Dante Discussion

Anyone able to give some hints for moving off the foothold machine? I’ve found a few things and got a few ideas but having trouble getting anything to work.

hello everyone, i feel like i’m running in circles enumerating the DC-01… i’m stuck on WS-01 and SQL-01 too, anyone has an idea on what to do?

Anyone out here who can help me out a bit on the initial foothold? Got first flag, know which user to target, got the text file, however, rockyou is not helping me out at all. Been stuck pretty long ;c

@Mayseve said:

Anyone out here who can help me out a bit on the initial foothold? Got first flag, know which user to target, got the text file, however, rockyou is not helping me out at all. Been stuck pretty long ;c

for a hint on foothold feel free to dm me

Anybody out there willing to give me a pointer on the foothold for DANTE-SQL1 or the box running Jenkins?

@f3eDme said:

hello everyone, i feel like i’m running in circles enumerating the DC-01… i’m stuck on WS-01 and SQL-01 too, anyone has an idea on what to do?

Edit: Got both DC-01 and WS-02 (mistyped the first time), moving on to SQL-01

Anybody completed the Jenkins box? I have a hunch of what is required, however I’m not sure how to pull it off without a POC?

Have completed half the lab, so PM me if anyone needs pointers, and i may be able to help.

I’ve got everything but WS02. Based on the flag name and position in the list I have a hunch about what computer I might need to look at for a foothold on WS02, but I haven’t found a way yet. Would appreciate a hint…

Also willing to give hints on the other machines. Just PM me.

Edit: Finally got it. Thanks for feedback.

Got the 1st flag. Can anyone give me a nudge on the 2nd? I have an idea and I’m trying it; if not this, I don’t know. Can someone DM me a hint please? Thank you!

Guys, is the .100 w*******s pass changed? Cause I can’t login.

Just to give some hints like classic machine lab discussion:

Century box:

  • user: trust the information you have and persevere with your own content

  • root: enumeration scripts most likely give you the solution

  • Pivot: SSH and SOCKS are common tools to do this

Edit: Disregard! :smile: (Started the lab today. This was just a comment about filtered ports.)

Hi guys. I have been stuck at privesc on NIX02 from F to root for a few days now. I have identified that we must be talking about p***** lib**** h******** but I simply cannot make it work (seems like the way the script gets called does not execute the code?). I have watched all Ippsec’s videos about it and googled. Could someone please PM me a hint. Thanks

Just to give some hints like classic machine lab discussion:

NIX02:

  • user: sometimes read is more useful than execute

  • root: read files again

@michael7474 said:

Just to give some hints like classic machine lab discussion:

NIX02:

  • user: sometimes read is more useful than execute

  • root: read files again

You are right, thank you!

Hmm… I got the first flag reasonably quickly, but am quite stuck with the second flag. After looking at the interesting information, I know that the target was not very wise. I’m assuming r******.*** is not the right way?

Edit: Finally got second flag… The small nudge from @michael7474 above helped! :smile:

Any nudge on NIX02 root? I’ve read the user flag but can’t seem to find anything regarding getting root. All possible paths for the vuln have been enumerated with no luck.

Hola everyone. Hoping to have a sanity check here. I’m on the initial machine. I’ve found the three ports, grabbed the info from the first, and have been trying for some time to brute force the WP login. Being as there doesn’t appear to be any vulnerable plugins or themes, I’m guessing the path is bruteforcing the login page.

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

Thanks!

@dievu5 said:

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

With a huge caveat that I haven’t looked at any of the pro labs, so I could be totally wrong, but in general this would be a sign that it’s not the right way to go. As a rule of thumb, HTB shouldn’t need long brute force attacks.

Hopefully someone who has done this box will be able to add more context.

@TazWake said:

@dievu5 said:

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

With a huge caveat that I haven’t looked at any of the pro labs, so I could be totally wrong, but in general this would be a sign that it’s not the right way to go. As a rule of thumb, HTB shouldn’t need long brute force attacks.

Hopefully someone who has done this box will be able to add more context.

My guess too. I don’t really do anything on this platform, so not sure what to expect.