Heist

Type your comment> @Aidsko said:

■■■■, so i have 3 passwords and 3 usernames. I am able to connect to the share with the credentials. I have tried using the ruby script and other w**** tools but keep getting authentication errors. I even tried using my windows vm to user more native w**** tools. Can someone push me towards the right direction! I would greatly appreciate it!

Try metasploit module to check right combination of those creds :smile:

Currently working on root but seem to have hit a brick wall. I’m pretty certain I’ve figured out the correct application as the file I’m looking at has been mentioned several times in the forum, however I haven’t been able to decrypt it. Uploaded an application to get the password but it was ineffective as a master password seems to be in use.

A lot of the previous comments imply that the answer is much simpler than it might appear. Would really appreciate a nudge in the right direction. Heading to bed now - sorry if I don’t respond for a few hours.

Cheers.

usernames and 3 cracked passwrds from c***** file didn’t help authenticate neither ./l***d.py script nor msf w login module. Any help on how to get the correct username?

Update : Rooted! The root was so simple than user. Wasted a day for root complicating things…

Rooted

I NEED TO UNDERSTAND TWO THINGS:

  • Why the exploit didn’t work in metasploit or the other ruby scripts? if someone knows, please tell me.
  • From where the ■■■■ you got the username C**e? Has it been mentioned some whare in the website? if someone knows, please tell me.

The root flag was much more easier than user flag.

Ok so I have 3 password and 3 username which i got from the file they give you
I can connect to samba / rpc but i cant enumerate from this cause few rights
i tried the rb script and evil-winrm on both windows and linux machine
I tried to bruteforce username with the 3 password using the metasploit auxiliary tool
I obviously tried all the combinations between these username/password

Still doesnt work, im really stuck, I already tried all the options.

Stuck on root. Could someone give me a nudge? Like others said I’m missing the l****.***n file and cant see any other interesting processes.

Type your comment> @ibarrick said:

Stuck on root. Could someone give me a nudge? Like others said I’m missing the l****.***n file and cant see any other interesting processes.

Once you get the user, try to visit the web pages from inside. You will find something useful.

Type your comment

cracked all 3 passwords, but still milestone is far

Rooted! Pretty Nice box , congrats @MinatoTW

Ping me if you need help

hey, anybody could help me out? I can’t get opencl to work on my ivybridge soo… can’t really do that one thing I’m supposed to do. I know what I should, but unable. Could anyone give it to me? Thanks

–edit: got it, got in to the s**** but nothing seems to be up there. Please some nudge?

Type your comment> @rowra said:

hey, anybody could help me out? I can’t get opencl to work on my ivybridge soo… can’t really do that one thing I’m supposed to do. I know what I should, but unable. Could anyone give it to me? Thanks

–edit: got it, got in to the s**** but nothing seems to be up there. Please some nudge?

I’ve got 3 sets of creds. I tried metasploits w****_lo***, previously linked evil-w**r* and a python winrm lib too (wrote my own little wrapper for a pass checker brute forcer all combinations). Nothing seems to work. I tried adding some obvious/stock ones like Administrator. Nothing, going nuts about how to utilise these creds, they can’t be for nothing… please nudge

To save some others a massive headache turn off bash history substitutions with this command for the final step:

set +H

.

This is the easiest root privesc I’ve made. But I’ve not followed the usual path as most people to get it… So yeah there are 2 ways (at least) to get root.

Two unintended ways to root have been patched. Ones who did root just by cracking a hash or finding the password in a file, I urge you to try again!

I’ve user already since some days. Struggling with root. I guess i know which process here is talked about, but one of the files missing to get pwd out of it. But might be fully wrong. Hints appreciated :smile:

Type your comment> @ml19 said:

I’ve user already since some days. Struggling with root. I guess i know which process here is talked about, but one of the files missing to get pwd out of it. But might be fully wrong. Hints appreciated :smile:

Same here. Also found the hash. Wonder if there is some way to get into the context of the process. The good old m*r doesn’t seem to do the trick. Maybe some Pl magic?

I have the three passwords from the c*** file. when i try to enumerate the users with smbmap or over other tools i always receive access denied. i was trying every combination with ev**-w** and with metasploit without success but i was only guessing the usernames… please give me a nudge.

Tought me that I clearly have no clue about windows

Hint for root: as said a lot, look at processes memory and don’t waste time to look at files (all the things I saw in writeups are not there)