Chaos

Right, I have the creds, I can see the logon form for wm*. Creds don’t work, is this intentional…

Anyone fancy giving me a nudge?

Update: DNS was slightly off…

Now to work out how to decrypt the message…

I’ve found wp* and wm* but can’t find any credentials anywhere. I’ve enumerated using gobuster and dirb, tried hydra, but am unable to identify credentials for either of these services. Someone previously mentioned that they are right there in front of you but viewing the source of the pages, words on the pages, etc. have not been helpful. Could someone provide some guidance on other tactics I may be overlooking or a bit of direction?

@frankg said:
I’ve found wp* and wm* but can’t find any credentials anywhere. I’ve enumerated using gobuster and dirb, tried hydra, but am unable to identify credentials for either of these services. Someone previously mentioned that they are right there in front of you but viewing the source of the pages, words on the pages, etc. have not been helpful. Could someone provide some guidance on other tactics I may be overlooking or a bit of direction?

One of the things you’ve found is very common and a bunch of tools exist to enumerate aspects of it. If you do that, you’ll find some additional information which may be helpful.

Anyone able to provide some resources or help with decryption? I’m not a python guru so any help would be great.

Hi all. I am still battling with the credits for the user. I don’t know what I am missing. I did dirbuster, dirb and I am missing the credits. Please PM me. Thanks

Do you get the same results if you dirb ip address and dns name?

@Sh11td0wn said:
Do you get the same results if you dirb ip address and dns name?

And DNS name is? I tried with ping -a, nslookup and nmblookup and I didn’t have luck :confused:

When I say DNS name, I mean adding chaos.htb pointing to its IP address in your hosts file.

Cheers

@masterrabbit said:
Anyone able to provide some resources or help with decryption? I’m not a python guru so any help would be great.

There’s a pretty helpful message in this thread from jkr. The first time I did this, I just wrote python decryption code by more or less reversing the encryption code (there are probably a few gotchas and you’ll need to understand how the mode which is being used works). As someone else mentioned, it’s also possible to do this without writing any python code using the standard commandline tool for encryption/decryption stuff on *nix boxes. In that case, you’d also need to understand enough about how the encryption works to specify the correct parameters to decrypt, though. Lastly, some people have mentioned finding useful things online. When I find myself needing to write code to do something and I don’t know how to do that, I can often find examples online if I look hard enough.

Thanks,

I was able to use the power of Google and a couple of lines in the py and get something super helpful…

I now have a shell as www and am trying to enumerate to get user

Struggling to get from rev shell to a user. Anyone able to provide a bit of direction?

@frankg said:
Struggling to get from rev shell to a user. Anyone able to provide a bit of direction?

Know anyone who uses the same password everywhere? :wink:

User:
You can access with domain name? Good to know you can access it.
Think how you enum webpage like other machine :wink: (gobuster)
Found a post with password? The password is in front of you.
Got the creds? Nice, look at nmap result.
“I dont have time to finish it… i’ll save it as draft”
Python is not really your language? Time to make Google FUNCTION again.
Got a shell? Got the password already. Restricted? Check out this link (posted before).

Root:
Take a look at the hidden folder.

@isitme those are actually really good hints! Looking beyond the initial user access I found this box to be really enjoyable, especially getting root was fun.

Anyone able to provide some better hints for root. I am in the application folder. In a sea of files and have no idea where to turn…

R.O.O.T.E.D

what a pain in the ■■■■.

Happy to help but I’ll drop a note on here with hints in a bit.

Rooted.

Box was really fun IMO. Thanks @sahay . My first introduction to the RCE.

User: Enumeration is important as with all machines. gobuster is your friend. DNS is your friend. Cewl is a cool tool (probably too much work in retrospect but I didn’t know creds were right in front of you).
Once you find some stuff, move onto some of those services in your initial scan. Understand the protocols and what they need. I used CLI for this… then realized I could have used a GUI to make my life easier. I learned a lot using the CLI though.
Once you find something interesting in those services… Google is your friend. No need to be a programming guru. Just google and common sense.
Last step for user. You already hold the answer to your problems. I went 3 hours being a noob :).

Root. There is a shell escape link being passed around these forums, use it! For privesc, think of a real workstation used by an everyday user. There are applications they use all the time. Think of those applications and what data they could hold. There’s a common theme with this user. The dude is lazy. We can leverage that. Hidden files will trip you. Be thorough in your searches and once you think there is a lead… GOOGLE-FU that ■■■■.

Lastly,

There are plenty of hints in these forums to get you by. Shoutout to the help by those folks.

To return the favor, PM if you need a nudge.

Finally got user on this box. What a pain in the backside compared to some other boxes I’ve popped.

Great hints on this thread and props to albertojoser and masterrabbit for their help and hints on the trickier parts - respect given :wink:

Going to take a short break then come back to try for root!

Spoiler Removed