Hint for Sunday

I’m also stuck on the priv esc from the first user, if someone can PM me with some hints, it would be greatly appreciated

Wow, enumeration really is your bread and butter, I’m kicking myself for not checking (spoiler) location first, I was able to get the second user within five minutes after looking there

Everyone seems to have guessed the initial password easily. I have enumerated users using the service on the lowest port and tried hydra -e nsr + other guesses based on the name of the box to authenticate to port xx0xx. Brute forcing with a larger wordlist would take days over my connection. What else should I be trying?

Ive read that peopl are getting more than 2 ports open on their scans. I was able to enumerate users on one of the services but get authentication errors on the other port. I am only getting those two ports and nothing else. When trying to scan on the Free servers it is taking ridiculously long. Is this normal, can someone point me in the right direction?

ok… I got user.txt and am having trouble with root… I really have no idea what to do next :frowning:

alright nevermind… I got it finally… fml!

Any subtle hints on how to Privesc using that **do application? Cant see any thing i can use to leverage on.

the idiot that keeps changing the sudeors file. YOU DONTTTT NEEEEEDDDDDD TO CHANGEEE ANYY FILEEEE!!! worst case, if you edit it and you see an error JUSTTTT GETT ITT BACK THE SAME ■■■ IT WASSSSSS. HTB should ban people that crash the box for like 30 min from using it

so i’ve got some users enumerated… i’ve found out the ports open, but i really cannot get in… there seems to be something that i am missing… many of the comments have confused me… need a nudge how to get an initial foothold.

@pzylence - I am in the same position. Found a bunch of default users, and tried to guess the password… which should be something super obvious that’s often done on HTB or in CTFs in general. Seems I have no luck this time - I managed to guess the obvious / “in your face” credentials for Nibbles and Valentine, but I find this challenge e much more difficult and less obvious. So far I tried - unsuccessfully - with a wordlist of my own with about 200 seemingly obvious guesses for passwords (trying to apply my Nibbles or Valentine mindset ;-)), tested against all the users I know.

As all the users that I could find easily are default users, and none of them had logged on before, I wonder if you also have to guess additional users / use a more exhaustive wordlist for users. I already tried some “obvious” additional users not on the default wordlist (that the enum tool uses that I suppose many here are using).

But I am not ready to give up and use a huge wordlist - I take a break and wait for inspiration to hit me with ideas for new “obvious” usernames and passwords :slight_smile:

I’ve tried all sort of things with the s*** from Sammy, I cannot read nor download files with no permissions. Overwriting important files is not working either. Can I get some hint? I’ve read certain man pages like 5 times now…

I need help for priv esc, PM me please

Shoutout to everyone who feels the need to change all the passwords.

I see the tool I need to use for root but keep getting “No permission to list directory.” Any hints would be rad.

@s2233 said:
Shoutout to everyone who feels the need to change all the passwords.

fwiw this is not malicious - root escalation gone wrong/done badly blame google.

@3lpsy said:
If you’re struggling going from user to root, you may want to start over with your enumeration. It’s aggressively simple. I know that sucks to hear if you’re struggling, but once you see it, you’ll have root in less than a minute. My hint is to ask “what can this user do”? Also when you do see it, you do not need to mess things up to get the flag so be considerate as, according to this forum, many people are trying to to modify sensitive files when it’s not necessary.

Any clues? have enumerated multiple times with various scripts but can’t see a vuln. or anything to run to get root without exploit or changing anything :confused:

Any clue for be sammy?

Spoiler Removed - Arrexel

Okay Finally got root flag, but not sure if it was correct.

Just want to confirm, if you can’t say please PM me but can you actually get root shell or is it just CTF on this box. I am rather new so still learning :smile:

Also this would of been a lot quicker if people did not keep breaking the box, just need enumeration, there is enough clues in this thread, the most important one is “What can this user do?”.

No idea why someone deleted the passwd file :disappointed:

Ok I was trying with the wrong user
There is a sa… And a su…

Enumerate 667544 times to get it