Dante Discussion

Just to give some hints like classic machine lab discussion:

Century box:

  • user: trust the information you have and persevere with your own content

  • root: enumeration scripts most likely give you the solution

  • Pivot: SSH and SOCKS are common tools to do this

Edit: Disregard! :smile: (Started the lab today. This was just a comment about filtered ports.)

Hi guys. I have been stuck at privesc on NIX02 from F to root for a few days now. I have identified that we must be talking about p***** lib**** h******** but I simply cannot make it work (seems like the way the script gets called does not execute the code?). I have watched all Ippsec’s videos about it and googled. Could someone please PM me a hint. Thanks

Just to give some hints like classic machine lab discussion:

NIX02:

  • user: sometimes read is more useful than execute

  • root: read files again

@michael7474 said:

Just to give some hints like classic machine lab discussion:

NIX02:

  • user: sometimes read is more useful than execute

  • root: read files again

You are right, thank you!

Hmm… I got the first flag reasonably quickly, but am quite stuck with the second flag. After looking at the interesting information, I know that the target was not very wise. I’m assuming r******.*** is not the right way?

Edit: Finally got second flag… The small nudge from @michael7474 above helped! :smile:

Any nudge on NIX02 root? I’ve read the user flag but can’t seem to find anything regarding getting root. All possible paths for the vuln have been enumerated with no luck.

Hola everyone. Hoping to have a sanity check here. I’m on the initial machine. I’ve found the three ports, grabbed the info from the first, and have been trying for some time to brute force the WP login. Being as there doesn’t appear to be any vulnerable plugins or themes, I’m guessing the path is bruteforcing the login page.

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

Thanks!

@dievu5 said:

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

With a huge caveat that I haven’t looked at any of the prolabs, so I could be totally wrong, but in general this would be a sign that it’s not the right way to go. As a rule of thumb, HTB shouldn’t need long brute force attacks.

Hopefully someone who has done this box will be able to add more context.

@TazWake said:

@dievu5 said:

Is this correct? And if so, is it doable with rockyou or is something else necessary? I’m 46,000 passwords into rockyou and nothing yet.

With a huge caveat that I haven’t looked at any of the prolabs, so I could be totally wrong, but in general this would be a sign that it’s not the right way to go. As a rule of thumb, HTB shouldn’t need long brute force attacks.

Hopefully someone who has done this box will be able to add more context.

My guess too. I don’t really do anything on this platform, so not sure what to expect.

Anyways, a nudge in the right direction is certainly appreciated.

@dievu5 said:

Anyways, a nudge in the right direction is certainly appreciated.

Research a tool that can help you generate a custom word list based on what you have been able to access.

@limelight said:

@dievu5 said:

Anyways, a nudge in the right direction is certainly appreciated.

Research a tool that can help you generate a custom word list based on what you have been able to access.

So you’re saying that a password list I can create with CeWL isn’t going to have a password that’s already in rockyou?

Using cewl to create a word list from scraping a unique site may give you words not in rockyou.

@limelight said:

Using cewl to create a word list from scraping a unique site may give you words not in rockyou.

Well isn’t that something. Thanks for the suggestion. :slight_smile: Interestingly enough, I killed wpscan’s bruteforce at 147,000. The password isn’t far off above it.
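The exchange above ends with a WordPress login brute force that ran through 147,000 candidates before being stopped. Seen from the server side, that volume is easy to spot: every guess is one POST to wp-login.php from the same source in a short window, and wpscan announces itself in the User-Agent header unless that is changed. The following script is an added example, not code from the original thread or from any HTB lab; the access log lines it parses are constructed in the script, and the threshold and window values are assumptions a defender would tune for their own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak} for sources that POST to /wp-login.php more than `threshold`
    times inside any `window_seconds` window (sliding window, per source IP).
    Lines are expected in chronological order per IP, as a log file normally is.
    Note: WordPress answers a failed login with 200 (the form again) and a successful
    one with a 302 redirect, so a long run of 200s is the failure pattern."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop entries that fell out of the window relative to the newest request.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def scanner_user_agents(lines, markers=("wpscan",)):
    """Return {ip: set(markers)} for sources whose User-Agent contains a known scanner name.
    The default marker list is an assumption; extend it with whatever tools you care about."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = rec["ua"].lower()
        for marker in markers:
            if marker in ua:
                hits[rec["ip"]].add(marker)
    return dict(hits)


def _line(ip, ts, method, path, status, ua):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample traffic (not captured data): one scanner guessing passwords
    every two seconds, and one ordinary user logging in once."""
    base = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    scanner, user = "10.10.14.5", "192.168.1.20"
    scan_ua = "WPScan v3.8.7 (https://wpscan.org/)"
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
    lines = [_line(scanner, base, "GET", "/wp-login.php", 200, scan_ua)]
    for i in range(15):  # 15 failed guesses between t=1s and t=29s
        lines.append(_line(scanner, base + timedelta(seconds=2 * i + 1), "POST", "/wp-login.php", 200, scan_ua))
    lines.append(_line(user, base + timedelta(seconds=5), "GET", "/wp-login.php", 200, browser_ua))
    lines.append(_line(user, base + timedelta(seconds=20), "POST", "/wp-login.php", 302, browser_ua))
    lines.append(_line(user, base + timedelta(seconds=25), "GET", "/wp-admin/", 200, browser_ua))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("brute-force sources:", detect_login_bruteforce(SAMPLE_LOG))
    print("scanner user agents:", scanner_user_agents(SAMPLE_LOG))
```

On the constructed sample the scanner trips the default rule with 15 POSTs inside the 60-second window while the real user, with a single POST, does not. The sliding window rather than a flat count per hour is what keeps the rule usable on a busy site: it measures rate, so a slow-and-low guesser needs a proportionally longer window to catch, which is the trade-off to set when tuning the two parameters.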

Any nudge about NIX04? I can read some flags but did not manage to get a shell…

Any nudge with privesc on WS03? Thank you

Got all flags except the flag “Again and again”. Could anyone please point me in the right direction? Thanks :slight_smile:

@achsooistdas said:

Got all flags except the flag “Again and again”. Could anyone please point me in the right direction? Thanks :slight_smile:

Fully enum the DB on NIX04

What is happening to the Jenkins machine? Can’t access the webpage on its port. Can access anything else. If anybody used Jenkins to run their shell, please create a second one after that shell and stop the one on the Jenkins dashboard.