Official Armageddon Discussion

I have got br********* user salted hash password from ****l. But I don’t know what to do next; it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

@secretninja said:

I have got br********* user salted hash password from ****l. But I don’t know what to do next; it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

Crack that fucker. Hashcat took a whole 30 secs with the right word list on my ancient laptop.

@RageWire said:

@secretninja said:

I have got br********* user salted hash password from ****l. But I don’t know what to do next; it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

Crack that fucker. Hashcat took a whole 30 secs with the right word list on my ancient laptop.

Finally! Drupal 7 uses a different hashing mechanism, but I finally did it. Thanks for hashcat; I was using sha512+salt but that is wrong.

@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay I came upon an article that explains about something “DIRTY”. Got an exploit related to it but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

@secretninja said:

@ninja92001 said:

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

Check out config and install hooks. Also remember there are only a few shared locations in the filesystem. Etc is one.

@RageWire said:

@secretninja said:

@ninja92001 said:

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

Check out config and install hooks. Also remember there are only a few shared locations in the filesystem. Etc is one.

RageWire, can I DM you?

@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay I came upon an article that explains about something “DIRTY”. Got an exploit related to it but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

Have you read a comment on top of the TRJAN_S**P “payload definition” in the Python script? You don’t need anything more :wink:

@0x746b72 said:
@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay I came upon an article that explains about something “DIRTY”. Got an exploit related to it but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

Have you read a comment on top of the TRJAN_S**P “payload definition” in the Python script? You don’t need anything more :wink:

Yes I saw that in the dirty “foot covering”.

But I am still learning how to snap my fingers, if you know what I mean.

Do I need to run m***l in a specific directory? I believe I have the command right but it keeps dumping me the “man” page instead of my query.

@ninja92001 said:

@RageWire said:

RageWire, can I DM you?

Sure. No problem.

Finally rooted. root was a bit tricky but fun nevertheless.

I must be silly but can’t open a shell with the well-known exploit… something I missed? Maybe a misconfiguration. If anyone has any nudge I would be thankful.

Can anyone please help me with root. I crafted the s*** payload but it seems like a wrong direction …

Thanks for this box. I have learned something totally new which took me 2 days to get this working as expected :slight_smile:

For foothold, simply run the basic enumerations and check what you have on your box to help you get in.

For user, simply review what you got from foothold and how to also use existing tools on your box to get in.

For root: don’t make it too complex, but understand what the tool is doing and how to manage this.

Oh my god finally rooted, struggling a lot for this part. I had to write code to craft the payload myself, idk if anyone has a better approach
Foothold: Need some enumeration + CVE
User: Think about how the whole website works and is connected, you’ll find your way
Root: Understand what the tool is doing and how to use it, then you can create your own s*** :wink:

How can I get root? I was reading about dirty sock, but it returns the error that my version is not vulnerable.

@quangvo said:
Oh my god finally rooted, struggling a lot for this part. I had to write code to craft the payload myself, idk if anyone has a better approach
Foothold: Need some enumeration + CVE
User: Think about how the whole website works and is connected, you’ll find your way
Root: Understand what the tool is doing and how to use it, then you can create your own s*** :wink:

Well, this was finally working with some simplification of the existing craft :wink: But I struggled with the same until I understood how this works. I have tested this first on another VM running on ub**** just to investigate how this works :slight_smile:

Foothold and user were ‘business as usual’

Root was definitely something new and interesting, which needed some research, but it was definitely worth it. My hint is to not over-complicate your way from user to root. User has some special power, so use it! I had trouble forging the right tool in kali, so I had to do it on my ubuntu machine. The prepared tool is only useful the first time the user combines it with its special power, afterwards it’s just a useless hook.

I got a meterpreter shell but commands are not working,
example: meterpreter > pwd
unknown command : pwd

need help.

@ub007 said:

I got a meterpreter shell but commands are not working,
example: meterpreter > pwd
unknown command : pwd

need help.

Drop to a shell; it should work.