Postman

I got a shell on Postman. Having an issue downloading the root.txt for the hash. Anybody else having an issue navigating with the Python shell?

My very first box rooted. Definitely not an easy process.
Thanks to the community for the amazing support!

̶C̶a̶n̶ ̶a̶n̶y̶o̶n̶e̶ ̶c̶o̶n̶f̶i̶r̶m̶ ̶i̶f̶ ̶t̶h̶e̶r̶e̶’̶s̶ ̶a̶ ̶p̶r̶o̶b̶l̶e̶m̶ ̶w̶i̶t̶h̶ ̶t̶h̶e̶ ̶s̶h̶e̶l̶l̶/̶m̶a̶c̶h̶i̶n̶e̶?̶ ̶I̶’̶v̶e̶ ̶u̶s̶e̶d̶ ̶t̶h̶e̶ ̶u̶s̶e̶r̶ ̶c̶r̶e̶d̶e̶n̶t̶i̶a̶l̶s̶ ̶I̶ ̶f̶o̶u̶n̶d̶ ̶(̶M̶̶̶̶ ̶a̶n̶d̶ ̶c̶̶̶̶̶̶̶̶̶̶̶8̶)̶ ̶ ̶a̶n̶d̶ ̶u̶s̶i̶n̶g̶ ̶t̶h̶e̶ ̶e̶x̶p̶l̶o̶i̶t̶ ̶o̶n̶ ̶m̶̶f̶ ̶g̶o̶t̶ ̶i̶n̶.̶ ̶I̶’̶v̶e̶ ̶b̶e̶e̶n̶ ̶u̶n̶a̶b̶l̶e̶ ̶t̶o̶ ̶n̶a̶v̶i̶g̶a̶t̶e̶ ̶d̶i̶r̶e̶c̶t̶o̶r̶i̶e̶s̶ ̶i̶n̶ ̶W̶̶̶̶̶*̶ ̶a̶n̶d̶ ̶c̶a̶n̶ ̶o̶n̶l̶y̶ ̶s̶e̶e̶ ̶f̶i̶l̶e̶s̶ ̶i̶n̶ ̶t̶h̶e̶ ̶o̶n̶e̶ ̶f̶o̶l̶d̶e̶r̶.̶ ̶c̶d̶ ̶c̶o̶m̶m̶a̶n̶d̶ ̶d̶o̶e̶s̶ ̶n̶o̶t̶ ̶w̶o̶r̶k̶,̶ ̶w̶h̶o̶a̶m̶i̶ ̶s̶h̶o̶w̶s̶ ̶r̶o̶o̶t̶ ̶-̶ ̶b̶u̶t̶ ̶n̶o̶t̶h̶i̶n̶g̶ ̶w̶o̶r̶k̶s̶.̶ ̶C̶a̶n̶ ̶a̶n̶y̶o̶n̶e̶ ̶t̶e̶l̶l̶ ̶m̶e̶ ̶w̶h̶a̶t̶’̶s̶ ̶h̶a̶p̶p̶e̶n̶i̶n̶g̶ ̶h̶e̶r̶e̶?̶ ̶I̶t̶’̶s̶ ̶b̶e̶e̶n̶ ̶t̶h̶i̶s̶ ̶w̶a̶y̶ ̶f̶o̶r̶ ̶m̶o̶r̶e̶ ̶t̶h̶a̶n̶ ̶a̶ ̶d̶a̶y̶ ̶s̶o̶ ̶f̶a̶r̶.̶

Edit: nvm, I figured it out. It was right there, dunno how I missed it.

Just rooted!

For the ones who are stuck after finding M*** and c****8, just think where else you can use this other than the UI (for owning user). Think simple.

I can help without spoiling from PMs as well.

SSH connection time out. ???

Finally rooted this box too. The user own was very easy… I had more difficulty with the root flag. It’s an Easy box: all you need is good enumeration, find all the credentials and use them to get root. The right exploit is the key, from my perspective.

Rooted! Nice box, thanks to TheCyberGeek.

PM if you want hints

I am trying to run the r****s exploit, but I get the below error. As a noob, I am unsure of what to do to resolve this… Help :) Please

Exploit failed: Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/r**s/module.c
[*] Exploit completed, but no session was created.

Rooted! Thank you @TheCyberGeek, learned a lot about a certain service.
Foothold: That service isn’t supposed to be public-facing…
User: Enumeration will give you something to use on that other service. Flag will not come until later.
Root: searchsploit

PM me if you need any help!

Rooted. Almost gave up on getting initial shell. Went through all the hints here and still wasn’t searching in the right place for the longest time. Once I got the shell, L*****m quickly found the interesting file. After that, escalated straight to root via W****n exploit. Very new at this, so every box is a learning experience. Thanks, @TheCyberGeek!

Hey guys, I am at what I think is the final part of the box. I got entry shell then user creds for *T. Tried said creds for the high port number, logged in and came right there, moved on to M but keep getting an "Exploit failed: Errno::ENOTCONN Transport endpoint is not connected - getpeername(2)" error when I try to run the exploit. Have I missed something? This has been going on for a while now. A gentle nudge would be appreciated. P.S. If I have given away too much info here, PM me and I will delete.

EDIT:
Nevermind, got him! In front of my eyes the whole time as usual! Rooted!

I’m stuck trying to figure out how to find usernames on the system. I’m aware of r****-c** and I believe I know the exploit, but it needs a username, and I’m new enough at this that I’m having trouble figuring out how to find it. Any hints?

Found the webmin password with hydra [10000][http-post-form] host: 10.10.10.160 login: root password: XXXXXXXXXXXXX.

When I try to log in I keep getting this message: Access denied for 10.10.14.X. The host has been blocked because of too many authentication failures.

Help?

whoami
root
id
uid=0(root) gid=0(root) groups=0(root)

Exploit for user was hard to find, but root is very easy.

Wow, that r****s did a number on me… we keep overwriting each other lol
Anyway, thanks for the box.
All the exploits are CVEs, good luck.
Peace out.

Rooted! I really enjoyed this machine!
User exploit and root exploit are pretty easy to find online.
Thank you for all the tips!

Just rooted Postman !!! thanks to @Schex @AidBucket @Arbitrary @Maddy

Rooted finally and learned so much about r****s on this one. Thanks to all those who gave tips.

@xorcist said:

Finally got root privilege. Straightforward box.
Everybody knows enumeration is key, but I missed it and got stuck in a rabbit hole.
I generally use ‘nmap -sC -sV’ options, but do we always have to use an nmap deep scan at the first stage? Once we investigated a few vulnerabilities against unusual services, the following processes were similar to Traverxec. If anyone is still in the cloud, message me. :)

@fearlessmcp said:
I found ik and I decrypted it and I got c8. Then I used it to log in as user @M*** but it says Connection closed by 10.10.10.160 port 22

Same here… no luck