Ypuffy

Can you give me a hint? I found hashes and a username. How do I use them?

Spoiler Removed - egre55

Spoiler Removed - egre55

Can anyone help nudge me with a pm for priv esc?

I think I have all of the necessary services identified. I can retrieve the output of my impersonated command, but am not successful using them as a credential. I am passing both the private and signed tokens with -i and see them being passed with -vvv, but the server is still denying access. Think I need just a little nudge.

@ZeusBot Look for a way to convert to a more useful format for your attack system.

I’m super stuck at the s********t stage, I have the hash but cannot seem to authenticate, pretty sure it’s something stupid – I’m not super familiar with this particular service (especially not when being used in this way). I keep getting a “Your credentials are bad” – any hints?

@jfredett said:
I’m super stuck at the s********t stage, I have the hash but cannot seem to authenticate, pretty sure it’s something stupid – I’m not super familiar with this particular service (especially not when being used in this way). I keep getting a “Your credentials are bad” – any hints?

man s*******t and see how to use the info you grabbed from the l**p

@sayyeah said:

@jfredett said:
I’m super stuck at the s********t stage, I have the hash but cannot seem to authenticate, pretty sure it’s something stupid – I’m not super familiar with this particular service (especially not when being used in this way). I keep getting a “Your credentials are bad” – any hints?

man s*******t and see how to use the info you grabbed from the l**p

Are you talking about the --**-**-** option? Or did I not RTFM hard enough. I probably didn’t RTFM hard enough.

@jfredett said:

@sayyeah said:

@jfredett said:
I’m super stuck at the s********t stage, I have the hash but cannot seem to authenticate, pretty sure it’s something stupid – I’m not super familiar with this particular service (especially not when being used in this way). I keep getting a “Your credentials are bad” – any hints?

man s*******t and see how to use the info you grabbed from the l**p

Are you talking about the --**-**-** option? Or did I not RTFM hard enough. I probably didn’t RTFM hard enough.

I am talking about the --**- **- ****

Anyway, I am still stuck after getting the user.txt

I must be missing something here… I’m logged in, know the thing with sudo, s**-k***** … but I don’t see where to privesc. Someone wants to help me?

Edit: I got the c**** command, seen a file where I found something about mry* … just stuck at the privesc… It should be pretty straightforward, but not seeing this.

Edit2: Got it.

@sayyeah said:

@jfredett said:

@sayyeah said:

@jfredett said:
I’m super stuck at the s********t stage, I have the hash but cannot seem to authenticate, pretty sure it’s something stupid – I’m not super familiar with this particular service (especially not when being used in this way). I keep getting a “Your credentials are bad” – any hints?

man s*******t and see how to use the info you grabbed from the l**p

Are you talking about the --**-**-** option? Or did I not RTFM hard enough. I probably didn’t RTFM hard enough.

I am talking about the --**- **- ****

Anyway, I am still stuck after getting the user.txt

Yah, I’ve got that, mind if I dm you my invocation – I can’t see anything super wrong with it, but it’s probably something dumb.

Thanks to @robel1889 for the hints, they were of great help.

Props to @AuxSarge for this machine, this was a great educational box - I still have questions about this box which I am looking into (the fact that even after I’ve rooted, I’m still looking into various tools to understand them better - i.e. why doing X doesn’t work, but doing Y does work - shows how good this box is for learning)

User flag isn’t difficult, it’s getting root that’s tough but worthwhile. Great box.

With help from the excellent @sayyeah, managed to get user this morning (helps when you type the names right, folks). Pretty lost on root, I have a harebrained idea about using s**-*****n to generate a cert ain file and maybe use that to curl up into the mostly dead service, but I’m pretty sure that’s not it. More enumeration while I ponder, I suppose.

EDIT: I think my original idea is a dead end, I’m just plain lost now. :confused:

@jfredett said:
With help from the excellent @sayyeah, managed to get user this morning (helps when you type the names right, folks). Pretty lost on root, I have a harebrained idea about using s**-*****n to generate a cert ain file and maybe use that to curl up into the mostly dead service, but I’m pretty sure that’s not it. More enumeration while I ponder, I suppose.

EDIT: I think my original idea is a dead end, I’m just plain lost now. :confused:

Although I don’t know what you mean by “the mostly dead service”, I am pretty sure that your original idea is a good one. :wink:

@bbz0r Oh? Maybe I just didn’t do it right. Hmm. My attempts at playful vagueness were unclear, but, uh – it’s the one service yet unused in any significant way, the one with the s*****h endpoint

@jfredett Ah! Got it (hence the verb you used ;))! So, that endpoint will probably provide crucial information to use in s**-*****n (I say “probably” because there are 2 similar endpoints but only one provides the desired info).

@bbz0r Yah, I found one of the endpoints (the one with c*.b) by looking at the config for that service, the sh endpoint is interesting because it seems to correspond to an interesting file that b1 had, but I haven’t quite figured out how to exploit it yet. I’m guessing that that file that b****1 had might describe something useful later, right now I’m still trying to figure out exactly how I can use this certain file. I’m not really familiar with this kind of usage, so it’s definitely a learning experience.

This box was a very cool way to learn about new systems and commands, especially the priv esc.

Can I pm someone on priv esc? I’ve enumerated the web service, and the structure of the requests it wants, but I don’t get anything other than what I currently have in hand. Will + rep for assistance.

Thanks to a nudge in the right direction from @23Y4D I finally got root. Cool box and cool learning experience!