Hawk

Rooted it, very fun machine, had a great time, ping me up for hints :slight_smile:

Hi guys, I can read files as the root user using the webshell but I am failing to get a real shell. Anyone able to assist?

Anyone willing to assist with syntax to brute force the .enc file, please PM if you have some time.

Someone help me with priv esc. Got the service. Don’t know how to log in.

Can someone help me with the initial foothold? I can’t seem to find my way in. I have tried enumerating the webapp but nothing is coming to me and I can’t find a file on the F** service. Please PM me.

Decryption of this file is crazy… can anyone give a slight nudge? No RCEs are working for me either… I initially got one to work, it died immediately, and I can’t even get it to work again with a different payload?.. What’s up with this box?!

Alright… got the file, decrypted, got the info from the file. Access to web instance… anyone able to nudge me on getting the user flag? PM if you can.

Finally rooted. It took a long time. First I wasted a lot of time trying to crack the ***nc file with tools found online. Eventually made my own script and it was cracked within seconds…
The poison hint was a strong one, but I focused on the wrong port for a while…
After finding the right one these two hints helped a lot.

@void124 said:
Rooted. For those of you that have a problem with last step of privesc, if you are looking on the login page of interesting service and you also have Poison like access… The login process could be very trivial if you don’t focus only on the login credentials but also on the referenced file. Ask yourself, is url in form referring to something, what actually exists? If it is not, can we change that?

@loopspell said:
Search for manual exploitation of known vulnerability related to console on Google

Okay, this config file: I don’t know where you guys are finding a password in plain text; I’ve looked through enum scripts; did lots of manual enum; like lots and lots of manual enum… grepped everything for ‘pass’ or ‘password’ also; find / -name “config”/“password” etc. etc… went back to my nmap… looked through all the directories disallowed… I’m just like… lost, where is this plain text password… someone said it was straightforward… O.o …

I can’t tunnel without some ssh cred action… used curl to check out the H2… but I can’t do anything with it.

…at least from my current understanding… help guys?

@drUIdmoz said:
Okay, this config file: I don’t know where you guys are finding a password in plain text; I’ve looked through enum scripts; did lots of manual enum; like lots and lots of manual enum… grepped everything for ‘pass’ or ‘password’ also; find / -name “config”/“password” etc. etc… went back to my nmap… looked through all the directories disallowed… I’m just like… lost, where is this plain text password… someone said it was straightforward… O.o …

I can’t tunnel without some ssh cred action… used curl to check out the H2… but I can’t do anything with it.

…at least from my current understanding… help guys?

I hope this isn’t too much of a spoiler. But maybe you should check where the config settings are stored for the CMS this server is running.

I found user d**** in SSH
But for the password I used a 10M pass list but can’t find any
Also no Drupal exploit works
Any help
or passlist hint

@Phrenesis2k said:

I hope this isn’t too much of a spoiler. But maybe you should check where the config settings are stored for the CMS this server is running.

I have to be looking right over this, or right at it… but I’m just not seeing it.

@drUIdmoz said:

I have to be looking right over this, or right at it… but I’m just not seeing it.

I’ve sent you a message.

What…I am slow, but I got it…now to get faster…root is done

Finally decrypting the .enc file is done, but then what?!?!

I have tried to log in to the web interface and/or ssh with default usernames and the found password but no luck!! Is that password maybe wrong? But I have tried all types of d***** in that tool during the decryption process and I found just one password.

What is happening ? :anguished: :frowning:

I’ve learnt a lot thanks to this box! If I can give you some advice concerning privesc: don’t overcomplicate it. Feel free to PM if you need help!

Having some trouble with the file you get from f**. I know what it contains, and I’ve done the first step, got the tool that everyone is talking about, but I don’t know the encryption type, so I made a bash script to recursively go through each one. The script runs, but it’s stopping after checking the very first algorithm.

Can someone take a look at my bash script and see if they can figure out what I’m doing wrong?

EDIT: I figured it out. I put in a break and it was halting the script after the first algorithm! :smiley:

Nice machine, had fun creating my own script for the decryption part because most of the tools weren’t working. A bit disappointed for privesc…

This was a great machine, thanks for creating one that was a challenge each step of the way. Good stuff! ::rootdance!::