Zetta

After 6 hours it’s enough for today. I’ve gotten nowhere but learned a lot :smiley:
Thx in advance for this machine.

Really stuck on the s*** syntax for p******* user. A little nudge would be greatly appreciated!

Got user, funny so far. Curious for root. If somebody is stuck, just give me a PM.

I’ve been bruting poor r** for the past 6 and half years. I’ve tried custom bash scripts, custom nmap. And manual caressing with IT Crowd related references. I feel like I’m not understanding the more than generous hints already provided… Can anyone nudge?

Edit: Got it, wasn’t using r***c correctly. :confused:

Got user flag, but can’t seem to get foothold. Any hints?

Great box, thanks @jkr!

I like machines that use less hyped but often used protocols and present some vulnerabilities belonging to them. There are a few nice concepts in Zetta, and I think the user access part is extremely good. The first part of the root access caused several frustrating hours but finally I managed to understand what @f00l8r1t3 had written. Thx for it.

finally!!!

root@zetta:~# id
uid=0(root) gid=0(root) groups=0(root)

Hey. I’m on foothold part. Is it really required to scan the ip6? I think it is a rabbit hole. It takes around 6 hours straight to scan it. But got nothing yet, it is at 99.99% for more than an hour. I really feel helpless here. Anyone please give me a hand to overcome this ip6 nmap part.

Remember “ping ipv6” still works for me, no reset was done. Got my head locked into the scanning part.

@gunroot said:

Hey. I’m on foothold part. Is it really required to scan the ip6? I think it is a rabbit hole. It takes around 6 hours straight to scan it. But got nothing yet, it is at 99.99% for more than an hour. I really feel helpless here. Anyone please give me a hand to overcome this ip6 nmap part.

Remember “ping ipv6” still works for me, no reset was done. Got my head locked into the scanning part.

I don’t think you need to scan all 65536 ports on the IPv6 address, but it shouldn’t take that long - it’s an identical TCP scan to a full port scan on IPv4.

Is throwing rocks a requirement for getting the user?

finally rooted, this was very interesting box, thx @jkr

root@zetta:~# hostname; id;ip addr show|grep inet
zetta
uid=0(root) gid=0(root) groups=0(root)
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
inet 10.10.10.156/24 brd 10.10.10.255 scope global ens32
inet6 [removed]/64 scope global dynamic mngtmpaddr
inet6 [removed]/64 scope link
root@zetta:~#

A bit annoyed that the IPv6 address changes sometimes.
I found the higher port and service, queried it for enumeration.
Stuck there.
I see people commenting about bruteforcing the creds for the user? like ssh bruteforce?

I’m logged as r** but I can’t go further…
I’m a bit lost for the p******s shell everyone is talking about.
I found the password but it looks like a rabbit hole.

If someone can PM for this part pls. I’m already guessing what to do after that, this other service looks pretty interesting…

Well, finally I rooted.

This box’s pure pain for me. Big thanks to @TazWake, without his support I wouldn’t have been able to solve this box.

## These are my hints

User

  • After initial dir listing, don’t waste your time, focus on the service.
  • Try to find a way to obtain the “other” IP of the machine. A tool is available.
  • When you have the “other” IP start the process again and you will discover a new service.
  • Fuzz this something new to discover the special dir and brute for the password. You have to do it on your way. Be careful with the speed of the process.
  • Get the shell.

Root

  • Find across the files that you get in the first part and try to realize what’s happening with the logs and how it’s configured. If you need to, you can try to reproduce it locally.
  • Discover the DB system and fight with it.
  • You will need to get a previous shell before the jump to root.
  • Discover the common thing to everyone and use it (I wasted 1 hour before I realized). Enumerate, enumerate and enumerate.

I hope that it isn’t considered a spoiler. If it is, delete it.

Thanks!

If you need help, feel free to ask!

@luminougat said:

… First, I developed a poc working on a local environment, it translated to the box without issues and due to some “attacker-friendly” settings I didn’t have activated (was using the default settings on the local environment) the actual exploitation process was easier than expected… If you’re stuck at that point I guess its a good idea to mirror the environment in a certain aspect as best as you can and use all the debugging options available.

Losing my mind here. I’ve mirrored and matched almost exactly (ident shouldn’t matter?) and hit it with so many different combinations of escapes and not escapes and tweaking possible “attacker-friendly” settings and l----r from a file or from echo -e .... I just can’t for the life of me get rid of the ■■■■ escaped q----s.

Someone take pity with a nudge?

Edit: Thanks to @bumika @tmogg and @ekenas for the nudges. Sad to say I was unaware of that feature. Rooted and finally put to bed.

@resonant said:

@luminougat said:

Losing my mind here. I’ve mirrored and matched almost exactly (ident shouldn’t matter?) and hit it with so many different combinations of escapes and not escapes and tweaking possible “attacker-friendly” settings and l----r from a file or from echo -e … I just can’t for the life of me get rid of the ■■■■ escaped q----s.

Someone take pity with a nudge?

You need only one q… because you can use another element in other places.

Rooted cool box if you need hints pm me on discord icoNic#0097

Wow great box, bashing my head in all the way. Very cool exploits all the way around.

@s1m00n said:

Got user, funny so far. Curious for root. If somebody is stuck, just give me a PM.

uid=0(root) gid=0(root) groups=0(root)
Great box. Good design with hints all the way. Thanks for it.