesome box. If I ever get root, I will have learned a lot.

Thanks @snowscan, but I am not sure if I hate you or not :smile:

@TazWake said:
This is killing me. I feel like I have an idea how to progress but not only can I not seem to get it to work, but I’m not even sure it makes sense any more.

This is an awesome box. If I ever get root, I will have learned a lot.

Thanks @snowscan, but I am not sure if I hate you or not :smile:

DM

Does this require any specialized tools or scripts once you’re connected or can it be accomplished with standard bash commands?

@Skunkfoot said:
Does this require any specialized tools or scripts once you’re connected or can it be accomplished with standard bash commands?

I used a static version of nmap, it’s not 100% required but still helps a lot.

Rooted after 2 days. Nice work @snowscan, learned a lot from this machine

@Skunkfoot said:
Does this require any specialized tools or scripts once you’re connected or can it be accomplished with standard bash commands?

I wrote a simple bash script for that.

Finally had the time to work on privesc. New stuff comes to HTB and that’s a very good thing!
I think the last step is quite contrived anyway.
Thanks snowscan :slight_smile:

Finally rooted :slight_smile: It took a while mostly because it was really hard to figure stuff out with routes constantly changing, people messing with b** etc. But it was a great challenge anyway, I feel really proud of myself :smiley: Thanks @snowscan!

OK, can I ask for some help with the reverse shell? I will explain in PM where I am at so as to not ruin it for anyone, or “repeating” what others are saying…