Heist

@Raven37 said:

hello everyone :slight_smile: working on root now. i think i understand what process i should be looking at, but i can’t find file k**4.d under the usual location. Can somebody help me?

nvm, I was blind, found it. Now trying to do something with it

okay, I am stuck on it :slight_smile: is there any way to copy files from heist machine to my kali and vice versa?

Were you able to root? I am stuck on the same step, got k**.d* but what next? Reading the article, it mentioned it required log**.j** to decrypt? Am I on the wrong path?

I’m stuck with the username, I tried all in sb and w***r, little hint in pm, thanks

@MarsG no. i agree, maybe *.db is a wrong path

Spoiler Removed

i can’t decrypt secret hash… plz someone hint me

@azeroth said:

i can’t decrypt secret hash… plz someone hint me

Use hashcat - no rules - rocking list - crack in less than a minute

@Raven37 said:
hello everyone :slight_smile: working on root now. i think i understand what process i should be looking at, but i can’t find file k**4.d under the usual location. Can somebody help me?

nvm, I was blind, found it. Now trying to do something with it

okay, I am stuck on it :slight_smile: is there any way to copy files from heist machine to my kali and vice versa?

I used pscp:

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

  1. Create a cmd session (upload nc to victim, reverse to attacking box)
  2. Upload pscp, and use it like you would scp

Hi Folks,
Stuck on privesc -
I have the db files
I have dumps of the process
What am I looking for? Am I in a rabbit hole?
Thanks

Finally got root.

Hints:
User:
enumerate, enumerate, enumerate
crack what you enumerate
enumerate some more
Look beyond what you think is normal
play with the rubies

Root:
Think a little forensically
Grep and Strings are your friend
Don’t we always harp on credential re-use?

Feel free to DM me for hints.

Thanks to @minatoTW for making the box and @marlasthemage for all your help!

@1337mm look at my comment above.

Wow, I had an unusually hard time getting user. Protip: use hashcat on your native machine.

Rooted.

I hit my head against the wall to understand the creds logic, last step was so obvious that I overlooked it.

Pretty fun and useful box.

  • Feel free to PM for help

I have the k.d* file, but I’m stumped as to what to do next. I can’t see a way to decrypt it with the info I have. I can’t see any info that stands out from the processes either. Is there a tool or ps cmd like pspy but for windows? Also there is no l*****.j**n file?

EDIT:

Rooted. Was chasing rabbits.

Hints:

File transfers were a pain, nc.exe worked for me.

Root - I love taking a dump on Windows!

Awesome box, learned a lot, thanks @minatoTW!

I have all the usernames and the 3 passwords, still can’t connect, what am I missing? Should I enum more?

@C3PJoe said:

@1337mm look at my comment above.

Thanks for the comment “Think a little forensically” - rooted

@MinatoTW Thanks for this exercise, taught me a lot about what can be gleaned from the process, also about seeing the trees amongst the forest.

On root - Can someone DM me?

I am unable to find the exact next step. I have a stable shell and I am able to transfer files without any issues. I have looked at every process, like others suggested in this thread, but it looks like I am unable to find the exact one that will allow me to move forward.

Thanks!

Edit: Rooted - Thanks @Raven37

Anyone know how to decrypt a Cisco type 5 password??

rooted, thanks to @marlasthemage :slight_smile: good box, learned a lot of new things

Never been more lost at root before, but I must say it was an excellent learning experience for memory forensics → priv esc. Big thanks to @C3PJoe and @v0yager for the help

Hint for root:
Dump the process with the right tool and the right flags to get EVERYTHING you need but you won’t really need everything in the end :smile: