Postman

1679111238

Comments

  • edited November 2019

    This is my second box and I am trying to get root, I have a few ideas but some trouble with em. Please PM me a nudge if you can :)

    EDIT: Got root in 5 minutes, for some reason what I tried to do last night didn't work until this morning. feel free to DM me if you need a nudge :)

  • Nice box just rooted. Anyone rooted the box without using the msf module pm me. I get disconnected when tried using the gui for higher port.

  • Type your comment> @Dinesh42 said:

    Got user access @M**t

    YOU GAVE AWAYYYY i had low shell and M**t and THE PAssword for matt but you gave away!! :( nvm...

    gg tho

    Arrexel
    OSCP | OSCE half way!

  • Rooted !!
    Hints in the forum are more than enough to get yourself going. If any problem don't stop yourself from DM :)

  • need hint for user

  • 12 hours and finally got root. R---s was pretty new to me and was quite the learning curve.

    Tips:

    Foothold:
    0. READ and RE READ all the messages in this thread, there are a lot of useful nuggets.
    1. KISS. Yes to get a foothold you will need to implement a technique which is hinted at throughout this thread... however, if you find yourself not being able to use s----m-e--c (or anything similar), as well has M----E L--D; you may not be a strong follower of K.I.S.S

    Pwn User:
    0. Ditto Foothold, regarding keeping it simple.
    1. Pentesting follows a set of steps. As mentioned elsewhere on this thread, a detailed search of what you have available can save a lot time. Note: this is just good general advise, and is intended as such, the fact it may or may not apply here, just shows how good this general advise really is. Again K.I.S.S.

    Pop the box (owning root)
    0. Ditto and Ditto
    1. By this point the path forward should seem clear, again take stock of assets and make sure you do not forget about the other elephant in the room.

    Any box that gives me the chance to learn things I did not know prior to starting is a good box. Thank you to the creator for putting this fun little project together.

  • @c1cada hey man i rooted in 1 hours. the whole machine but there one issue! i think i did unintended wanna share how you rooted..

    Arrexel
    OSCP | OSCE half way!

  • edited November 2019

    Spoiler Removed

  • someone plz pm me i am stuck in user need of help for privilege escalation??

  • I got creds for low user but not able to login anywhere, can anyone give a little push?

    cycl0ps
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
    Discord-cycl0ps#5219
    Telegram-cycl0ps

  • Type your comment> @cycl0ps said:

    I got creds for low user but not able to login anywhere, can anyone give a little push?

    Got in, I was messing with case. :D

    cycl0ps
    If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
    Discord-cycl0ps#5219
    Telegram-cycl0ps

  • edited November 2019

    I've got access through r**s. I've discovered 4 potential attacks,
    1) webshell -> not working (no write access)
    2) copy ss
    -related file in home dir -> not working (no access)
    3) inject cronjob -> not working (no access)
    4) Master/Slave exec payload -> not working (missing command MOD***)
    what i'm missing? is it one of the 4 options i discovered?
    Option 4 seemed the most promising to me. Ive worked through this thread, but as it seems i dont understand the breadcrumbs at all.

  • edited November 2019

    This is my first box. Managed to get user, but stuck getting root. Have been trying exploits in m*f on w***** with user credentials but unable to get a session. Would be grateful for a PM with any hints/nudges.

    Got it! Overlooked an option. Thanks to @usernamestaken and @Lucyn .

  • ssh -i id_rsa r****@10.10.10.160
    r****@10.10.10.160's password:
    Permission denied, please try again.
    anyone can help? i input correctly but i can't login

  • Stuck in the same place as @zikuto. Is it correct way to solve it? Or am I something missing here?

  • Type your comment> @d4rk5p07 said:

    I've got access through r**s. I've discovered 4 potential attacks,
    1) webshell -> not working (no write access)
    2) copy ss
    -related file in home dir -> not working (no access)
    3) inject cronjob -> not working (no access)
    4) Master/Slave exec payload -> not working (missing command MOD***)
    what i'm missing? is it one of the 4 options i discovered?
    Option 4 seemed the most promising to me. Ive worked through this thread, but as it seems i dont understand the breadcrumbs at all.

