Root password of any linux machine?

Hello guys, was wondering if anyone can PM me the root password of an either active or retired machine. Using john takes too long. All I need is the root password to ssh to it in order to learn pivoting tests from Ippsec’s videos.

Thanks ahead!

If you’re not VIP, you cannot access retired boxes. If you’re not accessing retired boxes, you’re basically asking for free-flags and cannot be bothered to take the 10 minutes it takes to break an easy machine. If you’re not bothered breaking an easy box, what do you really expect to learn on this platform? Maybe a simple VM multi-linux setup on your home computer is a better solution for you?

I am VIP, and I have broken into 7 retired and 2 currently active machines none of which actually gave me the root password. As I said, I have root - meaning I have the passwd and shadow files but de-crypting them takes too long with john without rainbow tables, that is why I am nicely asking someone who has de-crypted the passwords or actually gotten them somehow, to share them with me so I can ssh as root in order to do more pivoting tests.

@hendrikvb said:
If you’re not VIP, you cannot access retired boxes. If you’re not accessing retired boxes, you’re basically asking for free-flags and cannot be bothered to take the 10 minutes it takes to break an easy machine. If you’re not bothered breaking an easy box, what do you really expect to learn on this platform? Maybe a simple VM multi-linux setup on your home computer is a better solution for you?

I might have misunderstood the question here. If you want the root password which comes from a passwd+shadow file, you need to tell people where you got the data.

If I give you the root password to box X it won’t help you get into box Y.

If you are following an Ippsec video on a specific box, he will show you how to do it. I actually love his tutorials.

If you have a box on HtB which is taking more than about an hour to crack, you are probably doing it wrong. Not every box needs you to crack root passwords and shell in. You have already got system on 7 machines, use one of them.

Basically this all revolves around the question being a bit vague.

If you are just looking for any box to practice pivoting on, then spin up a default Ubuntu 12.04 vm where you can practice exploiting vulns and migrating services.

If you have already broken boxes, just use those for your pivots. You don’t need root password. Plus, if you do it on boxes where root password is not exposed, it won’t matter if you change it in the chance that you do need to password.

A lot of the machines like devoops also have an ssh pvt key in the root directory. If you finish those machines, you can copy the key and enter as root anytime you want.

If you have root, why don’t you just, you know, replace the password with whatever you want?

Best not to change passwords unless absolutely necessary as part of an exploit (rarely needed) as this may spoil it for others if the password/hash (think e.g. pth) is required as part of an intended way to exploit the box. There may be more than one way to exploit a box so don’t assume either.

If you want direct root access for further examination of the box (depending on the security config e.g. ssh is available) just create another root user (e.g. using your HtB name so people have a clue it has been added) or e.g. add your public key to authorized_keys for ssh access, etc.

When finished always clean up and undo your changes.

Well obviously changing the root password could screw up the box for other people. But as @it4chi said, I guess I can look for the private ssh key in one of the machines I completed.

But basically, it would be easier if anyone could just give me a root password to a retired machine so if I am going to ssh to it, I don’t need to ssh to the non-root user, nor use metasploit in order to get root. The machines are retired anyways and have writeups, why are you guys being so weird?

And yes I could create another root user on a completed box, but then again, if someone resets it I have to do the whole thing over again.

sounds like you need a home lab

Here’s another thing… if you want root password for retired machine, it means people have found it through normal approach (as it otherwise would not have been known). Why not make it a learning experience yourself and walk through the writeup (or even just read the writeup and see if it’s there). It may be me but it sounds like you’re trying not to put the effort in to learn :wink:

I am most certainly trying to put in the effort, that’s why I am here! My logic was to do the retired machines in order to expand my knowledge so I can do more active ones.

Thank you for the help anyways! :sunglasses:

This is why I think a lot of the problem is around the vagueness of the question.

The retired machines have write-ups, so you can follow that and expand knowledge or even just follow that and extract a root password if that’s important.

If you simply want to practice pivoting from one foothold to another, then the best option is to spin up an old Ubuntu distro and turn everything on (web, MySQL etc). Then you have the root password and can carve it to bits without spoiling anyone else’s activities or risking a reset mid exploit.

If you are following an Ippsec tutorial then you probably should use the box he is talking about.

If you want the root password to a specific box (whichever one you were running John against), then you need to ask about that box. Getting the password to a different one won’t help you. If you have carved the shadow file off a box, you might already have ways to get all the root privileges you need.

As @it4chi advised, I completed the Dev0ops machine and got a private ssh key which I can use anytime.

Basically got what I wanted. Thank you all again!

Awesome

Glad you got a leg up. It would be a good idea to read the ssh man page and understand why you do not need the root password or even the root private key to ssh in as root, and therefore do pivots.

You don’t need the password to do ssh pivoting.
Just add your Kali /root/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on a box you have root access to.
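
For the clean-up step mentioned in the thread, an added example (not part of any post above) that lists extra UID 0 accounts and authorized_keys entries still present on a lab box you administer. The sample passwd text, key blobs, comments and allowlist are constructed placeholders, and the option parsing is simplified.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def uid0_accounts(passwd_text):
    """Every account name whose UID field is 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names

def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """(fingerprint, comment) for each key that is not in the allowlist."""
    found = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key type, so locate the type token first.
        # Simplification: quoted options containing spaces are not handled.
        for i, tok in enumerate(tokens[:-1]):
            if tok in KEY_TYPES:
                fp = fingerprint(tokens[i + 1])
                if fp not in allowed_fingerprints:
                    found.append((fp, " ".join(tokens[i + 2:])))
                break
    return found

# Constructed sample data: the blobs are placeholder bytes, not real keys.
BLOB_ADMIN = base64.b64encode(b"constructed-admin-key").decode()
BLOB_EXTRA = base64.b64encode(b"constructed-extra-key").decode()
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
                 "labuser:x:0:0::/root:/bin/bash\n")
SAMPLE_KEYS = (f"ssh-ed25519 {BLOB_ADMIN} admin@lab\n"
               f'from="10.0.0.5" ssh-rsa {BLOB_EXTRA} root@kali\n')
ALLOWED = {fingerprint(BLOB_ADMIN)}  # keys that are meant to be there

if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("Unexpected keys:", unexpected_keys(SAMPLE_KEYS, ALLOWED))
```

Any UID 0 name other than root, or any key outside the allowlist, is a leftover to remove before leaving the box.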