Alright, I’m doing something wrong but I can’t figure out what. I have my reverse shell as zab*** but I see nothing in /home. At one point I did and I could actually see user.txt but I couldn’t cat it.
Any hints would be welcomed!
Thanks!
Edit: If someone PMs me, I can tell you what I have done so far - not looking for a handout, just a hand up.
@houserenren said:
May I ask for a hint for the dictionary? I was trying to use rockyou, but the machine is always being reset. I cannot finish my brute force attack.
Or am I totally wrong? Do I not need to use a dictionary? Or do I need to focus on something else?
You should definitely try putting together your own wordlists based on some basic initial enumeration. rockyou will take you way too long.
@houserenren said:
May I ask for a hint for the dictionary? I was trying to use rockyou, but the machine is always being reset. I cannot finish my brute force attack.
Or am I totally wrong? Do I not need to use a dictionary? Or do I need to focus on something else?
Don’t use rockyou. If you want to use a dictionary attack, then use a custom list. But there’s no need for a dictionary attack!
@Mapperist said:
Alright, I’m doing something wrong but I can’t figure out what. I have my reverse shell as zab*** but I see nothing in /home. At one point I did and I could actually see user.txt but I couldn’t cat it.
Any hints would be welcomed!
Thanks!
Edit: If someone PMs me, I can tell you what I have done so far - not looking for a handout, just a hand up.
Read through the previous hints… if you think you’re in the wrong place, you probably are. No user.txt in the home folder would be a good indication of that.
For USER:
Make sure you get a shell to the right location or host. Ensure your reverse shell settings are correct. If your reverse shell box’s hostname looks random, you’re in the wrong spot.
Upgrading your reverse shell user:
Look around for some custom scripts and see if you notice anything interesting about them. How could you use that information to get from one user to another?
For ROOT:
This one took me a while to get right even though it’s pretty simple. Research common priv esc methods. Do you have something available to you that matches one of those methods? Once you identify which method to use, do some research about why the exploit works and why it tricks the system into giving you root. Then figure out what system commands that thing is actually performing with the input you give it. How could you trick it into running different, custom commands that would pop a root shell for you?
Please report if you feel like this is too much of a spoiler; it won’t offend me.
@Senpaisol said:
Finally got root. This is an amazing box!
USER:
Use your own wordlist, not rockyou! But before creating your wordlist, gather as much info as possible and look for typos.
If you find something useful and working in searchsploit modify it to fit your needs.
With the right items you have to take massive action to get a stable shell.
ROOT:
You don’t need msfvenom if you can compile C.
You don’t need to compile C if you can use bash (but either way works fine). And yeah, good advice about the wordlist stuff. It sounds like there’s a way to do this with an exploit and a way to do this with the GUI, so don’t think you’re limited to just one method of gaining access.
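Several replies in this thread give the same hint (build a small wordlist from your own enumeration instead of running rockyou against a box that keeps resetting, and pay attention to typos in what you find) without showing what that looks like. The script below is an added example, not code from this thread or from the box: it harvests candidate words from a constructed block of "enumeration output" (the banner text, the stopword set and the suffix list are all assumptions for illustration), generates typo, case, leet and suffix variants, and returns a deduplicated list that is orders of magnitude smaller than rockyou.

```python
"""
Build a small, targeted wordlist from words seen during enumeration
(page titles, hostnames, banners, e-mail addresses) instead of throwing
rockyou at a box that resets before the attack finishes.
"""
import re
from typing import List

# Constructed sample of enumeration output; it is made up for this example
# and is not taken from any real box. Note the deliberate typo "Maintennance".
SAMPLE_ENUM_OUTPUT = """\
Welcome to the ExampleCorp Backup Portal
Server: nginx (hostname examplecorp-gw01)
Contact: support@examplecorp.htb
Note: Maintennance window every Sunday
"""

# Words that show up in every banner and are unlikely to be a password base.
STOPWORDS = {"welcome", "contact", "hostname", "server", "note", "every"}

# Simple leet substitutions applied to lowercase letters only.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Assumed suffixes; "" keeps the bare word. Adjust to what enumeration suggests.
SUFFIXES = ["", "1", "123", "!", "2018", "2019", "!1"]


def harvest_words(text: str, min_len: int = 4) -> List[str]:
    """Pull candidate base words out of enumeration output.

    Tokens start with a letter and are split on anything that is not a letter
    or digit, so 'examplecorp-gw01' yields both 'examplecorp' and 'gw01'.
    Order of first appearance is preserved so the wordlist stays predictable.
    """
    seen: List[str] = []
    for token in re.findall(r"[A-Za-z][A-Za-z0-9]*", text):
        word = token.lower()
        if len(word) < min_len or word in STOPWORDS:
            continue
        if word not in seen:
            seen.append(word)
    return seen


def typo_variants(word: str) -> List[str]:
    """Common typo shapes: swapped neighbours, dropped letter, doubled letter.

    This is how a harvested misspelling such as 'maintennance' also produces
    the correctly spelled form, and vice versa.
    """
    out: List[str] = []
    for i in range(len(word) - 1):
        out.append(word[:i] + word[i + 1] + word[i] + word[i + 2:])  # swap
    for i in range(len(word)):
        out.append(word[:i] + word[i + 1:])        # dropped letter
        out.append(word[:i] + word[i] + word[i:])  # doubled letter
    return [v for v in out if v != word]


def case_and_leet(word: str) -> List[str]:
    """Case and leet forms of one word, most likely first."""
    return [
        word,
        word.capitalize(),
        word.upper(),
        word.translate(LEET),
        word.capitalize().translate(LEET),
    ]


def build_wordlist(enum_text: str, include_typos: bool = True) -> List[str]:
    """Combine harvested words with typo, case, leet and suffix mutations.

    Returns a deduplicated list in first-seen order, so the unmutated words
    come before their variants and the top of the list is the cheapest to try.
    """
    candidates: List[str] = []
    for base in harvest_words(enum_text):
        forms = [base] + (typo_variants(base) if include_typos else [])
        for form in forms:
            for variant in case_and_leet(form):
                for suffix in SUFFIXES:
                    candidates.append(variant + suffix)
    return list(dict.fromkeys(candidates))


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_ENUM_OUTPUT)
    print(f"{len(words)} candidates (rockyou has roughly 14 million)")
    print("\n".join(words[:10]))
```

Feed the output to whatever login brute-forcer fits the service; a few thousand targeted candidates finish well inside a reset window, which is the whole point of the hint. Drop `include_typos` if the list is still too large for the service's rate limit.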
So it appears not to be 39937, as it makes you go to the wrong server… no GUI access for the login… no brute forcing… guest access doesn’t do much… what gives?