Ypuffy

Comments

  • edited January 2019

    I'm at the last 5% and keep hitting an error about the p*****_**y. Anyone for a PM to check with my findings?

  • Nice environment. This was a fun box. As for hints:

    User

    Enumerate the open ports, especially the one that allows anybody to touch it. You will find juicy credentials that you can use. Credentials are not always used in cleartext, so think about using them in another way. Then google the file extension that you find and you will know what to do in order to have a stable connection.

    Root

    In my opinion it is a sad thing that root can be obtained with a "0day". I call it a 0day because it was published in October 2018 (along with the related CVE ****5), after the machine's release. It's like a walk in the park with that. I admit I use it, but I also admit that I will do the intended way as well (at least I know what to obtain and why, but there is a long series of commands). In the end, the scope is to learn the mechanisms and implementations.
    Cheers to all and creator as well!

    clarkkent

  • edited January 2019

    If someone needs help with user just PM. Now onto root.
    Edit: can sign stuff, the only thing I could log in as with the signed cert was the user bob. I don't understand what to do next. Care for a nudge? :^)

  • User was not that difficult. Although everything was pointing towards a combination of services to get to root, I never figured it out. The 0day rescued me! :sweat_smile: :+1:

    sx02089

  • (9) It was like 4 days.
    Learned a little bit of LDAP, SMB...

    ASHacker

  • Is there anyone that can help me with s*****t connection syntax?

  • Excellent challenge. Taught me some new things about certain protocols.

    For people who are stuck on the correct s*******t syntax or think they are missing some information... there is a tool called crackmapexec. This can be used in combination with the found username and h**h to scan an entire network. In this case, only the target.
    But the output will help with getting the s*******t syntax correct.

    Hope that helps for people who are stuck at the first part.

    Still need help...when online, I'm always in for a PM.

    Hack The Box

  • I would appreciate a PM on getting user. I have user and hash but can't get much farther than that.

  • edited January 2019

    I am still banging my head... I can log in as al******* and b****1, but when it comes to us****a I got a Permission denied publickey error. I understand that I need a particular option when generating the file. Is it related to where I can connect from? Is it in a s*l file located under the b*****1 user? The log file is not too verbose, so I only see that the command ran successfully.

  • Ok, I have user. But I am stuck on priv esc. Can't seem to figure out getting b****1

  • Finally got it both the intended and the "0day" way.

    Because there is a lot of info on getting user, I only want to share my experience getting root.

    So it could be a real nightmare for days. But just check the s**d config file and be sure to understand the whole process. Check all users' home folders and if you find something interesting, note it. Then play with the URL, try combinations (you only need to change one parameter ;) ). If it doesn't work, try to reset the machine.

  • Rooted.. it's not that hard but you have to observe things.
    If anyone needs help, ping me personally.

  • > @0daysru said:
    > Got user, but need some help with priv esc. I know how to start *******gen with d*** and can create some files. Also I know how to print to screen p*****e k** via stdout as a file, but what about p****c k**? How to save it in a right directory? Or, maybe, it is a wrong way?

    I'm stuck at the exact same point as well. Any assistance would be greatly appreciated. Please PM me if you can lend a hand putting it all together.

  • Rooted this machine. If anyone needs help, feel free to PM :)

  • Got root. Interesting machine, learned a lot with this one.
    Didn't know that the hashes can be used in such a way to make a connection. Cool! :+1:

  • Rooted at last. Wow, this was an amazing learning experience. I would recommend not taking the easy method for root, i.e. not being a script kiddie and doing it how it is actually intended. Trust me. It'll take some time but you'll learn SOO MUCH MORE.

    PM me if anyone is stuck anywhere.

    Hack The Box

  • edited January 2019

    PLEASE PM HELP ME.

    Please :(((

    Thank you. I used msf (ex/win/psex...)

  • edited January 2019

    Enumerated l**p, found 2 users and a hash. I know which tool to use (s*******t), which options, but still can't log in because of the syntax.
    If someone could help me with it, thanks in advance!
    EDIT: got user, on my way to root!

    Hack The Box

  • edited January 2019

    Rooted the machine with the unattended LPE exploit.
    Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).

    Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-*****n and also got my files... but every time I tried to login in a different user-account I would receive the pu****k** error.

  • > @Ac1d0 said:
    > Rooted the machine with the unattended LPE exploit.
    > Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn**).
    >
    > Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-*****n and also got my files... but every time I tried to login in a different user-account I would receive the pu****k** error.

    Makers have no control of published machines. The admins decided to leave it as is.

  • edited January 2019

    I read privatekey /home/userc_/c_

    How to get r00t via s** localhost

    Please PM help me. Thank you so much.

  • > @AuxSarge said:
    > > @Ac1d0 said:
    > > Rooted the machine with the unattended LPE exploit.
    > > Also @AuxSarge please delete the symlink that this exploit creates, since other users could use it by simply typing a command (pwn).
    > >
    > > Someone who rooted without this method could contact me? I tried with the d*** command combined with the ss*-*****n and also got my files... but every time I tried to login in a different user-account I would receive the pu****k error.
    >
    > Makers have no control of published machines. The admins decided to leave it as is.

    Well, it sounds a little bit stupid since the root part you've created can be "bypassed" with this but... who cares? People interested in studying will not use this method :pensive:

    P.S.: I managed to exploit the machine the way you intended ;D

  • Have not been able to find the correct syntax for sm*****t to connect to the service for 3 hours using the a*******8 and the hash. Have read all the docs pages for the tool but can't get it to work. Can someone direct me? PM please.

  • Can someone PM me a hint? I'm stuck on the S**C****T command. I have 2 users, hash, not quite sure where to go from here but I know I'm close...

  • edited January 2019

    I've been stuck on this for ages now. I enumerated l*** and I am connecting into s*******t. Here I can see the working directories but it won't connect to the server. What am I missing?

    EDIT. Found the problem.

  • Rooted! Cool box. Learned another one. I used the other one that people are talking about; it is much easier. Anyone want to share how the other attack is implemented?

    For user, once you have the creds just use the extra command. Thanks to wish.

    For root just follow what other tips here have been giving.

    Root was easier than user if you know what others are talking about :)

    32x0LF

  • Whelp... user was easy. Got that in about 30 minutes. Now for root!

    n00b

  • My command for root doesn't work, could someone help me?

    peek

  • I logged in with PuTTY but keep losing the connection after every minute, is it normal?

  • If you can make the c*** with the s**-*****n command and principal, it has to have a name like -cert.pub. If it doesn't, the authentication will fail.

    I like to give stuff from HTB names like 'blah'... and that gave me a headache when I tried to figure out why the priv esc didn't work.

    Hope this isn't a spoiler :)
