Official Delivery Discussion

@vr0n said:

Can anyone confirm if the first step is currently not working? I am 99.9% sure I have it correct, as all of the parts fit together and make sense, but I am never receiving the updated t****t

I wouldn’t describe it as an “updated t____t”, rather it is an addition. If you have it open when you make the second stage, you can refresh and it should appear as part of the thread.

@TazWake said:

I wouldn’t describe it as an “updated t____t”, rather it is an addition. If you have it open when you make the second stage, you can refresh and it should appear as part of the thread.

That’s what isn’t working. Based on your response and everything else I’ve read in the thread, I’m 100% sure now that I’m doing it correctly. I guess I’ll just try the box again at another time in case it needs a reset.

I couldn’t find the hash!

Please, DM me for hints

@CONFIANT said:

I couldn’t find the hash!

Please, DM me for hints

Depends on where you have been looking for the hash…

@sicario1337 said:

@CONFIANT said:

I couldn’t find the hash!

Please, DM me for hints

Depends on where you have been looking for the hash…

oh!
ok found it.
thanks

@CONFIANT said:

@sicario1337 said:

@CONFIANT said:

I couldn’t find the hash!

Please, DM me for hints

Depends on where you have been looking for the hash…

oh!
ok found it.
thanks

Nice :smile:

root@Delivery:~# id ; hostname
uid=0(root) gid=0(root) groups=0(root)
Delivery

finally rooted.

foothold:

  • As everyone said: follow the hints.
  • Do it in the right order.
  • find a way to “verify” locally

User:
After you get the email, play around there and you’ll find it.

root:

  • first step is enumeration
  • second step use a tool mentioned in the hints you were given previously

Rooted!

It’s a simple box to remind us of the importance of enumeration, and the tools are just there to help you put the pieces together! Thanks @ippsec

The hints are sufficient but would like to add a point.

Keep the names same in email and username fields when you register. This is a very simple thing but I was stuck cos I used different names!

Feel free to report if this is a spoiler! Feel free to PM if need a nudge

Rooted! That was fun; thanks @ippsec - great box.

Thanks also to everyone who posted hints on here - they were very useful on a couple of occasions. Was kicking myself when I got to the very end… I’m sure I made that last bit harder work than it needed to be!

I need a nudge. Got the he******* page for tic***, got to the mat******** page, created what seems obvious to be created, but can’t verify it… I have looked everywhere, not sure I can see the obvious

Hey everyone,

I need your help for privesc! So far I have uploaded a common enumeration script on the server (didn’t reveal anything) and read dozens of configuration files… I’ve been spending like 6 hours on that and feel retarded. I know that I’m looking for a h**h, but it seems I can’t find it…
I have already prepared a custom wordlist with the hint given on MM. The only thing I’m missing is the h**h, and I’m too weak to dive once again in those configuration files randomly.
So would anyone be kind enough to PM me where to find it?
Or do I even need the hash? Are we supposed to create a wordlist and bruteforce something?

Thank you and happy hacking!

@Netpal said:

Hey everyone,

I need your help for privesc! So far I have uploaded a common enumeration script on the server (didn’t reveal anything) and read dozens of configuration files… I’ve been spending like 6 hours on that and feel retarded. I know that I’m looking for a h**h, but it seems I can’t find it…
I have already prepared a custom wordlist with the hint given on MM. The only thing I’m missing is the h**h, and I’m too weak to dive once again in those configuration files randomly.
So would anyone be kind enough to PM me where to find it?
Or do I even need the hash? Are we supposed to create a wordlist and bruteforce something?

Thank you and happy hacking!

You need to read the configuration files strategically and not randomly … While you are at it… think of what you might find in the config files… do not tunnel focus on spotting a h**h…you might be missing a lot…

@sicario1337 Thank you for the hint! I was indeed tunnel focusing on finding a h**h… Reading files strategically sounds obvious and logical, but most of the time I have no clue about the strategy to adopt… Given what’s running on the machine I should have started there, but sometimes (if not always :D) I’m retarded…
Anyways, thanks again to you and also to @Elnirath for PMing me!

@Netpal said:

Hey everyone,

I need your help for privesc! So far I have uploaded a common enumeration script on the server (didn’t reveal anything) and read dozens of configuration files… I’ve been spending like 6 hours on that and feel retarded. I know that I’m looking for a h**h, but it seems I can’t find it…
I have already prepared a custom wordlist with the hint given on MM. The only thing I’m missing is the h**h, and I’m too weak to dive once again in those configuration files randomly.
So would anyone be kind enough to PM me where to find it?
Or do I even need the hash? Are we supposed to create a wordlist and bruteforce something?

Thank you and happy hacking!

Enumeration is the key here. If you search for files related to the user you should be targeting, there are only a few things you need to check.

Enumeration scripts don’t tend to work well for this.

@TazWake said:

Enumeration is the key here. If you search for files related to the user you should be targeting, there are only a few things you need to check.

Enumeration scripts don’t tend to work well for this.

Hi TazWake, thank you for your insight. Even though I have what I was looking for now, what do you mean by “files related to the user”? Isn’t it rather files related to a service?
I tried looking at writable files and directories for the current user with "find / -writable -type d 2>/dev/null" (and f for files). I also looked at file permissions for that user, but that didn’t really help.

When it comes to enumeration, I just lack experience and methodology. I feel like there are so many possible things to do, it’s like finding a needle in a haystack. But I have no doubt it will get better with time :slight_smile:

Thanks and see you around!

@Netpal said:

Hi TazWake, thank you for your insight. Even though I have what I was looking for now, what do you mean by “files related to the user”? Isn’t it rather files related to a service?

No. Look at the usernames on the system. The clear distinction between user and service is more a Windows thing. For example, sshd is a “service” but if you look at the passwd file you will often see an entry along the lines of:

sshd:x:118:65534::/run/sshd:/usr/sbin/nologin

There is a “username” on the system of sshd.

You could run find / -user sshd 2>/dev/null and find all the files owned by that “user” account. (if there are any).

But on this box, the account in question is one that allows users to log in, so it is definitely worth investigating further.

When it comes to enumeration, I just lack experience and methodology. I feel like there are so many possible things to do, it’s like finding a needle in a haystack. But I have no doubt it will get better with time :slight_smile:

There is no one-size-fits-all answer. It is simply about trying things and working through them until you find something you can use.

Enumeration scripts like LinPEAS and LinEnum are great but only work about 40% of the time. This shows that it is really, really difficult to build a consistent methodology.

I find the best approach is to just try to “profile” the file system. What accounts exist, what privs those accounts have, what is running, what executable files exist, etc. Then use this to try possible attack paths. It can be very tedious.
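The user-versus-service point in the reply above, as an added example that is not part of the original post: a shell audit that reads passwd-format lines, separates accounts whose shell refuses logins from service accounts that keep a login shell, and lists files by owner. The sample entries, the `svcapp` account name and the UID threshold of 1000 are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit which passwd entries can log in, then list what they own.
# SAMPLE_PASSWD is constructed sample data, not taken from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:118:65534::/run/sshd:/usr/sbin/nologin
svcapp:x:998:998:App service:/opt/svcapp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false'

# classify_accounts [FILE]
# Reads passwd-format lines (stdin when no FILE is given) and prints
# "name uid kind", where kind is:
#   nologin       shell is nologin or false, so no interactive session
#   root          UID 0
#   system-login  UID below UID_MIN but with a login shell (worth reviewing)
#   human         UID at or above UID_MIN with a login shell
# UID_MIN defaults to 1000 (assumed; check /etc/login.defs on the host).
classify_accounts() {
    awk -F: -v min="${UID_MIN:-1000}" '
        /^#/ || NF != 7 { next }             # skip comments and malformed lines
        {
            if ($7 ~ /\/(nologin|false)$/)   kind = "nologin"
            else if ($3 + 0 == 0)            kind = "root"
            else if ($3 + 0 < min + 0)       kind = "system-login"
            else                             kind = "human"
            print $1, $3, kind
        }' "$@"
}

# owned_files OWNER [ROOT]
# Lists files owned by OWNER (name or numeric UID) under ROOT, staying on
# one filesystem; permission errors are discarded.
owned_files() {
    find "${2:-/}" -xdev -user "$1" 2>/dev/null
}

# Stand-alone run: classify the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts
```

On a real host, `classify_accounts /etc/passwd` followed by `owned_files NAME` for each `system-login` entry shows which service identities can hold a session and what they control.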

Rooted the box finally! It took longer than I anticipated. Kudos to the maker @ippsec. Watched his own videos for the cracking part. Foothold and user were interesting.

@TazWake said:

No. Look at the usernames on the system. The clear distinction between user and service is more a Windows thing. For example, sshd is a “service” but if you look at the passwd file you will often see an entry along the lines of:

sshd:x:118:65534::/run/sshd:/usr/sbin/nologin

There is a “username” on the system of sshd.

You could run find / -user sshd 2>/dev/null and find all the files owned by that “user” account. (if there are any).

I never thought about that, thank you for the info!

There is no one-size-fits-all answer. It is simply about trying things and working through them until you find something you can use.

Enumeration scripts like LinPEAS and LinEnum are great but only work about 40% of the time. This shows that it is really, really difficult to build a consistent methodology.

I find the best approach is to just try to “profile” the file system. What accounts exist, what privs those accounts have, what is running, what executable files exist, etc. Then use this to try possible attack paths. It can be very tedious.

Got it, I’ll try to do that on the next box! See you around :slight_smile:

I thought the first bit really didn’t make sense at first since it’s a ticketing system…

Rooted. Really nice box.
The foothold part was kind of misleading, but thanks to the hints hidden in this thread I managed to organize what to do.
User part was super easy.
Root was something new that I learned with ha**t

Thanks to @ippsec