Lightweight

Rooted after a long time trying and failing to get root. If someone needs help, PM me! Always glad to learn other ways and help others!

Ps: No solution given!

I’m super confused. How do you decrypt the hashes found for both users? Or is decrypting them even necessary? I tried using these hashes as ssh passwords but they’re not accepted. A pointer would be appreciated!

Nevermind I’m an idiot. Didn’t need to decrypt

I’ve rooted the machine, but I had a question. Does anyone know why ps wasn’t outputting all processes? It was only returning the processes for the current user. What is limiting the results for ps here?

@Glasgow said:
I’ve rooted the machine, but I had a question. Does anyone know why ps wasn’t outputting all processes? It was only returning the processes for the current user. What is limiting the results for ps here?

se-lin*x

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

Care to elaborate? I’m stuck here myself.

@tiger5tyle said:

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

Care to elaborate? I’m stuck here myself.

Pretty self-explanatory, no elaboration should be required… Don’t overthink it.

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

I’m still an idiot I guess! I can see that it is encoded and can decode it to see the salt and hash, but I cannot see any way to “pass the hash”. I don’t have a lot of experience with LD** though. Any hints here?

Edit: Wow, user wasn’t THAT straightforward but the only hint I will give is don’t bother with the hashes. Like, at all.

@1NC39T10N said:

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

I’m still an idiot I guess! I can see that it is encoded and can decode it to see the salt and hash, but I cannot see any way to “pass the hash”. I don’t have a lot of experience with LD** though. Any hints here?

Maybe… it is not a hash? :)

@1NC39T10N said:

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

I’m still an idiot I guess! I can see that it is encoded and can decode it to see the salt and hash, but I cannot see any way to “pass the hash”. I don’t have a lot of experience with LD** though. Any hints here?

Ohhhh I see what you’re talking about. You’re getting tunnel visioned on the wrong hash like a lot of people did. Disregard that hash (crypt), it won’t help you.

@tiger5tyle said:

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

Care to elaborate? I’m stuck here myself.

You two are talking about two completely different strings, that’s where the confusion comes from.

@1NC39T10N said:

@nergalwaja said:
Nevermind I’m an idiot. Didn’t need to decrypt

I’m still an idiot I guess! I can see that it is encoded and can decode it to see the salt and hash, but I cannot see any way to “pass the hash”. I don’t have a lot of experience with LD** though. Any hints here?

I’m at the same place… have no idea what to do with the information I have now; Google isn’t being very helpful in figuring it out.

EDIT: Ah… Got root now. ok.

Guys, pay attention to this post. A lot of people are getting hung up on this one detail (I did at first as well).

If you find salted hashes on this box, they’re useless. Forget about them and move on, continue your enumeration.

You two are talking about two completely different strings, that’s where the confusion comes from.

This is why I asked for elaboration. I wanted to know if the strings there had any relevance.

If you find salted hashes on this box, they’re useless. Forget about them and move on, continue your enumeration.

Cool. That’s what I was trying to find out. This is a lot more helpful.

Rooted :)

Great machine!!

Recommended to learn about LDAP and Linux capabilities.

PM for hints ;)

Curious what tools everyone used to crack the password on the ba****.7z file. Apparently I haven’t cracked many .7z compressed files. I’m on a non-GPU Kali VM so john is my de facto, but I cannot get the hash into an acceptable format.

Nothing specialized. Script with a wordlist.

7z brute script

@1NC39T10N said:
Curious what tools everyone used to crack the password on the ba****.7z file. Apparently I haven’t cracked many .7z compressed files. I’m on a non-GPU Kali VM so john is my de facto, but I cannot get the hash into an acceptable format.

Did you try 7z2john.pl? Worked for me.

There was a rather broadsided hint to RTFM after you get to initial user. If I read all of that, will I be able to get to root? I took the next step and now I’m scratching my head over o*******. I’ve worked with **** but this crypto bit has a lot of pieces to fit together in order to get a “clear” picture of the “new capabilities.”

Edit: Man, I have a talent for getting into fascinating rabbit holes.