Official Armageddon Discussion

Comments

  • @CrackerMan said:

    @menkar411 said:

    What's wrong with m***l? Can't log in

    Struggling with this one as well. Tried enumerating other services but not finding anything that is jumping out. Got the creds but can't apply them, so would appreciate a cryptic hint.

    This stumped me, too, but hints in this thread and a bit of reading the man page for m***l showed me a way to run things without having to go all the way in...

  • edited April 9

    I've got a foothold and I'm currently logged in as the a***he user right now, but I cannot seem to find any of the services that people are giving hints about. Running "ps ax" or "systemctl" also yields no info and I certainly don't see any m***l service running. Maybe I need to reset the box? Or am I barking up the wrong tree?

  • Nevermind, my enumeration was poor. Got some m***l creds

  • My crafted s**p file doesn't work. I tried many things but nothing. Has anyone had the same problem? Thanks a lot!

  • Rooted this machine.

    Hints:
    Initial foothold: enumerate the web app and use google
    Getting a ssh session: find a user and keep asking access...
    Root: ask what you are allowed to do and use that to your advantage

    All in all a fun box, a little different than the usual and definitely one of the more real-life ones out there. Thanks to the creator!

  • edited April 10

    Am logged in as a****e with an adequate shell, can dump data from m****, have found something that looks like a hash in a table but none of my cracking tools are working. Am I just bad at hash cracking or am I down a rabbithole?

    EDIT: I was looking at the wrong thing because I didn't search exhaustively at first. Once I found the obvious right thing it was easy with either hashcat or john

    LegendarySpork

  • @LegendarySpork said:

    Am logged in as a****e with an adequate shell, can dump data from m****, have found something that looks like a hash in a table but none of my cracking tools are working. Am I just bad at hash cracking or am I down a rabbithole?

    It should be crackable. Are you using the right hashcat, for example, and with the right algorithm?
    Can DM to explain more if it would be a spoiler.

  • edited April 10

    @Ppair said:

    ... are you using the good hashcat for example and with the good algo?

    Hah, I'm using "a" hashcat trying a couple of algos but it sounds like I need to keep trying.

    EDIT: oops I missed something really obvious and was trying to crack the wrong thing. Lesson learned: grab the whole mess first and search it all before searching selectively

    LegendarySpork

  • @eMVee said:

    @rpthomps said:

    Can anyone message me a hint for root? I am going to try and craft something in curl but I am not overly confident....

    The hint is not needed, you are on the right path as I saw in your post before.
    Then look at how you could use that information to gain more privileges. If you have found the way to go and if you have crafted what you think you need, there are ways to get it there.

    Sure, curl -O can be used, but it is not needed.

    I hope I don't spoil too much for you

    Thanks for your help, @eMVee

  • Got initial foothold, and then got the user, but stuck at root.

    Crafted s**p doesn't seem to be working even with the special power of the user. Not sure where to go from here... Any nudges?

  • @Alfamyk said:

    Got initial foothold, and then got the user, but stuck at root.

    Crafted s**p doesn't seem to be working even with the special power of the user. Not sure where to go from here... Any nudges?

    Nvm, just needed a fresh perspective on the approach. Got root with slightly more crafting

  • Any help?

    Stuck as a**e user, can't find any creds or get ms*l to work to dump creds as suggested by others...

    rancilio

  • Spoiler Removed

  • @rancilio said:

    Any help?

    Stuck as a**e user, can't find any creds or get ms*l to work to dump creds as suggested by others...

    I know the struggle. If you have the correct stuff you should be able to work with it. I had the issue that my connection was broken after 1 query. So maybe a one-liner will do it for you.

  • @aliabdelmalek said:
    hey guys
    ......................
    any help please

    Not sure how to give a hint without spoiling, but if you think it should work, read the documentation on how to use this thing.

  • I got everything, the exploit worked for me, but I couldn't get a reverse shell. I tried bash, netcat, python, perl reverse shells but I didn't receive anything in my listener. Please help me .. I don't wanna get the shell from the RAPID7 .... .... guide me please or give me a small hint and I'll be appreciative

  • edited April 11

    Hello, I can't manage to work with ssh. I have a user and also a password, but ssh seems not to be working, and resetting the machine doesn't help.

    Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 03:10 EDT
    Nmap scan report for 10.10.10.233
    Host is up (0.082s latency).

    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
    | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
    |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)

    ssh -v [email protected] 130 ⨯
    OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1k 25 Mar 2021
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug1: Connecting to 10.10.10.233 [10.10.10.233] port 22.
    debug1: Connection established.
    debug1: identity file /home/kali/.ssh/id_rsa type -1
    debug1: identity file /home/kali/.ssh/id_rsa-cert type -1
    debug1: identity file /home/kali/.ssh/id_dsa type -1
    debug1: identity file /home/kali/.ssh/id_dsa-cert type -1
    debug1: identity file /home/kali/.ssh/id_ecdsa type -1
    debug1: identity file /home/kali/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/kali/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/kali/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/kali/.ssh/id_ed25519 type -1
    debug1: identity file /home/kali/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/kali/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/kali/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/kali/.ssh/id_xmss type -1
    debug1: identity file /home/kali/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    debug1: match: OpenSSH_7.4 pat OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7* compat 0x04000002
    debug1: Authenticating to 10.10.10.233:22 as 'XXXXXXX'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: [email protected] MAC: compression: none
    debug1: kex: client->server cipher: [email protected] MAC: compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    Connection closed by 10.10.10.233 port 22

    Any ideas?

  • @yolocalhost said:

    Hello, I can't manage to work with ssh. I have a user and also a password, but ssh seems not to be working, and resetting the machine doesn't help.

    Any ideas?

    Please make sure your password is correct
    The password is simple without any symbols
    j**n Cracking the hash may produce some strange symbols

  • @dj3bb4ran0n said:
    I got everything, the exploit worked for me, but I couldn't get a reverse shell. I tried bash, netcat, python, perl reverse shells but I didn't receive anything in my listener. Please help me .. I don't wanna get the shell from the RAPID7 .... .... guide me please or give me a small hint and I'll be appreciative

    Try the commonly used ports

  • Rooted. Thanks to all the nudges on this page. DM me if you want some help. I'm pretty new and I will try my best to help.

  • @rancilio said:

    Any help?

    Stuck as a**e user, can't find any creds or get ms*l to work to dump creds as suggested by others...

    If you haven't found any creds yet, you should enumerate more. Always have a look at things you can read in the context of the user you're logged in.

    dragonista

  • edited April 11

    Rooted.
    Foothold: in the famous hacker tool (remember the name of the machine) you will find what you need; be careful to use the correct payload. Needed to stabilize my foothold with a better shell.
    User: Poke around where you spawned (no need to run the enum script) to find something interesting. Enumerate what you have and use what you've found. After some magic you'll obtain the thing to have stable access.
    Root: enumerate what you can do and do some Google-fu. In my case I needed to use a fraction of what is available.

    Thanks for the box!

    alemusix

  • Could someone DM me a nudge? Have a basic shell with a****. Found default m**** creds but they are not working. Want to run what I am doing past someone who has rooted to see if I am on the correct track or not.

  • Hello, I can't manage to work with ssh. I have a user and also a password, but ssh seems not to be working, and resetting the machine doesn't help.

    @backK said:
    @yolocalhost said:

    Hello, I can't manage to work with ssh. I have a user and also a password, but ssh seems not to be working, and resetting the machine doesn't help.

    Any ideas?

    Please make sure your password is correct
    The password is simple without any symbols
    j**n Cracking the hash may produce some strange symbols

    The password was correct, but there was no ssh connection to the server. Support resolved this issue.
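
The `ssh -v` trace posted earlier in this thread ends at `expecting SSH2_MSG_KEX_ECDH_REPLY`, which is still key exchange, before any password is sent. The sketch below is an added example, not part of any post here: it reads client debug output and reports how far the handshake got. The stage labels and the `diagnose` function are names made up for this example, and the second trace is constructed for contrast.

```python
# Stage labels and diagnose() are this example's own names, not OpenSSH's.
STAGES = [  # (label, client debug-line prefix), in handshake order
    ("tcp_connected", "debug1: Connection established"),
    ("version_exchanged", "debug1: Remote protocol version"),
    ("kexinit_exchanged", "debug1: SSH2_MSG_KEXINIT received"),
    ("awaiting_kex_reply", "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY"),
    ("keys_established", "debug1: SSH2_MSG_NEWKEYS received"),
    ("auth_offered", "debug1: Authentications that can continue"),
    ("auth_succeeded", "debug1: Authentication succeeded"),
]

def diagnose(trace):
    """Return the furthest stage reached and whether a credential was judged."""
    reached, closed, denied = -1, False, False
    for raw in trace.splitlines():
        line = raw.strip()
        for i, (_, prefix) in enumerate(STAGES):
            if line.startswith(prefix):
                reached = max(reached, i)
        closed = closed or line.startswith("Connection closed by")
        denied = denied or line.startswith("Permission denied")
    stage = STAGES[reached][0] if reached >= 0 else "no_connection"
    tested = denied or stage == "auth_succeeded"
    if closed and not tested:
        verdict = "connection dropped before the server judged any credential"
    elif denied:
        verdict = "server rejected the credential"
    elif stage == "auth_succeeded":
        verdict = "login succeeded"
    else:
        verdict = "inconclusive"
    return {"stage": stage, "credentials_tested": tested, "verdict": verdict}

# Tail of the trace posted in this thread.
THREAD_TRACE = """debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 10.10.10.233 port 22
"""

# Constructed trace of a rejected password, for contrast.
DENIED_TRACE = """debug1: Connection established.
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
"""

if __name__ == "__main__":
    print(diagnose(THREAD_TRACE))
    print(diagnose(DENIED_TRACE))
```
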

  • Finally owned.

  • I found 3 credentials on db u**r, but how can I brute-force the password??? Give me references
  • @psfauzi said:
    > I found 3 credentials on db u**r, but how can I brute-force the password??? Give me references

    Hydra, dictionary
  • rooted. dang @bertolis that was a tough "easy" box. Thanks to @philralph, @SackOfHacks and @ironman2 for the nudges/conversation.

  • edited April 14
    Finally rooted! Thank you guys for the hints in the discussion and thru PM!
  • Nice box. Enjoyed pwning it. Thanks...
