Ypuffy

rooted this machine if anyone need help feel free to pm :slight_smile:

Got root, Interesting machine, learned a lot with this one.
Didn’t know that the hashes can be used in such a way way to make a connection. Cool! :+1:

Rooted atlast. wow this was amazing learning experiance. I would recommend not taking the easy method for root i.e. not being a script kiddie and doing how it is actually intended. trust me. itll take some time but youll learn SOO MUCH MORE.

PM me if anyone is stuck anywhere.

PLEASE PM HELP ME.

Please :(((

Thanks you. I used msf (ex/win/psex…)

Enumerated l**p, found 2 users and a hash. I know which tool to use (s*******t), which options, but still can’t log because of the syntax.
If someone could help me with it, thanks in advance !
EDIT: got user, on my way to root !

Rooted the machine with the unattended LPE exploit.
Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-***n and also got my files… but every time I tried to login in a different user-account I would receive the pu****k error.

@Ac1d0 said:
Rooted the machine with the unattended LPE exploit.
Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-***n and also got my files… but every time I tried to login in a different user-account I would receive the pu****k error.

Makers have no control of published machines. The admins decided to leave it as is.

I read privatekey /home/userc_/c_

How to get r00t via s** localhost

Please PM help me. Thanks you so much.

@AuxSarge said:

@Balzabu said:
Rooted the machine with the unattended LPE exploit.
Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-***n and also got my files… but every time I tried to login in a different user-account I would receive the pu****k error.

Makers have no control of published machines. The admins decided to leave it as is.

Well, it sounds a little bit stupid since the root part you’ve created can be “bypassed” with this but…who cares? People interested in studying will not use this metod :pensive:

p.s : i managed to exploit the machine the way you intended ;D

have not been able to find the correct syntax for sm*****t to connect to the service for 3 hours using the a*******8 and the hash, have read all docs page for the tool but cant get it to work. can someone direct me? PM please

Can someone PM me a hint I’m stuck on S**C****T command. I have 2 users, hash, not quite sure where to go from here but I know I’m close…

I’ve been stuck on this for ages now. I enumerated l*** and I am connecting into s*******t. Here I can see the working directories but it won’t connect to the server. What am I missing?

EDIT. Found the problem.

Rooted ! Cool box Learn another one. I used the other one that people talking about is way much easier. anyone want to share how the other attack implemented?

For User once you have the creds just use the extra command . Thanks to wish.

For root just follow what other tips here have been giving.

Root was easier than user if you know what others are talking about :slight_smile:

Whelp… user was easy. Got that in about 30 minutes. Now for root!

my command for root doesnt work, could someone help me ?

i logged in with PUTTY but keep loosing the connect after every minute, is it normal?

If you can make the c*** with the s**-*****n command and principal, it has to have a name like -cert.pub. If it isn’t, the authentication will fail.

I like to put stuff from htb names like ‘blah’. … and that gave me a headache when I tried to figure out why the priv esc didn’t work.

Hope this isn’t spoiler :slight_smile:

when I ssh to it, I got error “permission denied (publickey)”. Any hint? Thanks.

user hint: If anybody is having problems with s******nt syntax Using smbclient

This is what got me over the hump, hopefully someone else will find it helpful as well.

@jojiang said:
when I ssh to it, I got error “permission denied (publickey)”. Any hint? Thanks.

same problem i’m having.