Finally root!!
Don’t overthink user, just try different CVEs (like a pro script kiddie :p)
root: watch the p***64 program closely, know the problem with non-absolute paths, work with that… it doesn’t work --> then watch more closely to see what root is trying to do
Actually, here you won’t get a root shell by the usual exploit ways. You’ll need to enumerate. First check the processes with the pspy tool, watch closely for a process executed by root incl. the command line. Take note of a dir in the PATH. Then craft your own script against a well known binary, copy it over to a dir where you can write in the PATH. Your script will be executed instead of the binary with root privileges doing whatever you want. Done and dusted. You are root.
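The weakness described in the post above, seen from the admin side, as an added example that is not part of the thread: a check that walks a privileged job's PATH in lookup order and reports entries that are relative, missing, or group/world-writable before the command resolves. The directory layout and the `backup-tool` name are constructed for illustration.

```python
import os
import stat
import tempfile

def risky_path_entries(path_value, command):
    """Walk PATH in lookup order until `command` resolves; report risky entries seen."""
    findings = []
    for index, entry in enumerate(path_value.split(":")):
        # An empty or relative entry is resolved against the caller's cwd.
        if not os.path.isabs(entry):
            findings.append((index, entry or ".", "relative or empty entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            findings.append((index, entry, "directory does not exist"))
            continue
        # Mode bits only (assumption): ACLs and non-root ownership are not checked.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((index, entry, "group- or world-writable"))
        candidate = os.path.join(entry, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate, findings  # later entries can never shadow this one
    return None, findings

def demo():
    """Constructed layout: a writable 'staging' dir listed ahead of the real 'bin'."""
    with tempfile.TemporaryDirectory() as root:
        staging, real_bin = os.path.join(root, "staging"), os.path.join(root, "bin")
        os.mkdir(staging)
        os.mkdir(real_bin)
        os.chmod(staging, 0o777)   # the weak setting
        os.chmod(real_bin, 0o755)  # the setting every PATH entry should have
        tool = os.path.join(real_bin, "backup-tool")  # hypothetical binary name
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(tool, 0o755)
        resolved, findings = risky_path_entries(f"{staging}:{real_bin}", "backup-tool")
        return (os.path.relpath(resolved, root),
                [(i, os.path.relpath(d, root), why) for i, d, why in findings])

if __name__ == "__main__":
    print(demo())
```

Any finding on a root-run job means the job should call its binaries by absolute path and the flagged directory should be removed from PATH or have its permissions tightened.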
This comment saved me. Thank you qmi! Finally rooted the box.
I told myself I was gonna try and hit a box strictly on my own, but let’s face it, I’m still too green to make that a feasible reality, so here I am wondering why the python script, no matter what version I run it in, won’t co-operate and gives me, depending on which version, 2 types of syntax errors. Can I get a witness…
OK, so now that exploit spit out creds, I’m wondering why /w*****/a**** won’t accept them, am I missing something… User *** Pass rj***9 unless user is email?.. Where am I going wrong?
@jh305 said:
One thing I haven’t seen anyone mention is how they get p*** onto the machine. wget doesn’t seem to work?!
In Linux, once you have SSH you can always use SCP for file transfer. Failing that, set up a mini web server on your machine and use wget/curl. Or even, just use nc and pipe it.
@mmkhan said:
Hi. How do I speed up (or modify command) hashcat process? It’s taking ages and CPU to crack credentials. And some hints on what precisely to look for in pspy will be appreciated.
Have you put the hh and st in the right format, and set the cracking mode accordingly?
Not sure. Had a feeling it was not right but gave it a try. I used md5($pass.$salt) with brute force & text file with /rockyou
-m 10 -a 3 -o </file with password hash : salt>
A lot of options to try and find the right one
Actually the C*S exploit does that for you so you don’t need hashcat or any other tool.
Been banging my head against the wall running the c***s exploit, I keep getting a connection error. I’ve read that I need to toy with the t variable but I’ve tried many different values for it and nothing. PM me if you have any hints, thanks guys.
For me, I just kept trying… and eventually it worked. At first I was changing the T var and nothing was working, so I put it back to default and left it for a short while, and when I got back to it, it worked. I’m not sure if it was just running it at a specific time that it worked or not.
My issue is where to plug in the creds, cuz they don’t work on /w*****/a**** and the only other LI I know for this box is the home page NetSec and that didn’t work either… Would some kind soul PM me and point me in the right direction with a small hint? I’m sooo close.