Lightweight

@mrflibbleoz said:
Been trying to bruteforce for a whole day using assorted wordlists etc. with no luck. Am I missing something?

Bruteforcing is a rabbit hole, though accounts are useful. You should think about a different approach to get the passwords.

@prokaryont said:

@Uvemode said:
Got root and all, but I’m curious, how exactly?
‘It’ was blank, therefore shouldn’t be able to do anything special. I checked and blank means nothing, even with those ending flags, except that previous ‘it’ were removed. Surely I missed something.
@avetamine
There is a C function that translates a textual representation of what you can do into a binary one. In the man page there is also a section about what it means when ‘it’ is blank.

You are right, it was at the man page. Just didn’t check for the right keywords.
Thanks.

Yes thanks for the insight @prokaryont

@mitoOo said:
any hints for root privesc???
cracking ba****.***

Once you crack that file and read the contents carefully, it should be straightforward. PM me if you need help

@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.

@TazWake said:

@epsequiel said:
I’m a bit disappointed. After I got user1 it took me less than 5 minutes to get root. But that’s not because I’m a good pentester but because the ‘hints’ in the forum were almost a spoiler.
When I got user1 I already knew what to do to get root. I don’t feel I cheated because in the end I had to understand and know what to do but I do feel I was spoiled a little.

So, as a tip, maybe you shouldn’t read through the forums if you don’t want the hints.

Of course, but in my case I was looking for hints on getting user1.

Any hints for the o****** part? Struggling to figure out a solution.

@rufy said:
Any hints for the o****** part? Struggling to figure out a solution.

NVM. Got it. Fun box with lots of new things to learn!

@Skunkfoot said:

@Baikuya said:

@Skunkfoot
It helps if you’ve completed Frolic.

Don’t you mean Waldo?

No, I meant Frolic, but completing Waldo will help too for a different part, so that’s a good point.

So apparently you may have used the tool I was referring to on Frolic, or you may have done it a completely different way. Sorry if that led to any confusion for people. I try to give subtle, logical hints that don’t reveal any direct spoilers, but admittedly, I’m not the best at it.

Anybody got root shell? I got root.txt but can’t get a shell. I’ll appreciate any hints.

@epsequiel said:
Anybody got root shell? I got root.txt but can’t get a shell. I’ll appreciate any hints.

It’s not that hard to get a root shell, if you can read root files maybe you can even write them :wink:

Ahh what fun that was :slight_smile:

Someone who wants to talk about the way he got user? I was able to get user but unable to do it again… Something I am missing

Hoo, these hashes are frustrating me. Thought I knew what to do, done it, looked better, but nope.

Just think that there is a vulnerable service running on the box. Finding (with nmap) an encrypted password is not necessarily a vulnerability. That being said, try to explore the service vulnerability instead of losing time with brute force.

Cheers

I’ve ssh’d in as you should, can see 2 accounts, but I’m lost at what to do next? I’ve run nmap scripts related to the box name, but have nothing to work with. Looking for a nudge.

Nice box! After having the user.txt and the root.txt the icing on the cake was getting a root shell :slight_smile:

Rooted after a long time trying and failing to get root. If someone needs help, PM me! Always glad to learn other ways and help others!

Ps: No solution given!

I’m super confused. How do you decrypt the hashes found for both users? Or is decrypting them even necessary? I tried using these hashes as ssh passwords but they’re not accepted. A pointer would be appreciated!

Never mind, I’m an idiot. Didn’t need to decrypt