Official Blunder Discussion

@TazWake said:

@6uta said:

So, I should let go “l * d” ?

I don’t know what that is, but the short answer is “yes”.

Privesc is pretty simple if you do your enumeration.
Thank you.
I will just enumerate again from the beginning.


Rooted.
I found that I spent a whole day on enumerating a user which I should not enumerate.
My problem is super quick to switch from user H to user S…

Spoiler Removed

Hi,

I’m a bit stuck and could use a little help or a push in the right direction.

I have a shell like www … and I found an interesting file with two hashes. One from a user with which we could get a shell and a new one.

I identified the hash type and tested it with the known one. However, for the new hash I keep getting Exhausted, various word lists use a custom one and a frequently used one, the same for both.

Is this a rabbit hole and a completely wrong direction … or am I missing something?

Thanks for the push

@mrZapp said:

Is this a rabbit hole and a completely wrong direction … or am I missing something?

This is the correct direction. If it isn’t in your wordlist it won’t crack. Try an online tool such as a station which cracks.

@TazWake said:

@mrZapp said:

Is this a rabbit hole and a completely wrong direction … or am I missing something?

This is the correct direction. If it isn’t in your wordlist it won’t crack. Try an online tool such as a station which cracks.

Thank you,

With your tip, it took me less than ten minutes and a new file to explore to get out. Sometimes we just have a blind spot :slight_smile:

now to root

Spoiler Removed

Learnt some new techniques from this. Also I now have a 15GB wordlist to use in the future, if the popular one fails. This box was trickier than I expected, but I really liked it.

Rooted.

There is an abundance of information here in the forums, which was good for me because I was really stuck on finding the file with the initial foothold username. Once I got that, however, the rest was pretty easy. Also, you can ignore the screenshots. The information in them is unhelpful and inaccurate.

Super fun box, very straightforward and the machine felt “lived in” which is nice. I am so rusty and made so many dumb mistakes, but 2’ish hours isn’t too bad from boot to root after a 6-month break. Yay learning!

Foothold: enum the main service and its vulns, fuzz for some specific file extensions to find juicy info, keep your cool, and don’t forget to bring your towel. Defaults can be your downfall…

User: Directory enum (but not too far from where you start with your foothold account), hashcat or pyrit; beware: thar be red fish!

Root: There is a good John Hammond or LiveOverflow video (can’t remember which) on how to do the root privesc with an in-depth explanation, it was released in late 2019 iirc; gtfo of the recycling bins, and keep it to 1line.

PM me if you need some assistance, but I might be slow to respond.

The user was a bit tricky! Once you find the username, search for how to use cewl, and once you use it things should start to click!

Spoiler Removed

@himutyagi09 said:
Spoiler Removed

Watch the spoilers, please. :smiley:

I saw your post, before it was removed, and was having the same issue you were, but then saw several people in the forums saying they didn’t even use that tool at all but instead used a script developed by someone else. Do some Googling and see if you can find other tools which might exploit the vulnerability you found. When you find another tool, look the code over to see if anything needs to be changed before you run it. Then try using that other tool instead.

One other thing, I think it’s possible the reason the exploit fails sometimes may have something to do with “leftover” .******** files not being cleaned up. If that’s the case, maybe try rebooting the target system, setting up a ping process to see when it goes down (rebooting) and when it comes back up (reboot complete), and then send your exploit after it’s back up with the network online. The exploit may work more reliably on a “freshly rebooted” system.

Best of luck!

got root … need any help PM me

Finally rooted. I had some trouble getting a stable shell in the end. I had a problem elevating from the h user to root. If you are having a problem with seeing your privileges, figure out how to get a full nc shell.

is there a wordlist recommendation?

Hi, Need a little nudge on login…

Need a bit of help for initial. I found the username in a file using a web crawler. I then used cewl but I am not getting any matches. A nudge would help

Spoiler Removed

@juanhk said:

SPOILERS

watch the spoilers with that username and maybe the command.

To answer your question, it’s (basically) the same reason you didn’t have a prompt or anything for your shell. Look up how to upgrade your shell to a full TTY. I’ve had a lot of luck using python and python3.

Need a bit of assistance on this one please!

I have the credentials of user “f” and can log in, upload, etc. I have tried the 4****.py script but when I issue a command it does nothing. I tried to wget and I tail’ed my access.log and saw nothing. Tried ipconfig, whoami, nothing.

So do I need to do this manually, or is there something in the python script that I am missing?

Cheers!!