Ypuffy

Nice environment. This was a fun box. As hints.

User

Enumerate the open ports. Especially the one that allows anybody to touch it. You will find juicy credentials that you can use. Credentials are not always used in cleartext, so think about using them in another way. Then google the file extension that you find, and then you will know what to do in order to have a stable connection.

Root

In my opinion it is a sad thing that root can be obtained with a “0day”. And I call it 0day because it was published in October 2018 (along with related CVE ****5) after the machine's release. It’s like a walk in the park with that. I admit I use it, but I also admit that I will do the intended way as well (at least I know what to obtain and why, but there is a long series of commands). In the end, the scope is to learn mechanisms and implementations.
Cheers to all and creator as well!

If someone needs help with user just PM. Now onto root.
Edit: can sign stuff, the only thing I could log in with with the signed cert was the user bob. I don't understand what to do next. Care for a nudge? :^)

User was not that difficult. Although everything was pointing towards a combination of services to get to root, I never figured it out. The 0day rescued me! :sweat_smile: :+1:

(9) It was like 4 days
learned a little bit of ldap, smb…

Is there anyone that can help me with s*****t connection syntax?

Excellent challenge. Learned me some new things about certain protocols.

For people who are stuck on the correct st syntax or think they miss some information…there is a tool called crackmapexec. This can be used in combination with the found username and h**h to scan an entire network. In this case only the target.
But the output will help with getting the st syntax correct.

Hope that helps for people who are stuck at the first part.

Still need help…when online, I’m always in for a PM.

I would appreciate a PM on getting user. I have user and hash but can't get much farther than that.

I am still banging my head… I can log in as al******* and b1, but when it comes to usa I got a Permission denied publickey error. I understand that I need a particular option when generating the file. Is it related to where I can connect from? Is it in a s*l file located under the b*****1 user? The log file is not too verbose, so I only see that the command ran successfully.

Ok, I have user. But I am stuck on priv esc. Can't seem to figure out getting b****1

Finally got it both the intended and the “0day” way.

Because there is a lot of info on getting user, I only want to share my experience of getting root.

So it could be a real nightmare for days. But just check the s**d config file and be sure to understand the whole process. Check all users' home folders and if you find something interesting, note it. Then play with the url, try with combinations (you only need to change one parameter :wink: ). If it doesn’t work, try to reset the machine.

Rooted… it's not that hard, but you have to observe things.
If anyone needs help, ping me personally.

@0daysru said:
Got user, but need some help with priv esc. I know how to start gen with d and can create some files. Also I know how to print to screen p***e k via stdout as a file, but what about pc k**? How to save it in a right directory? Or, maybe, it is a wrong way?

I’m stuck at the exact same point as well. Any assistance would be greatly appreciated. Please PM me if you can lend a hand putting it all together.

Rooted this machine. If anyone needs help, feel free to PM :slight_smile:

Got root. Interesting machine, learned a lot with this one.
Didn’t know that the hashes can be used in such a way to make a connection. Cool! :+1:

Rooted at last. Wow, this was an amazing learning experience. I would recommend not taking the easy method for root, i.e. not being a script kiddie, and doing it how it is actually intended. Trust me. It'll take some time but you'll learn SOO MUCH MORE.

PM me if anyone is stuck anywhere.

PLEASE PM HELP ME.

Please :(((

Thank you. I used msf (ex/win/psex…)

Enumerated l**p, found 2 users and a hash. I know which tool to use (s*******t), which options, but still can’t log in because of the syntax.
If someone could help me with it, thanks in advance!
EDIT: got user, on my way to root!

Rooted the machine with the unattended LPE exploit.
Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-***n and also got my files… but every time I tried to login in a different user-account I would receive the pu****k error.

@Ac1d0 said:
Rooted the machine with the unattended LPE exploit.
Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-***n and also got my files… but every time I tried to login in a different user-account I would receive the pu****k error.

Makers have no control of published machines. The admins decided to leave it as is.

I read privatekey /home/userc_/c_

How to get r00t via s** localhost

Please PM help me. Thank you so much.