Postman

@nuxmorpheus01 said:

Hi guys. Starting to work on this machine but got stuck at the very beginning. Already found the service I am supposed to exploit to get the initial shell, but for it to work I need a username. How do you guys enumerate the usernames?

Maybe it's the wrong exploit/service to use? Enumerate more. Maybe you stumble across another service you can exploit.

The service I am trying on is the r***s. I think it is the same one everyone else is using.

I am such a noob. I've worked on this for 3 days and I know it's my first box, but I just can't get a start. I found the services R**** and W***** but have no clue what to do. I used dirbuster, nikto and burp on http but still, I am lost and do not know what I'm looking for. PM me for a nudge please.

First active box rooted. Learned a lot. PM if you need some hints.

Can someone PM me? I'm mega stuck on the foothold.

Found R****, but none of the exploits seem to be working. I tried tinkering around with the EDB options in metasploit, and even alternative exploit methods altogether, but nothing really seems to work here. Just errors / dead silence galore.

I have a little question. I don't know if I'm on the right path:

Redis (error)   NOAUTH Authentication required.

Currently on a low priv shell and found the key. But when I use it, it's giving me an error: Connection closed on port 22. PM me for nudges please.

Could someone PM me with help on user? The writeups for re** are not working.

Very good machine, takes time to reveal the right ports to attack, and it's important to learn from that lesson.

Initial: you need to use your tools, but pay attention to what you see. With time you will probably find many rabbit holes, but keep your goal in mind … creds.

User: this was very surprising, but quick to learn. It's obvious that even some of us forget to delete some older files; remember, older. So this is just a step to keep going.

Root: you have everything that you need. These last creds help you with the missing element for your first exploit, and done.

Thanks to creator, great machine, great lessons.

If this results in a spoiler, please remove.

Ok, so this is my second rooted box, thanks for those little hints, people.

Without you I would be stuck forever on just discovering the foothold service, hehe.
Also, the search for the manual exploit was a bit of a pain, but hey, I'm a beginner and it was very educative.

Initial: Don't use automated scripts, you can do it yourself manually; scan a wide range of ports.
Root: Well, I have read the user flag from the root account, so if someone knows how you would get to the user flag before actually owning root, could you please contact me?
But getting the root account is very easy; you most probably already saw that exploit when you were searching for the initial foothold. (protip: SSH is not the way)

Thanks for this box.

Is it possible that the root exploit is not working for some reason? I'm getting that the exploit worked but I can't get a session. I used the correct exploit; I've seen people writing about it not working sometimes. Can someone PM me if I'm doing something wrong?

Rooted!

Motto-of-the-box: "remember your past"

Initial:

  • Make sure to be thorough with your scans, this box is a sneaky one.
  • Blue isn't really my favorite color…
  • Don't be a script kiddie on this one; the best approach is often step by step.
  • Also don't be deterred if things don't work immediately, patience goes a long way in this phase.

User:

  • basic enumeration.
  • see motto.

Root:

  • see motto. Something you definitely found early on is going to be incredibly useful now.

Hopefully none of this spoils too much. Just wanted to give some guidance, as I think the initial stages were some of the more confusing parts, especially with others constantly editing / breaking certain parts of the box.

So I got the initial (I followed a well known text that seemed the least intrusive script-wise and didn’t take too much time…if people would stop flushing all my work every 5 seconds…)

Anyway, I also found the interesting i*.k file in the /**t/ directory.
I recently learned how to convert this file so my buddy J R can read it. But he is having a helluva time… over an hour and no progress. Other nudges here don't mention any rules or modifications needed, so should I change something else? What was the experience of those who cracked it already, about how long?

EDIT: As I was writing this he cracked it… interesting, because the only thing I changed is going through the steps again of getting the file from the box. I wonder if someone somehow changed the initial file I grabbed? Eh… either way, sorry to waste time!

I know I have to find the r**** service (from hints in the forum) but my nmap scan does not find anything about that. I am using this command:
nmap -sC -sV -T4 -oN result.nmap -p- 10.10.10.160
but I only find 22, 80, 10000. Am I doing anything wrong or does the box have some problems?

Never mind, I dropped all options and it works. I think it's because of machine latency.

Hi, I'm not very familiar with r… for the first step on the machine. If someone can point me, feel free to DM, thanks.

Stuck on this because r…-c… gives me "changing directory: permission denied". If someone can help, feel free to DM me.

For those who are still stuck on this machine:
User:
You need to look for a file whose contents you can decrypt.
After finding the file and decrypting it, just think about different ways that you can get into a local account.
Root:
A CVE is all you need. By using nmap you find some ports open; you used one of them already to gain foothold privilege, now you need to use another one to access root. Find that port and google for its CVEs.
CVE + metasploit + creds (you found) = root

when you find the CVE, look at metasploit options carefully, you need to change something which is not required!

Being someone that never used r**** I lost a couple of hours trying to understand why the candidate exploit does not work (and m** did not help by marking its exploit check as exploitable…). Then I switched to a more logical approach: read some pentesting guides for that service. Some minutes later I gained access to the machine, and from there it is just a piece of cake to obtain the user and root flags.

Postman rooted, success :slight_smile: next Traverxec

Hi,

I am having some problems with the initial foothold on this machine. I know that r**** has a couple of attack vectors, so I tried enumerating users with a custom python script so that I could connect with S**, but no matter what name list I use I can't find the home directory. The other vector I tried was trying to drop a shell to the webserver, and I can find the directory I want to drop the shell in, but when I try to save my key after creating it I get an error, which I assume is because redis doesn't have write access to that folder.

But if someone can help me with the initial foothold I’d be really glad. ^^
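The foothold everyone in this thread is hunting for exists because a Redis instance answers on the network without authentication, which is a server-side configuration problem. As an added example (not from the box or from any poster), here is a small Python audit of a redis.conf, with a constructed weak config next to its hardened counterpart; the directive names are real Redis ones, the values are made up.

```python
# Audit a redis.conf for the exposure pattern this thread revolves around.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed weak config: reachable from anywhere, no password.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so any client that reaches the port is in
dir /var/lib/redis
"""

# Constructed hardened counterpart.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
requirepass a-long-random-secret-set-at-deploy-time
rename-command CONFIG ""
dir /var/lib/redis
"""

def parse_conf(text):
    """Map directive -> list of values for active lines. Redis allows a
    directive to repeat (rename-command), so values are kept as a list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_conf(text)
    findings = []
    binds = " ".join(conf.get("bind", [])).split()
    if not binds or any(b not in LOOPBACK for b in binds):
        findings.append("bind: reachable on a non-loopback interface")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    # requirepass absent, or present but empty (""), both mean no auth.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: unset, NOAUTH will never be returned")
    # Unless CONFIG is renamed, a client can repoint dir/dbfilename at runtime.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still available")
    return findings
```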

@enpassant said:

Hi,

I am having some problems with the initial foothold on this machine. I know that r**** has a couple of attack vectors, so I tried enumerating users with a custom python script so that I could connect with S**, but no matter what name list I use I can't find the home directory. The other vector I tried was trying to drop a shell to the webserver, and I can find the directory I want to drop the shell in, but when I try to save my key after creating it I get an error, which I assume is because redis doesn't have write access to that folder.

But if someone can help me with the initial foothold I’d be really glad. ^^

The book mentioned previously gives you about 99% of what you need to know to get a foothold. You need to make some changes, largely around who you are trying to impersonate, but it is easy to work out.