So I have found temp user creds,
Retrieved files under ruscanner etc.
Read them and Found a username and hash.
Read all the other files I can find like xmls but not just unsure of where to go, how I leverage this hash I don’t see any exe?
The high port doesn’t debug the hash either.
Despite the claims, this is really not an “easy” box. If this is your first one, you might struggle a lot with what is asked to get user/root. Dont beat yourself up about this, just accept the fact that this would have been better off marked Medium. You might even want to look at Open Admin instead as a nice starter box.
Having said this.
Read all the files. One points to a place you think you cant go, but you can. Go there and find the new stuff.
Use the new stuff to convert the hash you have into a password.
Use the username and password to access, this will allow you to find more stuff.
Use the new stuff you have to access the high port in a more meaningful manner.
Now you can find a more powerful user’s hash but you need to decompile the binary to know what’s changed when it comes to reversing it to a cleartext password.
When you get the cleartext password, you can go back to the first port and connect to the filesystem as the more powerful user. Root look awaits.
For those of you who are using Linux and hit the programming portion of this box. The lang here uses libs only available on Windows and it will not work on mono or anything that uses it. HOWEVER just use the portion of code that converts the pass
with Rfc2898DeriveBytes and dump the bytes to a file and convert the rest with python. EZ mode. Far easier then fighting with the lang on Linux for sure.
rooted,
What a journey that was.
I had fun for sure, but the user flag did my head in lol - not my strong point in the method used there but never give up - Fiddler is your friend (at least for me)
Thank you @VbScrub for creating this.