Official Passage Discussion

Got root, thanks to some hints here and Gunroot.
Mainly a newbie to pentesting and Linux world in general so it’s fair to say I learnt a lot about what you can do :smile:

No idea how to get user.txt, I feel like I’ve looked around everywhere, can someone point me in the right direction? Thank you.

@PapyrusTheGuru said:

No idea how to get user.txt, I feel like I’ve looked around everywhere, can someone point me in the right direction? Thank you.

It’s difficult to answer this because the simplest non-spoiler answer is to enumerate. Look in the files and folders. Make sure you know what you’ve found and don’t assume that because something looks like a random string of characters it isn’t useful.

But there’s a lot of data to work through. Unfortunately, this is realistic - you might do a pentest and land on a box which has 30 users’ documents and you have to go through terabytes of tedious stuff to see if they’ve left credentials out.

The main thing I can say is don’t go too far from where your shell lands. Look at the files. If it’s encoded, decode it. If it’s hashed, try to crack it. Etc.

Is there a tool that can automate this enumeration process? I have tried to zip the interesting directory and copy it to my machine, and I’ve been using grep with a certain ‘rocking’ wordlist hinted at in this thread, but so far the only thing I’ve managed to achieve is freezing my VM due to the grep errors caused by unescaped characters in the wordlist. Am I on the right path or am I digging in the completely wrong direction?

@0xR3tr0z said:

Is there a tool that can automate this enumeration process?

Not that I know of, but if you found yourself doing this a lot it might be worth creating one.

You can possibly script it with some bash.

I have tried to zip the interesting directory and copy it to my machine, and I’ve been using grep with a certain ‘rocking’ wordlist hinted at in this thread, but so far the only thing I’ve managed to achieve is freezing my VM due to the grep errors caused by unescaped characters in the wordlist. Am I on the right path or am I digging in the completely wrong direction?

You might have pulled down too much data but you are definitely in the right area. I don’t think running grep with a wordlist will get you what you need.
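An added example, not code from this thread, showing the kind of bash enumeration helper TazWake suggests scripting: it walks a directory tree and reports credential-looking lines, base64-looking tokens that decode to printable text, and hash-shaped strings. The sample tree, file names and values are constructed for the example. On the wordlist problem mentioned above: grep treats each wordlist line as a regular expression unless you pass -F, so lines containing characters such as ( or [ produce errors; grep_wordlist below uses -F for that reason.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a small post-foothold file triage helper.
# It walks a directory tree and reports the three things the advice above points
# at: credential-looking lines, base64-looking tokens (decoded when the result is
# printable text), and hash-shaped strings. All paths and values are constructed.

set -u

# Keyword pattern we write ourselves, so extended regex is safe here.
CRED_RE='(pass(word|wd)?|secret|token|api[_-]?key)[[:space:]]*[=:]'

# Lines that look like stored credentials, printed as file:line:text
find_keyword_hits() {
  local dir="$1"
  grep -rIniE "$CRED_RE" "$dir" 2>/dev/null || true
}

# A user-supplied wordlist is full of regex metacharacters; -F treats each
# line as a fixed string, which avoids the "unescaped character" errors.
# Huge lists are still slow and memory-hungry, so trim to a few thousand first.
grep_wordlist() {
  local dir="$1" wordlist="$2"
  grep -rInF -f "$wordlist" "$dir" 2>/dev/null || true
}

# Base64-looking tokens that decode to printable text, printed as token<TAB>decoded
find_base64_blobs() {
  local dir="$1" tok decoded
  grep -rIhoE '[A-Za-z0-9+/]{12,}={0,2}' "$dir" 2>/dev/null | sort -u |
  while IFS= read -r tok; do
    # pure hex runs are far more likely hashes or ids than base64; skip them
    case "$tok" in *[!0-9a-fA-F]*) ;; *) continue ;; esac
    # base64 output (padding included) is always a multiple of 4 characters
    [ $(( ${#tok} % 4 )) -eq 0 ] || continue
    decoded=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || continue
    [ -n "$decoded" ] || continue
    if ! printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
      printf '%s\t%s\n' "$tok" "$decoded"
    fi
  done
}

# Strings shaped like common hashes: crypt-style $id$salt$hash, or 32/40/64 hex digits
find_hash_like() {
  local dir="$1"
  {
    grep -rIhoE '\$[0-9a-zA-Z]+\$[^[:space:]:]{8,}' "$dir" 2>/dev/null
    grep -rIhoE '[0-9a-f]{32,64}' "$dir" 2>/dev/null |
      awk 'length($0)==32 || length($0)==40 || length($0)==64'
  } | sort -u
}

# Constructed sample tree (every path and value here is invented for the example)
make_sample_tree() {
  local root="$1"
  mkdir -p "$root/app/config" "$root/app/cache"
  printf 'db_host=localhost\ndb_pass=S3cretValue\n' > "$root/app/config/settings.ini"
  printf 'token=%s\n' "$(printf '%s' 'user:hunter2' | base64)" > "$root/app/cache/session.dat"
  printf '%s\n' 'root:$6$examplesalt$constructedNotARealHash0123456789' \
                'www:0123456789abcdef0123456789abcdef' > "$root/app/cache/users.db"
  printf 'nothing to see here\n' > "$root/app/readme.txt"
}

triage() {
  local dir="$1"
  echo "== credential-looking lines =="; find_keyword_hits "$dir"
  echo "== decodable base64 tokens ==";  find_base64_blobs "$dir"
  echo "== hash-shaped strings ==";      find_hash_like "$dir"
}

# Stand-alone run against the constructed tree
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
triage "$demo_dir"
rm -rf "$demo_dir"
```

Point triage at the directory your shell landed in rather than at / : the output is only useful when it is small enough to read, which is the same reason pulling the whole filesystem down and grepping it with a 14-million-line wordlist tends to end in a frozen VM.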

Thanks @ChefByzen, I enjoyed this machine a lot. Just the right amount of CVE, guessing and enumeration.

Hints:
Foothold - check what is used and how old it is. Do it by hand if sploit fails.
User1 - search for interesting files, find interesting pattern. Maybe ask chef if he can help you.
User2 - check how can you login with that username. What would you use if you are User1?
Root - you are going places. Google if you are already famous?

Rooted!
Took me about 2 hours to work out how to get the bus hhhhhh

Hey guys! I need a hint. So I have a ww-dta shell and got decrypted creds for pl and nv, but I can’t drop into their accounts because the w*-d*ta shell doesn’t take input, like su, and ssh requires a key file. Should I enumerate next too?

@MillyBilligan said:

Hey guys! I need a hint. So I have a ww-dta shell and got decrypted creds for ************* but I can’t drop into their accounts because the w**-d*ta shell doesn’t take input, like su, and ssh requires a key file. Should I enumerate next too?

Have you tried getting a better shell?

Rooted. Happy to take PMs but I may not check often.

@MillyBilligan said:

Hey guys! I need a hint. So I have a ww-dta shell and got decrypted creds for pl and nv, but I can’t drop into their accounts because the w*-d*ta shell doesn’t take input, like su, and ssh requires a key file. Should I enumerate next too?

How did you decrypt the creds of n*v? I was only able to decrypt pl’s creds.

Could someone give me a hint? I found the /CeN*/ L**** p*** and now I don’t know what to do with it. I found it almost by accident, without dirbuster.

@Limpskinz said:

Could someone give me a hint? I found the /CeN*/ L**** p*** and now I don’t know what to do with it. I found it almost by accident, without dirbuster.

There is no need for dirbuster to get the shell. Just read everything on the webpage and use Google.

@gs4l said:

@Limpskinz said:

Could someone give me a hint? I found the /CeN*/ L**** p*** and now I don’t know what to do with it. I found it almost by accident, without dirbuster.

There is no need for dirbuster to get the shell. Just read everything on the webpage and use Google.

After some googling I found an et, and after running it I’m in a sl as www-data with a suspicious file named ex*** and a lot of .php files. Am I on the right track?

@TazWake said:

@PapyrusTheGuru said:

No idea how to get user.txt, I feel like I’ve looked around everywhere, can someone point me in the right direction? Thank you.

It’s difficult to answer this because the simplest non-spoiler answer is to enumerate. Look in the files and folders. Make sure you know what you’ve found and don’t assume that because something looks like a random string of characters it isn’t useful.

But there’s a lot of data to work through. Unfortunately, this is realistic - you might do a pentest and land on a box which has 30 users’ documents and you have to go through terabytes of tedious stuff to see if they’ve left credentials out.

The main thing I can say is don’t go too far from where your shell lands. Look at the files. If it’s encoded, decode it. If it’s hashed, try to crack it. Etc.

Understood. Nonetheless, thank you so much! I appreciate whatever help I can get :slight_smile:

@TazWake said:

@MillyBilligan said:

Hey guys! I need a hint. So I have a ww-dta shell and got decrypted creds for ************* but I can’t drop into their accounts because the w**-d*ta shell doesn’t take input, like su, and ssh requires a key file. Should I enumerate next too?

Have you tried getting a better shell?

Yeah, I tried to upgrade the shell but nothing… Should I search for a file on the machine that can help me?

@MillyBilligan said:

Yeah, I tried to upgrade the shell but nothing… Should I search for a file on the machine that can help me?

It might be better to try and work out why the upgrade isn’t working. I don’t think there is anything else on the machine which would be useful.

I’ve got both users but now I am stuck at root. I’ve found the relevant article but I am not sure what to do after it. As far as I understand, the exploit helps make r***-owned files, but I am not sure how I should be using it (considering the fact that I’ve logged in as User2 but I don’t have the password, so I can’t use sudo either).

A nudge would be much appreciated.

@0xR3tr0z said:

I’ve got both users but now I am stuck at root. I’ve found the relevant article but I am not sure what to do after it. As far as I understand, the exploit helps make r***-owned files, but I am not sure how I should be using it (considering the fact that I’ve logged in as User2 but I don’t have the password, so I can’t use sudo either).

A nudge would be much appreciated.

You don’t need to use sudo. Just stay at home and make sure to list all files; you will see something interesting!

STOP RESETTING THE MACHINE.
THE RESET BUTTON IS NOT A “PRESS ME, I’M A FUNNY BUTTON”.