Postman

got the foothold via manual process, owned user M*** now working on root. love the challenge.

Update - got roots

Fun box! Feel free to pm if you need help.

Tips (most of which have been covered, redact as necessary):

Initial: Many will find the initial foothold to be the most time consuming. There is enticing low hanging fruit, but hold off until you’ve done a full scan to see what you can work with. The vulnerable service has plenty of documentation and scripts available, but will require a little code bending to suit your environment. Read the documentation on the vulnerable service and figure out what commands will allow you to enumerate the system. Read error messages, too - they’re well covered for what you need to get your initial foothold.

User: System enumeration is much easier now. Acquiring user credentials is very similar to OpenAdmin and Traverxec, but you may find another step is necessary. So understand why it’s occurring and try moving laterally.

Root: Don’t forget your initial enumeration and see if you can fill in the blanks. At this stage, if you’ve documented what you’ve come across thus far, it’s all on you to put the pieces together and you will have root. It’s not uncommon for folks to inadvertently get root before user.

Okay, so I got both flags at the same time. I must’ve missed something along the way…

Spoiler Removed

@iSmarsh said:

I’ve tried using the method on the Ethical Hacker cookbook, everything seems to work fine (I’ve written an .sh script to automate it all) but once it attempts to ssh in using my id_rsa key, it also asks for password. Any idea how to bypass this? Am I on the right path or is there something I’ve missed?

Please ignore the above! I had to set the correct user :wink:

I have the same problem! How have you solved it?

ROOTED

Anyone able to ssh into the box? I have the passphrase and the priv keys. "Connection closed by 10.10.10.160 port 22" is what I get.

any nudge will help. Please PM me

got user. up next root.

ROOTED. PM FOR HINTS

got user, now we’ll try root

Changing the directory in r**** gives me a permissions denied. I also tried s** as root and get asked a password when both keys are set up.

Got root before user. I think I did this a more complicated way than what was needed. Thanks for a good box!

Hi,
Can anyone give me a nudge in PM for this box please?
I’ve found the r—s port, I managed to get c-----t key and r-- backup.
But now I’m locked, john doesn’t want these files.
Thanks

@MrCrame said:

Hi,
Can anyone give me a nudge in PM for this box please?
I’ve found the r—s port, I managed to get c-----t key and r-- backup.
But now I’m locked, john doesn’t want these files.
Thanks

Check to see what exploits exist for r—s, with one of them, you can have a shell with low privileges.

In my case I did it manually, it’s not complicated, it’s like 4 or 5 steps that you have to do.

Driving me mad this box! lol. I have tried all sorts of different approaches, and just as something looks promising, 2 minutes later I do the exact same and get different results. Grrrr

I suspect the correct approach is to import my own ssh keys, but I still can’t connect.

If anyone can help me along with a PM, I would be grateful.

rooted.

Initial foothold was the hardest part for me and took the most time. Spent way too much time on getting the path right. Once the access was there, user and root were easy.

Rooted. PM if you need help. Foothold requires some enumeration in the file system, then after that the steps are similar to OpenAdmin.

Rooted, PM, if you need help.

got both flags :slight_smile: this was fun and educational! Thanks to @jlsangom for the nudge !! #respect

Can someone point me in the right direction please? Connected via r***** able to view c*t and copied it over. Now I got ask john to convert since it’s “invalid”?

Hello, found r… port, logged in, tested with m…t but no luck, tried to save my i…ey to the a…keys for the user that already has the p…b key on the machine.
I see the k…y is written with a lot of “\n”, but not able to login. Any hint, not an expert in redis, found also there is a s… user.