@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that previous ‘it’ were removed. Surely I missed something. @avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.
You are right, it was at the man page. Just didn’t check for the right keywords.
Thanks.
@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.
So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.
@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.
So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.
Of course, but in my case I was looking for hints on getting user1.
No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.
So apparently you may have used the tool I was referring to on Frolic, or you may have done it a completely different way. Sorry if that led to any confusion for people. I try to give subtle, logical hints that don’t reveal any direct spoilers, but admittedly, I’m not the best at it.
Just think that there is a vulnerable service running on the box. Finding (with nmap) an encrypted password is not necessarily a vulnerability. That being said, try to explore the service vulnerability instead of losing time with brute force.
I’ve ssh’d in as you should, can see 2 accounts, but I’m lost at what to do next? I’ve run nmap scripts related to the box name, but have nothing to work with. Looking for a nudge.
I’m super confused. How do you decrypt the hashes found for both users? Or is decrypting them even necessary? I tried using these hashes as ssh passwords but they’re not accepted. A pointer would be appreciated!