12 hours and finally got root. R's was pretty new to me and was quite the learning curve.
Tips:
Foothold:
0. READ and RE READ all the messages in this thread, there are a lot of useful nuggets.
KISS. Yes to get a foothold you will need to implement a technique which is hinted at throughout this thread… however, if you find yourself not being able to use s----m-e'c (or anything similar), as well as M----E L'D; you may not be a strong follower of K.I.S.S
Pwn User:
0. Ditto Foothold, regarding keeping it simple.
Pentesting follows a set of steps. As mentioned elsewhere on this thread, a detailed search of what you have available can save a lot of time. Note: this is just good general advice, and is intended as such; the fact it may or may not apply here just shows how good this general advice really is. Again K.I.S.S.
Pop the box (owning root)
0. Ditto and Ditto
By this point the path forward should seem clear, again take stock of assets and make sure you do not forget about the other elephant in the room.
Any box that gives me the chance to learn things I did not know prior to starting is a good box. Thank you to the creator for putting this fun little project together.
I've got access through r***s. I've discovered 4 potential attacks,
webshell - not working (no write access)
copy ss*-related file in home dir - not working (no access)
inject cronjob - not working (no access)
Master/Slave exec payload - not working (missing command MOD***)
what am I missing? is it one of the 4 options I discovered?
Option 4 seemed the most promising to me. I've worked through this thread, but as it seems I don't understand the breadcrumbs at all.
This is my first box. Managed to get user, but stuck getting root. Have been trying exploits in m*f on w***** with user credentials but unable to get a session. Would be grateful for a PM with any hints/nudges.
I've got access through r***s. I've discovered 4 potential attacks,
webshell - not working (no write access)
copy ss*-related file in home dir - not working (no access)
inject cronjob - not working (no access)
Master/Slave exec payload - not working (missing command MOD***)
what am I missing? is it one of the 4 options I discovered?
Option 4 seemed the most promising to me. I've worked through this thread, but as it seems I don't understand the breadcrumbs at all.
One of them works. Think about directory aspect again…
I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.
Was able to decrypt the i*****.**k, although always getting "Connection closed by 10.10.10.160". Looking into the sshd config I can see that the user is actually denied to login via ssh, is this expected?
@tekkenpc said:
Was able to decrypt the i*****.**k, although always getting "Connection closed by 10.10.10.160". Looking into the sshd config I can see that the user is actually denied to login via ssh, is this expected?
I've been having a ton of overall issues connecting to the box lately so I don't think you're alone. Not sure if anything has changed, but some others have been saying "keep trying til it works"
I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.
There is more than one configuration item which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and another one is using the command rename option in the r***s configuration file.
The purpose of these settings is the exclusion of alternative solutions.
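The two settings mentioned in the post above are ordinary hardening measures outside of a CTF as well: sshd's DenyUsers keyword blocks interactive logins for a service account, and redis.conf's rename-command can rename or, with an empty name, disable a dangerous command. The following is an added example, not code from the thread or the box; the config fragments are constructed, the account name svc_redis and the password placeholder are assumptions, and the two functions are a small audit helper that checks whether a given config text actually carries those settings.

```shell
# Added example: sshd_config and redis.conf hardening settings that limit
# what an attacker can do with a compromised Redis instance, plus a check
# that a given config actually contains them.

# Constructed sshd_config fragment: the service account svc_redis (assumed
# name) is denied SSH login even if a key lands in its authorized_keys.
SSHD_CONFIG_SAMPLE='Port 22
PermitRootLogin no
DenyUsers svc_redis'

# Constructed redis.conf fragment: listen locally, require a password, and
# disable commands that allow config rewrites, module loading or data wipes.
REDIS_CONF_SAMPLE='bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
rename-command CONFIG ""
rename-command MODULE ""
rename-command FLUSHALL ""'

# ssh_user_denied CONFIG_TEXT USER
# Returns 0 if USER appears on an uncommented DenyUsers line, else 1.
ssh_user_denied() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*DenyUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+'"$2"'([[:space:]]|$)'
}

# redis_command_disabled CONFIG_TEXT COMMAND
# Returns 0 if COMMAND is renamed to the empty string (i.e. disabled), else 1.
redis_command_disabled() {
  printf '%s\n' "$1" | grep -Eiq \
    '^[[:space:]]*rename-command[[:space:]]+'"$2"'[[:space:]]+""[[:space:]]*$'
}

# Usage: run the checks against the constructed fragments.
ssh_user_denied "$SSHD_CONFIG_SAMPLE" svc_redis && echo "svc_redis: SSH login denied"
redis_command_disabled "$REDIS_CONF_SAMPLE" MODULE && echo "MODULE: disabled"
```

To audit a live host, pass the contents of /etc/ssh/sshd_config and the Redis configuration file (read with cat) in place of the sample strings; a non-zero return means the setting is absent and the corresponding path is still open.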
Let's just say, if you're already in one of the house's rooms, don't just walk out and ring the doorbell again.
So this would be atypical of how a default r**s would be set up? From my understanding of how the accounts for services should be set up, even in a testing environment, is that none of my attacks should have worked. I'm just curious if this is something you actually see in the wild.
Man I'm at a wall and I know it is going to be something stupid. Got user M*** and I know people are saying to go to the beginning but I must have missed something enumerating… Please PM! Great so far haha