Poison

@dodoa4 said:
how can x11 service (vnc) help me in the challenge?
can someone pm me a hint or resource

I am working on the same page…
Actually I can c, two services that look promising: One is the 3-letter you mention, the other one is s******il service.
Currently I’m focused on the 1st one…

  1. I have made port forwarding to test it (ahm… access it) from my local box but no luck.
  2. Trying to import (the secret) as… config file or something… no luck.
  3. Trying to execute the secret on the server or locally… no luck
  4. Trying to pass the secret in a connection to specific port (using netcat)… no luck…

the question is… am I on the correct path… or am I totally lost?

thnx for your enlightenment :wink:

This link was already posted before, but I drop it in again. Read it. But most important, understand it. Understand how it works together, and also how the components work. You have to understand the services to see the next step. And I mean it. Don’t just think you know how it works, but know it. Maybe you know the general usage of the services, but do you know all the options they have? Know how it can work and what the possible options are. When you get that, the picture will be complete. https://www.cl.cam.ac.uk/research/dtg/attarchive/vnc/sshvnc.html

@Thiseas

I have followed the same path, tried everything you have tried as well, I feel that I’m very close and going in the right direction, but I’m stuck here, unable to progress further going by trial and error, realizing that I have no idea of what I’m doing and I definitely lack the knowledge required to understand this box.

I’m still searching for a hint or an idea while trying different random things, reading papers, as well as learning how the service in question works, but I still miss something… I got the user access easily but I have spent the past 3 days trying to find a way to get the root account. I guess I’m going to put this box on hold for a while and work on some retired machines, maybe I will have some “inspiration”…

@NixAvem
I believe I am in the same position. My very rough goal is: to access from my local box, the XXX service that runs under ‘root’. I suppose this must be done somehow by pivoting the user C****x (that I actually have access to). The above link that @bergabman gave shed some light. I am working now with the ‘-g’ flag, but… what I miss (and this is because of the lack of knowledge too) is that I have NO IDEA how to use the secret file in this… “process”.

Overwhelming?.. well maybe! What’s sure is that I miss some important fact (call it knowledge) on this. But we R here to learn… huh? :wink: this is the goal…
Also, according to the way I would like to approach the solutions, I prefer to study more on this box, than to focus on another one… :wink:

@Thiseas

What I’m pretty sure is that the whole thing has to be wrapped with ssh, but I can’t get the right parameters, and I don’t understand why I always receive “invalid format” when I’m passing the key, my head hurts, I guess I’m a retard…

EDIT: nvm

Have you guys read the man pages for both services? It’s all in there. Let me know if you need more hints, I’m happy to help.

@bergabman
I need help with secret.zip. I know the password, but how can I use that file after extracting it?

Finally, rooted this bi***, if you need a tip @Thiseas feel free to msg me, but try to get there by yourself, read the file that @bergabman posted (thanx man!) that should pop a light-bulb over your head :slight_smile:

@bergabman said:
Have you guys read the man pages for both services? It’s all in there. Let me know if you need more hints, I’m happy to help.

I’ve done port forwarding, I open vnc, but my existing credentials are not working. What I suppose to do is to pass the secret file, to make the correct connection.
Maybe my hypothesis is completely wrong btw… since I read some posts about a… gray screen… etc (that make no sense for now)…

btw
I’m just starting to read all possible param/s for ssh and then for vnc. My goal is to find a parameter that accepts a file (and this is not -F configuration file…)

@bergabman thnx 4 your help buddy. I appreciate…

@NixAvem @bergabman OK Guys… I just got r00t!

I was sooooo close all this time.
I had made the whole connections correctly and I left out only the last easy parameter from the … second (the easy one) connection!!!

wtf!! thx guys, anyway ;)… & I hope 2 c u on next challenges :wink:

@Thiseas Grats man! It was so hard, and so easy… after, of course :slight_smile:
Keep it up!

@Thiseas that’s what I’m talkin’ about. Good job. See, you just have to read the man pages. I know the feeling when you read it and boom. You get it. Up for the new boxes/challenges!

Is this box getting continually messed with or something?

I’ve extracted the file, found the “suspicious” service, done some “digging” and even tried to use the secret file in another way besides reading it. Half the time the relevant ports aren’t open, and when they are they change numbers.

Do I need to redownload secret.zip each time? I was able to get it all to work but even then I didn’t have any privileges. Ever since then, doing the exact same things, I get either “too many tries” or “error 111” which is when the ports aren’t open or just auth failed.

Can someone pm me a small hint on what to do if I can get connected again?

you know what’s sad is that I haven’t even been able to escalate from www to charix! haha. much less to root! I’ve been on this box for at least 8 hours a week for a month.

I got the vnc screen but still what to hit… no idea… need just a hint… if anybody can PM.

Hi guys, I downloaded the zip file to my pc, I don’t know the password, I heard I shouldn’t bruteforce it, and I tried passwords such as poison, charix and charix’ password.

Any hint/help?
Thanks in advance!

try one of those things again, but make sure you’re typing it right

@JohnVanBoxtel said:
Hi guys, I downloaded the zip file to my pc, I don’t know the password, I heard I shouldn’t bruteforce it, and I tried passwords such as poison, charix and charix’ password.

Any hint/help?
Thanks in advance!

Try to open it in your local box… using what @granadm1 suggested.

@Djinn45SQL99 said:
you know what’s sad is that I haven’t even been able to escalate from www to charix! haha. much less to root! I’ve been on this box for at least 8 hours a week for a month.

B coolz my friend & don’t blame yourself… Just try to take advantage of the 1st vulnerability u find by examining specific files’ contents that can give both info…
Hint: u need to explore more than one file to get all cred/s.