Zetta

Rooted cool box if you need hints pm me on discord icoNic#0097

Wow great box, bashing my head in all the way. Very cool exploits all the way around.

Type your comment> @s1m00n said:

Got user, funny so far. Curious for root. If somebody stucks, just give me a PM.

uid=0(root) gid=0(root) groups=0(root)
Great box. Good design with hints all the way. Thanks for it.

Finally got root. A great machine with a lot a techniques involved. @bumika @icoNic Thanks for your help. I learned a ton in this box which I didn’t before. Thanks for the creator.

root@zetta:~# whoami; id
root
uid=0(root) gid=0(root) groups=0(root)

I don’t know what I’m doing wrong but I’m stuck bing the r service. I’ve tried thousands of times. I don’t know the username either. First I tried the common ones like a**** or r*** but they didn’t work so I tried guessing r** and didn’t work either. Any hints?

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Is there other useful folders to help me get a shell ? at the moment my home made dirb isn’t finding anything

Type your comment> @chiefgreek said:

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Is there other useful folders to help me get a shell ? at the moment my home made dirb isn’t finding anything

Before you start b**** the r**** connection, you should get, read and understand the r**** configuration file.

@avz7 said:

I don’t know what I’m doing wrong but I’m stuck bing the r service. I’ve tried thousands of times. I don’t know the username either. First I tried the common ones like a**** or r*** but they didn’t work so I tried guessing r** and didn’t work either. Any hints?

You can use the service to dump a folder which contains what you need to find out what users are on the system.

Then a brute force approach has at least some hope of success.

@chiefgreek said:

I’m trying to b**** the r**** folders. Have written a bash script using the r**** command for listing. I’ve got a user from known p*** file. Is there other useful folders to help me get a shell ? at the moment my home made dirb isn’t finding anything

If you’ve got the right user, you are on the right track to get a shell. If you get the user’s password you can do much more with their account and this service.

The syntax is killing me. Replicated the environment and I see what is transmitted but no success with escaping. Happy for hints

root@zetta:~# id
uid=0(root) gid=0(root) groups=0(root)

It was an outstanding experience! Thank you, @jkr.

Small hint for everyone struggling you now where :

Nice one @jkr! Tu sir for a fine box. Not must of a hint for others other than when the penny finally drops on the info you have to privesc to root… you will double face palm yourself so hard for not seeing it earlier! lol!!

Nice machine, second user is the best part, root Is simple if you pay close attention to the note :wink:

I don’t know how to go beyond this error in r**** when I try to access any module

@ERROR: access denied to bin from UNDETERMINED (dead:beef:4::1234)

I though of using the f** server to do a bounce but I don’t think there’s any way to read the response while you send. You can only do one thing for a connection.
Any help?

Type your comment> @avz7 said:

I don’t know how to go beyond this error in r**** when I try to access any module

@ERROR: access denied to bin from UNDETERMINED (dead:beef:4::1234)

I though of using the f** server to do a bounce but I don’t think there’s any way to read the response while you send. You can only do one thing for a connection.
Any help?

One feature of rsync is that it is possible to whitelist certain modules as you have noticed when getting that error. Maybe there are other modules available but you can’t see them due to how the rsync is configured.

@ekenas Thank you, that was very helpful. I didn’t know modules could be unlisted like that. +respect

Okay, how many “rocks” do I need to throw at r****? I’ve thrown the top 500k rocks from my big sack of “rocks” so far with my script so far. Is it actually supposed to be so far down?

Type your comment> @avz7 said:

Okay, how many “rocks” do I need to throw at r****? I’ve thrown the top 500k rocks from my big sack of “rocks” so far with my script so far. Is it actually supposed to be so far down?

You know name of a few modules, don’t you? It is easy to guess what is missing.

@bumika Yeah, I found that. I was talking about the r**** password for r**