Writeup

Finally root!!
Don’t overthink user, just try different CVEs (like a pro script-kiddie :p)
Root: watch the p***64 program closely, know the problem with non-absolute paths, work with that… it doesn’t work –> then watch more closely to see what root is trying to do :wink:

Feel free to PM me

Hi!!

I got user, but I’m really stuck on root. Can someone PM me with some directions?

Hint for user: In my case, I didn’t really have to force the hash with hashcat or jack or anything, and then, as someone else said: “credential stuffing”

Warning for those studying for OSCP and running their custom VM - seems the initial exploit is not in searchsploit.

Someone correct me if I’m wrong. Wasted a lot of time.

Obtaining user was a piece of cake but ROOT… not sure how this works with p**** and the path. Please PM me to help for ROOT please

@qmi said:

Actually, here you won’t get a root shell by the usual exploit ways. You’ll need to enumerate. First check the processes with the pspy tool, watch closely for a process executed by root incl. the command line. Take note of a dir in the PATH. Then craft your own script against a well known binary, copy it over to a dir where you can write in the PATH. Your script will be executed instead of the binary with root privileges doing whatever you want. Done and dusted. You are root :smile:

This comment saved me. Thank you qmi ! finally rooted the box
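The root hints above come down to a root-run command being resolved through PATH while a directory that a non-root user can write to is searched first. From the defender's side, an audit for that condition can look like the following (an added example, not part of any post in this thread; the function names and the `trusted_uids` parameter are assumptions of this example):

```python
import os
import stat
import sys

def risky_entry(entry, trusted_uids=(0,)):
    """Return why a PATH entry is unsafe for a privileged process, or None."""
    if entry in ("", "."):
        return "empty or '.' entry resolves to the current working directory"
    if not os.path.isabs(entry):
        return "relative entry resolves against the current working directory"
    try:
        st = os.stat(entry)
    except OSError:
        return None  # directory does not exist, nothing is resolved from it
    if not stat.S_ISDIR(st.st_mode):
        return None
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}, not a trusted owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"group/world-writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None

def shadow_risks(command, path_value, trusted_uids=(0,)):
    """List (entry, reason) for unsafe entries searched up to where
    `command` is actually found; later entries cannot shadow it."""
    findings = []
    for entry in path_value.split(os.pathsep):
        reason = risky_entry(entry, trusted_uids)
        if reason:
            findings.append((entry, reason))
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break  # lookup stops at the first executable match
    return findings

if __name__ == "__main__":
    # Usage: python3 path_audit.py <command> [<command> ...]
    # Run it with the PATH the privileged job really uses (cron, PAM,
    # systemd unit), which often differs from an interactive shell's PATH.
    path_value = os.environ.get("PATH", "")
    for cmd in sys.argv[1:]:
        for entry, reason in shadow_risks(cmd, path_value):
            print(f"{cmd}: {entry!r} is searched first and is {reason}")
```

Any finding means the command should be called by absolute path in the privileged script, or the directory's ownership and mode tightened.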

Rooted! Learnt a lot on this one.

Rooted finally. A BIG thanks to @qmi for ridding me of my stupidity lol. Lesson is: read well what you are trying to exploit.

Rooted. Feel free to PM.

Finally rooted, learned loads especially not to be dumb af
Hmu for help!

I told myself I was gonna try and hit a box strictly on my own, but let’s face it, I’m still too green to make that a feasible reality, so here I am wondering why the python script, no matter what version I run it in, won’t co-operate and gives me, depending on which version, 2 types of syntax errors. Can I get a witness…

nm, I fixed it…

Can someone please tell me, before I bf the hash target from ypuffy, if that’s the one I should focus on, cuz it will take some time?

Is anyone available to give me a nudge on root?

OK, so now that the exploit spit out creds, I’m wondering why /w*****/a**** won’t accept them, am I missing something… User *** Pass rj***9 unless user is email?.. where am I going wrong?

Rooted. Technically it is easy, but it’s not obvious. Thanks, it is a nice machine!

@jh305 said:
One thing I haven’t seen anyone mention is how they get p*** onto the machine. wget doesn’t seem to work?!

In Linux, once you have SSH you can always use SCP for file transfer. Failing that, set up a mini web server on your machine and use wget/curl. Or even, just use nc and pipe it.

@mmkhan said:

@clubby789 said:

@mmkhan said:
Hi. How do I speed up (or modify the command for) the hashcat process? It’s taking ages and CPU to crack credentials. And some hints on what precisely to look for in pspy will be appreciated.

Have you put the hh and st in the right format, and set the cracking mode accordingly?

Not sure. Had a feeling it was not right but gave a try. I used md5($pass.$salt) with brute force & text file with /rockyou
-m 10 -a 3 -o </file with password hash : salt>
Lot many options to try and find the right one :frowning:

Actually the C*S exploit does that for you so you don’t need hashcat or any other tool

Looking for some help with user

Been banging my head against the wall running the c***s exploit, I keep getting a connection error. I’ve read that I need to toy with the t variable but I’ve tried many different values for it and nothing. PM me if you have any hints, thanks guys.

edit: user owned, onto root…

@0rbit4L said:

Actually the C*S exploit does that for you so you don’t need hashcat or any other tool

Hashcat does it much faster for me at least

@KaniJX said:

Looking for some help with user

Been banging my head against the wall running the c***s exploit, I keep getting a connection error. I’ve read that I need to toy with the t variable but I’ve tried many different values for it and nothing. PM me if you have any hints, thanks guys.

For me I just kept trying… and eventually it worked. At first I was changing the T var and nothing was working, so I put it back to default and left it for a short while, and when I got back to it, it worked. I’m not sure if it was just running it at a specific time that it worked or not.

My issue is where to plug in the creds, cuz they don’t work on /w*****/a**** and the only other LI I know for this box is the home page NetSec and that didn’t work either… would some kind soul PM me and point me in the right direction with a small hint, I’m sooo close :smile:

Look for other services in your nmap result :wink: