Writeup

Finally rooted, learned loads especially not to be dumb af
Hmu for help!

i told myself i was gonna try and hit a box strictly on my own, but lets face it im still too green to make that a feasible reality, so here i am wondering why the python script, no matter what version i run it in, wont co-operate and gives me, depending on which version, 2 types of syntax errors. Can i get a witness…

nm i fixed it…

can someone please tell me, before i bf the hash target from ypuffy, if thats the one i should focus on cuz it will take some time

is anyone available to give me a nudge in root?

ok so now that exploit spit out creds, im wondering why /w*****/a**** wont accept them, am i missing something… User *** Pass rj***9 unless user is email?..where am i going wrong?

Rooted. Technically it is easy, but its not obvious. Thanks, it is a nice machine!

@jh305 said:
One thing I haven’t seen anyone mention is how they get p*** onto the machine. wget doesn’t seem to work?!

In Linux, once you have SSH you can always use SCP for file transfer. Failing that, set up a mini web server on your machine and use wget/curl. Or even, just use nc and pipe it.

@mmkhan said:

@clubby789 said:

@mmkhan said:
Hi. How do I speedup (or modify command) hashcat process ? it’s taking ages and CPU to crack credentials. And some hints on what to precisely look in pspy will be appreciated.

Have you put the hh and st in the right format, and set the cracking mode accordingly?

Not sure. Had a feeling it was not right but gave a try. I used md5($pass.$salt) with brute force & text file with /rockyou
-m 10 -a 3 -o </file with password hash : salt>
Lot many options to try and find the right one :frowning:

@mmkhan said:
@clubby789 said:

@mmkhan said:
Hi. How do I speedup (or modify command) hashcat process ? it’s taking ages and CPU to crack credentials. And some hints on what to precisely look in pspy will be appreciated.

Have you put the hh and st in the right format, and set the cracking mode accordingly?

Not sure. Had a feeling it was not right but gave a try. I used md5($pass.$salt) with brute force & text file with /rockyou
-m 10 -a 3 -o </file with password hash : salt>
Lot many options to try and find the right one :frowning:

Actually the C*S exploit does that for you so you dont need hashcat or any other tool

looking for some help with user

been banging my head against the wall running the c***s exploit, i keep getting a connection error. I’ve read that I need to toy with the t variable but i’ve tried many different values for it and nothing. pm me if you have any hints, thanks guys.

edit: user owned, onto root…

@0rbit4L said:

Actually the C*S exploit does that for you so you dont need hashcat or any other tool

Hashcat does it much faster for me at least

@KaniJX said:

looking for some help with user

been banging my head against the wall running the c***s exploit, i keep getting a connection error. I’ve read that I need to toy with the t variable but i’ve tried many different values for it and nothing. pm me if you have any hints, thanks guys.

For me i just kept trying…and eventually it worked, at first i was changing the T var and nothing was working so i put it back to default and left it for a short while and when i got back to it, it worked. Im not sure if it was just running it at a specific time that it worked or not.

My issue is where to plug in the creds, cuz they dont work on /w*****/a**** and the only other LI i know for this box is the home page NetSec and that didnt work either…would some kind soul pm me and point me in the right direction with a small hint im sooo close :smile:

@0rbit4L said:

@KaniJX said:

looking for some help with user

been banging my head against the wall running the c***s exploit, i keep getting a connection error. I’ve read that I need to toy with the t variable but i’ve tried many different values for it and nothing. pm me if you have any hints, thanks guys.

For me i just kept trying…and eventually it worked, at first i was changing the T var and nothing was working so i put it back to default and left it for a short while and when i got back to it, it worked. Im not sure if it was just running it at a specific time that it worked or not.

My issue is where to plug in the creds, cuz they dont work on /w*****/a**** and the only other LI i know for this box is the home page NetSec and that didnt work either…would some kind soul pm me and point me in the right direction with a small hint im sooo close :smile:

Look for other services in your nmap result :wink:

Please nudge for root.

I know where to look and what to manipulate but it is not working.

EDIT:

ROOTED! Learned a lot, thank you @jkr

Can someone please give me a nudge on root. I seem to have the path but i can’t seem to exploit it.

@Expojetsu said:

@0rbit4L said:

@KaniJX said:

looking for some help with user

been banging my head against the wall running the c***s exploit, i keep getting a connection error. I’ve read that I need to toy with the t variable but i’ve tried many different values for it and nothing. pm me if you have any hints, thanks guys.

For me i just kept trying…and eventually it worked, at first i was changing the T var and nothing was working so i put it back to default and left it for a short while and when i got back to it, it worked. Im not sure if it was just running it at a specific time that it worked or not.

My issue is where to plug in the creds, cuz they dont work on /w*****/a**** and the only other LI i know for this box is the home page NetSec and that didnt work either…would some kind soul pm me and point me in the right direction with a small hint im sooo close :smile:

Look for other services in your nmap result :wink:

if you mean port 22 ssh, ive tried it and nada :neutral:

Nvm thanks @Expojetsu you were right i was making dumb ■■■ noob error

I got user, and I’ll try to get root, but i dont have any idea, i think that could be a recurrent process and overwrite daily process, could someone help me?

I think that i have a hint for privilege escalation, i’m in a writable directory but i don’t have any idea how to exploit this, I use some binaries, but they don’t work, help me!!

got user… thanks @jkr for all your help just call me george j, onto root now.

@kazza said:

@jh305 said:
One thing I haven’t seen anyone mention is how they get p*** onto the machine. wget doesn’t seem to work?!

In Linux, once you have SSH you can always use SCP for file transfer. Failing that, set up a mini web server on your machine and use wget/curl. Or even, just use nc and pipe it.

Ended up using SCP and learning something new, thanks!

nvm i think i got it