Spoiler Removed - Arrexel
This was a fun box, for sure! Especially since I have been studying this authentication service on my way towards my CISSP certification - I really like it when boxes have real-world implications.
A few notes:
- User was pretty easy after some basic enumeration.
- Root was pretty easy once I figured out how to do what I needed to do. I knew what I needed to do but finding the right tools to do it was the hard part.
- I never needed to use redtest, Im*****t was all I needed to get the hash.
- I guess I lucked out - hashcat on my Kali VM worked fine. As always, the key is choosing the right wordlist.
The following site (along with parts 2 and 3) really helped me get root. It doesn’t walk you to root but it gave me enough examples to figure out how to make the tools work. I’ve bookmarked it for future boxes.
i am using rockyou.txt and didn’t find anything with hashcat, john instead still running…
i am not sure if am trying to crack the right thing… anycan can pm me?
Interesting box, user was easy, root was much harder then I expected, but a good step forward.
Everything you need is in this forum, almost all tools in Kali.
anyone available for a slight nudge on root.txt
I got user.txt
At last I finished this box 
PM me for hints.
For those stuck at cracking for priv esc: i tried different hashes even one from another user (which he cracked it) with the correct password in the wordlist and i did not manage to crack it. tried on both macos and kali. hashcat 4.2.1 or 4.0. (hashcat cmd args are fine)
still did not find the issue.
Capturing user was pretty easy. You need to use correct tools for acquiring root.txt All of them is written under this post.
This was a nice machine. Learned a lot on Windows Systems (More a Linux guy). Thanx to @Leonishan for the hint…
Rooted. Good box.
@0xlc said:
For those stuck at cracking for priv esc: i tried different hashes even one from another user (which he cracked it) with the correct password in the wordlist and i did not manage to crack it. tried on both macos and kali. hashcat 4.2.1 or 4.0. (hashcat cmd args are fine)still did not find the issue.
I used Hashcat with rockyou.txt and best64.rule - Do you have the right hash type? (-m 13100)?
@Phr33fall said:
@0xlc said:
For those stuck at cracking for priv esc: i tried different hashes even one from another user (which he cracked it) with the correct password in the wordlist and i did not manage to crack it. tried on both macos and kali. hashcat 4.2.1 or 4.0. (hashcat cmd args are fine)still did not find the issue.
I used Hashcat with rockyou.txt and best64.rule - Do you have the right hash type? (-m 13100)?
yes i do
Send me your hash in a PM dude and I will run it from mine 
Hey guys. can anyone pm me for getting root? i think i am on the right way, but i’am sill stuck at a point…thank you
R000TED - H*****T a nightmare, kept running on local machine did not crack tried running on VM finally found correct syntax - ensure hash is exported to file not copied. Great Box - thanks @eks and @mrb3n . No need for special exploit thanks @Mapperist excellent link
I am stumped, I know that I somehow have to get a hash to then use it with something else, but I have no idea how I go about getting said hash to begin with…
Could anyone throw me a bone on how to do it?
EDIT: Disregard, it appears that I have learned to read and figured it out…
Rooted very nice box . Great learning experience.
I feel like I got the right tools, but I’m missing the priv esc foothold. Anyone willing to provide a nudge in PM?
OK I’ve gotten a bit stuck. Any one I could PM for some hints?
I don’t have user.txt yet. I’ve found a username and encrypted password through sc***. I managed to decrypt the password.
I’ve tried to m***t using the username/password but I get a Permission denied.
@Underworld said:
OK I’ve gotten a bit stuck. Any one I could PM for some hints?
I don’t have user.txt yet. I’ve found a username and encrypted password through sc***. I managed to decrypt the password.I’ve tried to m***t using the username/password but I get a Permission denied.
Seems like you’re on the right track. Check your command syntax. Feel free to PM.