    One of them works. Think about directory aspect again...

    bumika

  • First machine and finally got root! Lessons learned and i thought it was a fun box !

  • I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

  • Was able to decrypt the i*****.**k , although always getting "Connection closed by 10.10.10.160" , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

  • edited November 2019

    @tekkenpc said:
    Was able to decrypt the i*****.**k , although always getting "Connection closed by 10.10.10.160" , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

    I've been having a ton of overall issues connecting to the box lately so i don't think you're alone. not sure if anything has changed, but some others have been saying "keep trying til it works" :/

    passkwall

  • edited November 2019

    Type your comment> @nob0dy73 said:

    I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

    There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

    Purpose of these settings are exclusion of alternative solutions.

    bumika

  • Type your comment> @passkwall said:

    @tekkenpc said:
    Was able to decrypt the i*****.**k , although always getting "Connection closed by 10.10.10.160" , looking into the sshd config i can see that the user is actually denied to login via ssh, is this expected?

    I've been having a ton of overall issues connecting to the box lately so i don't think you're alone. not sure if anything has changed, but some others have been saying "keep trying til it works" :/

    Let's just say, if you're already in one of the house's rooms, don't just walk out and ring the doorbell again.

  • Nice box, learned something new and yes, there are already more than enough hints in the previous comments. Special thanks to @TheCyberGeek

  • Type your comment> @bumika said:

    Type your comment> @nob0dy73 said:

    I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

    There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

    Purpose of these settings are exclusion of alternative solutions.

    So this would be atypical of how a default r**s would be setup? From my understanding of how the accounts for services should be setup, even in a testing environment, is that none of my attacks should have worked. I'm just curious if this is something you actually see in the wild.

  • Man I'm at a wall and I know it is going to be something stupid got user M*** and I know people are saying to go to the beginning but I must have missed something enumerating.. Please PM! Great so far haha

  • Type your comment> @nob0dy73 said:

    Type your comment> @bumika said:

    Type your comment> @nob0dy73 said:

    I just rooted the box and have some questions about the initial foothold. The way that r**s is set up on the box, is that a normal setup? I was surprised how my attack actually worked.

    There are more than one configuration items which bears the imprint of a CTF-like implementation. One of them is applying the DenyUser option in sshd_config, and an other one is using the command rename option in the r***s configuration file.

    Purpose of these settings are exclusion of alternative solutions.

    So this would be atypical of how a default r**s would be setup? From my understanding of how the accounts for services should be setup, even in a testing environment, is that none of my attacks should have worked. I'm just curious if this is something you actually see in the wild.

    I think several r***s services run as root and accessible without authentication in the wild. In that case all mentioned attacks can be successful.

    bumika

  • edited November 2019

    Someone can PM me a hint to get root? i have the user M*** and im in with his shell

    Edit: rooted

  • Very nice, I think this was my first root.

    All the hints are pretty straightforward. I would suggest a clean restart of the box before you get started; there are some pretty tempting configurations that can be changed, which will throw you off quite a bit.

    As a side note, for those that have completed it, I wrote a script for the r* part, but it doesn't work -- but when I run a few other commands (that are in the script) it lets me in. Anyone else seeing that?

  • edited November 2019

    Got user a few days ago, but it is very frustrating that people reset the box every time they think an exploit for the initial shell is not working, while it can easily be solved by a few simple commands to that could be sent to r***s that will solve the error message people get....

    STOP RESETTING WHEN THE SERVICE IS IN READONLY MODE, BUT JUST SEND THE CORRECT COMMANDS THAT FIX IT!!!

    Anyways:

    [email protected]:~# hostname; id; date
    Postman
    uid=0(root) gid=0(root) groups=0(root)
    Mon Nov 11 19:19:46 GMT 2019
    [email protected]:~# 
    

    Root was way to easy... the hardest part was fighting the resets...

  • edited November 2019

    Rooted. Thanks @Chantal2019 for the nudge. PM for hints.

Sign In to comment.