Zetta

@noi said:

Im badly stuck user to get p***** shell. I found creds, found exploit, I cant figure l***** parameters. Any nudge after for this

All I can really say is lots and lots of trial and error. I didn’t find a good resource on this and as others have asked, I didn’t keep a note of my final choices.

Try different escape characters and look up the various syntax options for the initial tool.

Finally:

id
uid=0(root) gid=0(root) groups=0(root)

I learnt alot from that box, but I dont like that last guessing part!

Generally nice box! If need help you can ask about in pm.

got a “shell” of ps, but don’t know where to go next
checked r
g config using g
* s***, but seems that it will only write to a table of p******s
if it is reading the table, then i know it is injectable, but it is writing only, not sure how to inject

Finally~~~

root@zetta:~# id
uid=0(root) gid=0(root) groups=0(root)

Learned a lot from the box.

hi I have an i**6 ending on e2c6 but when I try to use it I get No address associated with hostname

Is it the correct address?

Please advise

Type your comment> @jvlavl said:

hi I have an i**6 ending on e2c6 but when I try to use it I get No address associated with hostname

Is it the correct address?

Please advise

The Ipv6 adress changes everytime zetta resets

I got shell for r** but stuck on post****. I found the bad creds in g** but not sure where to go next. DM if anyone has any hints

After 6 hours its enough for today. I’ve gotten nowhere but learned alot :smiley:
Thx in advance for this machine.

Really stuck on the s*** syntax for p******* user. A little nudge would be greatly appreciated!

Got user, funny so far. Curious for root. If somebody stucks, just give me a PM.

I’ve been bruting poor r** for the past 6 and half years. I’ve tried custom bash scripts, custom nmap. And manual caressing with IT Crowd related references. I feel like I’m not understanding the more than generous hints already provided… Can anyone nudge?

Edit: Got it, wasn’t using r***c correctly. :confused:

Got user flag, but can’t seem to get foothold. Any hints?

Great box, thanks @jkr!

I like machines that use less hyped but often used protocols and presents some vulnerabilities belong to them. There are a few nice concepts in Zetta, and I think the user access part is extremely good. The first part of the root access caused several frustrating hours but finally I managed to understand what @f00l8r1t3 had wrote. Thx for it.

finally!!!

root@zetta:~# id
uid=0(root) gid=0(root) groups=0(root)

Hey. I’m on foothold part. Is it really required to scan the ip6? I think it is a rabbit hole. It takes around 6 hours straight to scan it. But got nothing yet, it is at 99.99% for more than a hour. I really feel helpless here. Anyone please give me a hand to overcome this ip6 nmap part.

Remember “ping ipv6” still works for me, no reset was done. Got my head locked into the scanning part.

@gunroot said:

Hey. I’m on foothold part. Is it really required to scan the ip6? I think it is a rabbit hole. It takes around 6 hours straight to scan it. But got nothing yet, it is at 99.99% for more than a hour. I really feel helpless here. Anyone please give me a hand to overcome this ip6 nmap part.

Remember “ping ipv6” still works for me, no reset was done. Got my head locked into the scanning part.

I dont think you need to scan all 65536 ports on the IPv6 address, but it shouldn’t take that long - its an identical TCP scan to a full port scan on IPv4.

Is throwing rocks a requirement for getting the user?

finally rooted, this was very interesting box, thx @jkr

root@zetta:~# hostname; id;ip addr show|grep inet
zetta
uid=0(root) gid=0(root) groups=0(root)
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 10.10.10.156/24 brd 10.10.10.255 scope global ens32
inet6 [removed]/64 scope global dynamic mngtmpaddr
inet6 [removed]/64 scope link
root@zetta:~#

A bit annoyed that the IPv6 address changes sometimes.
I found the higher port and service, queried it for enumeration.
Stuck there.
I see people commenting about bruteforcing the creds for the user? like ssh bruteforce?

I’m logged as r** but I cant go further…
I’m a bit lost for the p******s shell everyone is talking about.
I found the password but it looks like a rabbit hole.

If someone can PM for this part pls. I’m already guesssing what to do after that, this another service looks pretty interesting…