Lightweight

Would anyone be able to provide a hint for User? Like @sanre’s initial query, I am unsure how to get the information I need using t*****p

EDIT: Reached l*******1, now to figure out root…
EDIT2: Rooted. Thanks for the advice, folks!

Finally got root, but I still have some questions about why something worked the way it did.

PM would be nice

Anyone able to help with escalating from the first user? I’ve run the tp but am getting the same information that I got from the n script. I’ve tried using {***}* to log in as well as the full hashes, but no luck.

EDIT: Never mind, make sure you listen in the right places! :confounded:
EDIT 2: Rooted… paths are important!

Finally rooted this box and learned about capabilities :slight_smile:
Special thanks to @sanre for taking the time to explain Linux capabilities.

I’m stuck on the last step for privesc.

I think I know what binary to use from the last user to get access to the flag, but I’ve been staring at man pages and playing with the program for the past hour or two and can’t get anything other than ‘permission denied’ errors for the file I want access to.

Can anyone explain to me why jxplorer is so ludicrously slow, while shelldap is lightning quick? I feel like part of it is that jxplorer is a GUI, but that just can’t make that big of a difference.

Can anyone help? I’ve been stuck on this for days now, trying to get user. I have run tp while querying a million different things, have found the hashes, but nothing more than the output of the actual query. I’ve read the entire RFC and the documentation of all l and s* commands. Any nudge would be appreciated, this is driving me mad.

Rooted Successfully along with root shell. Got loads of hints from the comments
Thanks @all :slight_smile:

Rooted with good impression and experience.
Followed CEH methodology and CTF techniques that I had already studied on previous machines. The last step will make you smile.

Hint for root: Be brave! Go to root directly! Don’t care about permissions!

Finally rooted!

What made this box hard (on free) were the trolls changing passwords and flags.

Thanks to the people who verified my commands and that I wasn’t insane! I kept at it and eventually got the right flags!

Rooted! A very interesting box. It had certainly some similarities with Active but I still learned a lot with this one!

Anyone got root shell? I’m trying to decrypt shadows, PM for discussion :slight_smile:
EDIT: nvm, got it

got root…pm for hint…

Seriously. The way to get the root flag doesn’t make any sense to me.

Why is that thingy able to do what it can do? There is another of that thing on the box which is no different and it cannot do that thing. The path /seems/ to be relevant. But moving an identical thing from a different place seems to make it not work?

If anyone is able to PM me and explain I will send you much respect!

I got root flag, but still having issues to get root shell. If someone could please PM me for some hint it will be appreciated.

PP

Hello everyone! I am currently stuck on getting ldap2. I have run multiple captures with tcp while attacking ldap with NSE and JX and have combed through all of the captured ldap packets. I can see ldap2’s hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap2? Help me understand in depth please, I want to know what is going on, not just how to get ldap**2 thx! :stuck_out_tongue:

@Dazed said:

Hello everyone! I am currently stuck on getting ldap2. I have run multiple captures with tcp while attacking ldap with NSE and JXand have combed through all of the captured ldap packets. I can see ldap2’s hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap2? Help me understand in depth please, I want to know what is going on, not just how to get ldap**2 thx! :stuck_out_tongue:

If you have the right data and analyze it on your device, you will find that the packet containing ldap****2’s hash is carrying an LDAP message, the BindRequest, the start of the authentication process. You can learn more by reading “The LDAP Bind Operation” on LDAP.com or https://ldapwiki.com/wiki/Bind%20Request
And yes, if you have the right data, you’re overlooking something simple!
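What a BindRequest like the one mentioned above contains, as an added example that is not part of any post in this thread: a minimal BER reader following RFC 4511 that reports which authentication choice a bind uses and flags simple binds on a cleartext channel, where the credential field travels unmodified. The DN, values and sample messages are constructed for illustration.

```python
# Added example: audit LDAP BindRequest messages (RFC 4511) seen on port 389.
# All sample messages below are constructed, not captured from any host.

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def audit_bind(payload):
    """Return a finding dict for a BindRequest, or None for other messages."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:                        # LDAPMessage is a SEQUENCE
        return None
    _, _, pos = read_tlv(msg, 0)           # messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x60:                     # [APPLICATION 0] = BindRequest
        return None
    _, version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    # [0] simple carries the credential as-is; [3] SASL depends on the mechanism
    method = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    exposed = method == "simple" and len(auth) > 0   # empty = anonymous bind
    return {"version": version[0], "dn": dn.decode("utf-8", "replace"),
            "method": method, "secret_exposed": exposed}

def tlv(tag, value):
    """Encode a short-form BER TLV (under 128 bytes) to build the samples."""
    return bytes([tag, len(value)]) + value

def sample_bind(dn, auth):
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, body))

SIMPLE = sample_bind(b"uid=demo,dc=example,dc=com", tlv(0x80, b"constructed-value"))
SASL = sample_bind(b"", tlv(0xA3, tlv(0x04, b"GSSAPI")))
SEARCH_DONE = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x65, b"\x0a\x01\x00\x04\x00\x04\x00"))

if __name__ == "__main__":
    for name, pkt in (("simple", SIMPLE), ("sasl", SASL), ("other", SEARCH_DONE)):
        print(name, audit_bind(pkt))
```

A finding with `secret_exposed` set is the case to remediate by requiring StartTLS or LDAPS before binds are accepted.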

@D3v17 said:

@Dazed said:

Hello everyone! I am currently stuck on getting ldap2. I have run multiple captures with tcp while attacking ldap with NSE and JXand have combed through all of the captured ldap packets. I can see ldap2’s hash. I know I am not supposed to try to crack this hash and it is not a simple Pass The Hash attack from my understanding. I feel like I am overlooking something simple! What is the step I am missing for ldap2? Help me understand in depth please, I want to know what is going on, not just how to get ldap**2 thx! :stuck_out_tongue:

If you have the right data, analyzing them on your device, you will find that the packet containing the ldap****2’s hash, is carrying an LDAP message, the BindRequest, the start of the authentication process. You can learn more by reading this The LDAP Bind Operation – LDAP.com or this https://ldapwiki.com/wiki/Bind%20Request
And yes, if you have the right data, you’re overlooking something simple!

Got user! Thanks for the help and resources! Now onto root. :slight_smile:

ROOTED! This box was quite interesting and definitely taught me some stuff about LDAP that I didn’t know about. The unique attack vectors were a good change of pace. If anyone needs help feel free to PM me! :smiley:

I am working on Lightweight, but I am stuck in the initial step. I have the low priv ssh access using my IP. I have two hashes from the usual np l**p enumeration. I am trying to run tc***p on 389 but I hear nothing. Can you please give me a nudge if possible?