rooted 
, learn a lot of things
the root is easier than I thought. PM me if you are stuck 
Guy. How did you download the b*****.7z file to your localhost. I tried using SimpleHttpServer , but the server is dam slow to work.
Any hint?
do you have ssh access? if yes then there is a subsystem in ssh for filetransfare….
Nice box, thanks for the learnings!
@cater1257 said:
Guy. How did you download the b*****.7z file to your localhost. I tried using SimpleHttpServer , but the server is dam slow to work.Any hint?
SCP should do the trick.
Hi, i have ssh connection, i have 2 user’s h****s. So what should be the next step without any spoiler?
Could i get a pm hint on how to get user? I just can’t seem to figure out where to look…
If anyone has time. Could someone PM me a nudge on this one. I’m able to login to a shell, but i’m not able to capture credentials for ldapuser’s or escalate to root.
I feel stupid on this one. I logged it via ssh, and found a file under .cache/****/last…
Do I need to do something with the content of this file?
@zsemi02 said:
I feel stupid on this one. I logged it via ssh, and found a file under .cache/****/last…
Do I need to do something with the content of this file?
Nope not needed
having a nightmare with this one - anyone give me a hint for user?
Nice box, easy to overthink. The most interesting part for me was the privesc to root.
The only hint I would give for root is there is more than one tool capable of enumerating the files in infront of you.
any help on what command to use to copy ba****.7z as scp seem to fail when using command below.
scp ba****.7z root@10.10.15.58:/home
EDIT: my bad i didnt have ssh server installed on kali
@NullDay said:
any help on what command to use to copy ba****.7z as scp seem to fail when using command below.scp ba****.7z root@10.10.15.58:/home
EDIT: my bad i didnt have ssh server installed on kali
You can do this in reverse as well, which would be something like:
scp l*******@10.10.10.119:ba****.7z .
From your Kali box. That way is a little bit “safer” as well, because you’re not typing your local machine password into an intentionally vulnerable system.
Some hints in this topic were really confusing to me. I can tell you that the {crypt} hashes you find using Nmap cannot be cracked since the passwords don’t appear on wordlists. That does not mean that you should give up on authenticating as these users however, as they are needed for the path to root.
@bSpence7337 said:
@Glasgow said:
I’ve rooted the machine, but I had a question. Does anyone know why ps wasn’t outputting all processes? It was only returning the processes for the current user. What is limiting the results for ps here?se-lin*x
Not really… yes, Selinux is enforced, but that’s not the reason why you can only see your processes. Google is you friend!
can I get a hint how to get the user creds please i’m banging my head
Anyone else getting access denied trying to ssh in with any account creds?
I had never seen this attack vector, the initial part is quite interesting, nice machine
Initial Foothold
First I was in a HUGE rabbit hole using ldap****h, some have used Nmap and other enumeration tools in the protocol, the hashes of the users {crypto} are not very helpful, I was several days like this … the trick is to attack while being inside the machine, to ***** for a few minutes, and that result to analyze it in your world …
User
Following the above, you will see something interesting inside that, something similar to a kind of ****** … When you get one of the users, to reach the next user is to analyze the files of the house, it is difficult to say things without spoiler, some users have said interesting things in this thread …
Root
Once again analyze what is in front of your eyes, and see if those ******* allow you to bring the flag, you may enter another rabbit hole again …
Thanks to @Mezareph79
Luck!
well for transferring small files i use base64 than i copy the string on nano into my kali than base64 -d copy > file .any advice let me know