Official Spectra Discussion

uh saw many ppl said root was easy… but i’ve been stuck for couple hours now. lol.

  1. Enumerate web server properly and find interesting files.
  2. Use the info found in the file to get control of cms.
  3. Again after initial shell enumerate os directories and try to find interesting files.
  4. For Root is google is your friend.
    PM for nudges but be ready to explain what have you already done.

Type your comment> @SlaCk3rxD said:

uh saw many ppl said root was easy… but i’ve been stuck for couple hours now. lol.

With a bit of basic reading on how the service that you need to exploit works… getting root, its a piece of cake :smile:

having trouble with user.

been looking through files and finding interesting stuff (or it appears to be).
found hashes but they dont seem to be valid for user, ke or ch*s.
am i on the right track?

@ninja92001 said:

having trouble with user.

been looking through files and finding interesting stuff (or it appears to be).
found hashes but they dont seem to be valid for user, ke or ch*s.
am i on the right track?

I think it is a rabbit hole. I don’t recall cracking any hashes on this box.

Rooted! Getting a stable enough shell to do some things took quite some time but once that was done everything fell into place.

Clean-up after yourself people. Don’t just leave the root privesc in place for others to stumble over…

I did it the intended way but I could have easily rooted with zero effort.

okay just rooted. i swear to god. its not easy like most ppl says… =(

Type your comment> @SlaCk3rxD said:

okay just rooted. i swear to god. its not easy like most ppl says… =(

Nice work :smile:

Someone removed the root.txt file. Cracked it still can’t get the hash code :frowning:

Rooted, it was a nice box overall. Good for refreshing enum skills :wink:

I liked this one. If you’re not quick with it you’ll lose track of what you’re doing. It’s too bad I was looking for “flag.txt” for a solid 30 minutes. I might be stupid.

I have been stuck on user for days now.
I have a shell with m********r with a user n****x…however I am trying to pivot to one of the other users and start working from there to root. However I can’t seem to figure out what I need to look for. I have found hashes which have not proven useful (yet). I also found some ssh stuff, but it doesn’t match up with users in the home directory or even that of passwd. Can someone give me a nudge?

Type your comment> @ninja92001 said:

I have been stuck on user for days now.
I have a shell with m********r with a user n****x…however I am trying to pivot to one of the other users and start working from there to root. However I can’t seem to figure out what I need to look for. I have found hashes which have not proven useful (yet). I also found some ssh stuff, but it doesn’t match up with users in the home directory or even that of passwd. Can someone give me a nudge?

■■■■ IT FINALY!!! GOT USER!!!

ROOTED!

thanks @TazWake

I’ve got root without lateral movement… There is more than one way to PE.

Type your comment> @ninja92001 said:

I have been stuck on user for days now.
I have a shell with m********r with a user n****x…however I am trying to pivot to one of the other users and start working from there to root. However I can’t seem to figure out what I need to look for. I have found hashes which have not proven useful (yet). I also found some ssh stuff, but it doesn’t match up with users in the home directory or even that of passwd. Can someone give me a nudge?

I really don’t know how ppl got the mr working, mine never worked. Found another solution to get a shell but that’s kinda weird it didn’t worked out…
If people are stuck with m
r not working I suggest you should see how to run wp* php files.

I can’t find the root.txt file

@Diabulous said:

I can’t find the root.txt file

It should be in the default location. If you have looked there and there is no flag, then its worth resetting the box. If that doesn’t solve it, you might need to open a jira ticket with HTB.

Double-check you have the right permissions to read it before you do this though.

i got everything the exploit worked for me but i couldn’t get reverse shell i tried bash,netcat,python,perl reverse shells but i didn’t recive anything in my listener please help me … i don’t wanna get the shell from the RAPID7 … … guid me plz or give me small hint and i ll be appricated