Carrier

OK, managed to get user.txt and shell as the root user. However, I’m not sure where root.txt is, or what to do next. Any clues?

Can anyone point me kinda in the right direction after logging-in?

For the root flag, do I need pivoting?

I only got user.txt so far, and from what I can tell… seems like, we are in only one of the containers within a multitude of containers (that horror)…

I think I know why this box is called carrier… (that horror again)…

@Center said:
Can anyone point me kinda in the right direction after logging-in?

Would appreciate a hint too…

EDIT:
Now needing help to form a rev shell
EDIT2:
Rev shell obtained, working on root.

@wilsonnkwan said:

I think I know why this box is called carrier… (that horror again)…

I think I have the same suspicion as you and it is breaking my heart…

@dragonitesec said:

@AlexanderNagy said:
Could someone please send me a hint about the RCE. Thanks!

if your login has been successful, analyze the only point which “executes” something…

In hindsight this is a very, very useful tip. I wish I’d seen it earlier…

Anyone know if you have to b** something with a q to another box?

Just look at the routing table. :scream:

I got user. And I got a private key. However when I try to ssh in, it asks me for a password. I assume the key has a password on it as well?

Dumb question - BUT I’M LEARNING :bleep_bloop:

@Underworld said:
I got user. And I got a private key. However when I try to ssh in, it asks me for a password. I assume the key has a password on it as well?

Dumb question - BUT I’M LEARNING :bleep_bloop:

The private key you have is not exactly in the Carrier IP.
Check ifconfig on the machine…

Who knows networking well and got root using only B**?

@AuxSarge said:

@opt1kz said:
I just started poking at it, so I’m still enumerating and working on user. Is the serial number thing a dead end? Edit: It is not a dead end. Just had to enumerate more.

Thank you for this. I have been scratching my head for too many minutes.

@taytay said:

@0xlc said:

@taytay said:
struggling to even get user. any help would be appreciated :slight_smile: thanks

Did you find the doc? It seems we need to get the default user/pwd from the chassis, but enumerating with common tools and wordlists didn’t work out for me.

I have found a few documents, yes; still not able to find any chassis that it refers to. I’ll PM you.

same boat

hint on login creds…?

Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

@sakyb said:
hint on login creds…?

something on some open ports… NOT on the TCP range

@Kykli said:
Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

try a different rev shell :wink:

@0xlc said:

@Kykli said:
Hints for the reverse shell? I am able to execute commands but no luck getting reverse shell. It shuts down the connection always instantly…

try a different rev shell :wink:

Have tried so many ways already and nothing is working :astonished:

any hint after rce …? got the Shell!

@sakyb said:
any hint after rce …? got the Shell!

Same boat.

Found some IPs and found a service running on one of the IPs. Logged in to the service, but there is nothing. Any hint…?