Rooted
For root you don't need to edit anything; the file you find can do the job.
The most important thing is how to use the script. Once you know that, root is pretty simple.
Feel free to PM if you need help
Hello everybody
Can anyone hint me please with user? I found 2nd user creds and enumerated all in the S****L directory but can't find a way to get user.txt.
Can't understand where I'm wrong.
If you've connected as the second user, have you looked at their desktop?
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.
I connect by s*******t and can't find Desktop on u****$ (
I've tried so many users and passwords on this bitch. Figures that the one account I got MSF to come up with the right 'password' was disabled. Damn it all. I've been using all the four to six users that come up in the scans, all the 'typical' users you might see, and so many password variations, blanks, everything... Can it really be that obvious?
Annoyingly it really is that obvious when you find it.
All I can say is you might want to use CME rather than MSF and if you make a list of all the user accounts you can find and all the information you can find (domain names, profiles, usernames, timestamps, anything), you get it quite quickly.
The reality is if you've enumerated, you've seen the password.
Rooted. Fun box.
I've done many boxes harder than this one, but if it has taught me anything it was to just write down what I've found and chill. Think with what you have.
This post has everything anyone needs to root the box.
Foothold: What do you have? What has your enumeration told you? You can only go so far, so think what's the most important thing you need to continue. Before you bring in the big guns, try simple things. Sometimes the answer is just as simple.
User: Really a straightforward path from the foothold. You can do this, and then go there, etc. You'll get it.
Root: I only found a few relevant things to privesc, but one of them was screaming at my face, so I googled it and got root in under 10 minutes. There are some excellent writings, let me tell you.
Here are some of my tips to help those along the way.
Initial: Some people get hung up on the whole "lazy admin" advice. Let me assert as others have said, no brute-forcing is necessary and manually guessing (in my opinion) is generally wasteful because we don't all think the same. There is a tool that can test login credentials for the discovered port/service, and it contains a single variable you can set that'll help you get that initial foothold, provided you've done enough enumeration in obtaining usernames.
User: After you get a positive hit, you can use another tool to poke around and look for another set of credentials that are necessary to obtain user. Recursively searching through said service is suggested, as what you're looking for is fairly common.
Root: Standard user enumeration is required. What role does this user have? Are there any non-standard programs installed? Where can you write to on the system? Contrary to what some had indicated, I experienced absolutely no issues with AV. If one method of file transfer onto the target isn't working, what other ways are useful? There are several posts that cover the root attack vector in various degrees of specificity; look for one that contains PoC or at least links to code.
Happy to help, but please PM me with where you are, what you've tried, etc - and I'll give you some advice.
RE: Initial -- is Sp***a the tool you are referring to?
After getting root today thanks to @TazWake and @VbScrub, now my review for this box.
The first step was also the most frustrating, but mostly because I just couldn't believe that I didn't try that earlier ...
User: the 2nd creds and user are pretty straightforward. You even get a hint at what will be waiting for you during your search for root.
Root: involved a lot of enumeration and searching for me. And when I finally found the right thing I still struggled ... but in the end I got root
LIES I TELL YOU !!! LOL :: User: the 2nd creds and user are pretty straight forward
I have enumerated LP // I have list of users // I have used RC***** and scrapped all there is. Please assist.
HELP
I hate that this is purely a guessing game. I have tried all the realistic bad passwords I can think of. I feel as though it should be disclosed somewhere or have a technical means of finding it...
yes I'm just frustrated... Also VbScrub gave a good tip to reduce time.... but I'm still stuck on "guessing" a password.
EDIT: GOT User... always check syntax!!! Thank you to those that assisted kicking me in my brain!
Interesting machine, learned a couple more useful tools. Thanks to those of you who posted hints, including @th3y , @VbScrub, @TazWake .
User is easy, but not always so easy to guess...really dumb and lazy, as they say.
Root is like @plackyhacker said, doesn't require any modification to script, whatsoever. I had to place two files on the machine, an .exe and a .dll. It ran quickly and perfectly. The script started out as a Python version, and then someone turned it into another version.
Thanks @egre55 , for the machine. This was my fifth...
I have used enum4linux to brute usernames, but there is an error. Why is this?
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
Try a different tool.
The problem with "enum" type scripts is that they run a lot of things and if you don't fully understand what they are doing, the output can be a bit confusing/overwhelming/misleading.
For example, I have zero idea why this response would happen, but it does imply it isn't the best tool for this job.
I'm tearing my hair out with this easy to guess/lazy password. I've enumerated the list of user names but despite looping them through what feels like every obvious password I can think of, I've had no joy. Based on output from early enumeration, I've been poking at S**. Is that where I've gone wrong?
Your approach is correct. Take all the information you have right now - domains, obvious passwords, guesses, accounts, etc., and use that as the password list to try.
When you get it, you will realise you currently have the password.
I have enumerated all 10 users. I'm not seeing it. Please DM me some direction.
@rootshooter said:
We meet again
Got root.
I needed more than a few hints to get me going on this one. A few of the chaps on here introduced me to a few new tools to play with. Always good to add things to the toolbox.
Special shout out to @grav3m1ndbyte who became my shepherd through the cloud (hint) and steered me toward a vector I hadn't even considered!
Going Full Caveman during isolation. No shaving any hair for the duration.
@TazWake said:
I connect by s*******t and can't find Desktop on u****$ (
@khekhe said:
Ok. Try Evil (which works) or the file system share (I don't know if this works)
Root.
Thanks to @rootshooter again.
Can someone confirm that the article with the PoC that everyone is talking about here was written by a D-j M****** ? Or do I have to keep searching?
@TazWake Thanks for the tip... OK, got it. I didn't have to enumerate anymore. I just had to look harder at the enum4linux output, and it was right near the top...dumb, really dumb.
@SpiffyLich Thanks for your tips, as well.
EDIT: Crap, thought that would work, but nope
Got a different output, but wasn't what I thought...oh, well...on to the next thing.
What is the best way to use CME? I ran it, and seems like it does the exact same thing as MSF smb_login.
2nd EDIT: OK, nevermind. Just one of them I hadn't tried, but yes, easy to guess, actually.
@nebulousanchor said:
Please share said "good tip to reduce time"
TYIA
@Hackalicious said:
He's referring to a comment I made in this thread. Look through the thread and find it
My youtube tutorials: http://youtube.com/vbscrub
Twitter: https://twitter.com/VbScrub
@Hackalicious said:
You have the credentials you need to access the system. Try a tool which enumerates S**.
C*********** works here.
Note: https://www.nohello.com/
Rooted
User: Enumerate, try things that happen in real life with the users you meet.
Root: needs some help investigating. Thanks to @plackyhacker for help. Once you know how the process works, it's not complex.
@TazWake said:
Thank you for your hint) user done
@secucyber said:
I have enumerated ldap. been looking and looking. I don't see it. Please DM me some direction. TYIA
Stuck looking at ldap. LOL
Please assist