Official Doctor Discussion

@TazWake said:

@in3vitab13 said:

Got user s****
Any hint for privesc?
I know s****k is the way…but how, to put approach!

Well you probably want a local privesc attack.

I think I am in the same place as @in3vitab13. I’ve done what I thought was the hard work and got a shell as s***n and thought I spotted the path to root quite easily. I am running the local version of a script to target the service (as the default creds can’t be used remotely), but it’s not working, so either I’m running the script wrong or the creds aren’t default. I don’t have permissions to read them from the service directory. Any gentle nudges? Have I missed some enum?

Gah! I had it all along. Just needed some sleep to see it…

Can I have some nudges, please?
I’m in with the user w** and found a password hash inside an slt* db for the user a**i* and now trying to crack it with Johnny as a bcrypt Blowfish but isn’t really cracking open. Otherwise I didn’t find many interesting things. Any help? Is this pass hash a rabbithole?

@rowra said:

Can I have some nudges, please?
I’m in with the user w** and found a password hash inside an slt* db for the user a**i* and now trying to crack it with Johnny as a bcrypt Blowfish but isn’t really cracking open. Otherwise I didn’t find many interesting things. Any help? Is this pass hash a rabbithole?

I think this is a rabbit hole, but your thoughts are correct in looking for “keys”…suggest you run some linux CLI juju to find what you are looking for in an automated way. There certainly is a way to narrow down “where” you need to look.

Hmm, I am pretty stuck on messaging bit…if anyone could give me a nudge that would be awesome…

A link you posted was not valid! <— this is driving me batty! lol

@Gizmet said:

Hmm, I am pretty stuck on messaging bit…if anyone could give me a nudge that would be awesome…

A link you posted was not valid! <— this is driving me batty! lol

You are probably enumerating for a specific vulnerability that is not there. Check the HTTP responses for a hint and then find a page that behaves consistently with that vulnerability.

ROOTED! Fun machine, learned about a new vulnerability today!

Foothold - #@$&%&, examine the unique http responses you get back, not the top 2 web services out there…then look for a page/s consistent with that vuln to enable you to trigger it.
User - Enumeration is the name of the game; recommend you stay away from scripts; use a built-in to search through files
Root - You know that one thing you tried first but then failed at? Yea try that…then research priv esc techniques, it’s all there.

totally got there in the end with no help! my fault, missed something stupid !

root.txt
cat root.txt


whoami
root

Do the successful exploits in the fields generate a 500 error?

@rpthomps said:

Do the successful exploits in the fields generate a 500 error?

It depends. If you do some tests, they should work and give you clear output showing it is the right path.

Then you can be confident it should work.

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

@luckyUser said:

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

Have you tried creating an account?

@TazWake said:

@luckyUser said:

Is brute forcing the login on a specific page required, or is there a more intuitive way to get access?

Have you tried creating an account?

Funny enough, I did right after posting that question. I need to get out of the habit of assuming registration doesn’t work on these boxes. Thanks for your help.

This box was definitely super funny. Learned a great deal.

User was tricky but root was easy.

You can send me a message if you need a nudge.

When running linpeas I get the following “newline’ unexpected when run shell script”. Any experience with this?

500 error page is not the one you are looking for, enum more.

Just got the flags about an hour ago. The most time consuming part was getting the syntax of the “message” that opened the rest of the doors.

Anybody able to give me some pointers…

Have checked out the ports that I’ve seen open with nmap and can’t find anything on the pages…

I feel like this isn’t an easy box…

@rancilio said:

Anybody able to give me some pointers…

Have checked out the ports open and can’t find anything!

I feel like this isn’t an easy box…

Not sure how to help but nmapping the target will reveal the right port

@C4P7A1NFlint said:

@rancilio said:

Anybody able to give me some pointers…

Have checked out the ports open and can’t find anything!

I feel like this isn’t an easy box…

Not sure how to help but nmapping the target will reveal the right port

Sorry, I was meant to say that I’ve checked the open ports that were revealed from my nmap scan, but can’t seem to find anything at all on the pages.