[HTB] MonitorsThree
by celsius - Saturday August 24, 2024 at 05:26 PM
#81
(Aug 25, 2024, 12:36 AM)rootme1122 Wrote:
(Aug 25, 2024, 12:34 AM)upl04d3r Wrote:
(Aug 25, 2024, 12:33 AM)olkn00b Wrote: any tip on how to get from www-data to marcus?

find database and hash

 after that????????

ohh really? you have hash user password, maybe try hashcat
#82
from www-data to marcus: check /var/www/html/cacti/include/config.php where you'll find database connection credentials, connect to mariadb and get the password hash of marcus, crack it and you got your user flag

Any idea on privesc from duplicati to root?

#83
(Aug 24, 2024, 10:39 PM)mascon Wrote:
(Aug 24, 2024, 10:21 PM)noidontwant Wrote:
(Aug 24, 2024, 10:06 PM)teky Wrote: can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

(Aug 25, 2024, 12:30 AM)aasdawejkasjdkasd Wrote: They aren't really trolling.
Create a backup from /source/home/marcus to /source/tmp/test1
Restore created backup to /source/tmp/test2

Get id_rsa


I jumped a step. You can do this for the root flag directly without even getting marcus.

#84
(Aug 25, 2024, 12:52 AM)aasdawejkasjdkasd Wrote:
(Aug 24, 2024, 10:39 PM)mascon Wrote:
(Aug 24, 2024, 10:21 PM)noidontwant Wrote:
(Aug 24, 2024, 10:06 PM)teky Wrote: can somebody drop the hash this shit is taking forever

dont do time-based, other injection methods work too

The only thing that worked was Stacked Query, basically changing the admin password hash to something like md5 of '1234' and using that pw to login, but I don't see anything interesting and the hashes can't be cracked with rockyou and john.

What do you mean it's faster? Elaborate please

(Aug 25, 2024, 12:30 AM)aasdawejkasjdkasd Wrote: They aren't really trolling.
Create a backup from /source/home/marcus to /source/tmp/test1
Restore created backup to /source/tmp/test2

Get id_rsa


I jumped a step. You can do this for the root flag directly without even getting marcus.

What are the exact steps you did?

I did create a backup for /root/root.txt and stored it in /tmp/flag
Then every time I do a restore backup I get ``Failed to connect: No filesets found on remote target``

#85
(Aug 25, 2024, 12:41 AM)wtfduw Wrote: from www-data to marcus: check /var/www/html/cacti/include/config.php where you'll find database connection credentials, connect to mariadb and get the password hash of marcus, crack it and you got your user flag

Any idea on privesc from duplicati to root?

you don't need to do any of that, you can just set marcus password in cacti, but I can't connect to marcus via ssh, it's not allowed with a password.

www-data@monitorsthree:/tmp$ cat /etc/ssh/sshd_config | grep -i PasswordAuthentication
<tc/ssh/sshd_config | grep -i PasswordAuthentication
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication


what am i doing wrong?
Reply
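The `grep -i` in the post above also matches commented-out lines, so its output does not show on its own which value sshd applies. As an added example (not part of the original post), this Python sketch resolves a keyword the way sshd does: the first uncommented occurrence wins and `Match` blocks override per connection. The sample config, the `backupsvc` user and the function name are constructed for illustration.

```python
import re

# Constructed sample: the comment lines come from the grep output above;
# the duplicate setting and the Match block are added assumptions.
SAMPLE = """\
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
PasswordAuthentication yes
Match User backupsvc
    PasswordAuthentication yes
"""

def effective_option(config_text, keyword, default=None):
    """Return (global_value, overrides) for one sshd_config keyword.

    sshd uses the first value it obtains for a keyword, so later
    duplicates are ignored. Lines inside a Match block apply only to
    that block. Include files are not followed by this sketch.
    """
    keyword = keyword.lower()          # keywords are case-insensitive
    global_value = None
    overrides = []                     # (match criteria, value) per block
    current_match = None
    seen_in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # comments never set a value
        # keyword and argument are separated by whitespace or one '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if name == "match":
            current_match, seen_in_match = value, False
        elif name == keyword:
            if current_match is None:
                if global_value is None:
                    global_value = value
            elif not seen_in_match:
                overrides.append((current_match, value))
                seen_in_match = True
    if global_value is None:
        global_value = default
    return global_value, overrides

if __name__ == "__main__":
    print(effective_option(SAMPLE, "PasswordAuthentication", default="yes"))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; pass `default="yes"` here because that is OpenSSH's default for `PasswordAuthentication`.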
#86
I'm curious to know how you guys got the cacti creds, I found the 4 hashes through SQLi, but none was cracked using hashcat
hashcat -m 0 -a 0 hashes.txt rockyou.txt
Session..........: hashcat
Status...........: Exhausted

#87
for marcus : 12345678910 don't waste time

after marcus port forward 8200 ... and bypass auth
https://medium.com/@STarXT/duplicati-byp...4d6991e9ee

#88
(Aug 25, 2024, 01:25 AM)osamy7593 Wrote: for marcus : 12345678910 don't waste time

after marcus port forward 8200 ... and bypass auth
https://medium.com/@STarXT/duplicati-byp...4d6991e9ee

Thanks, I don't waste time, I just want to take my time to understand.
Having marcus password was easier using the below :
.\hashcat.exe -m 3200 .\marcus.hash .\rockyou.txt

#89
You need to use -m 0
#90
i got duplicati db file and just browsing it, what next? all i see is file:///source/opt/backups/cacti/

em too sleepy maybe. Tell me guys what to do? em dumb rn. wont sleep until i find root flag