The host that I thought would be an easy root turned out to be a bit more difficult than I anticipated. I am still confident that my path to exploit is still the right track, I just need to “try harder” in order to get any form of execution. I found a write-up last night that I think covers exactly what I need with just a bit of modification. I did manage to root Ralph last night. The obvious exploit was simple but requires some additional infomration in order to be successful. This was the first clear case of “enumerate everything”.. Really, if you feel that you have enumerated enough and there is a single file you haven’t throroughly investigated - you are not finished. Once I had the information I needed, it was a matter of getting my shell and with a few windows commands later I had everything from him that I needed.
So far I have not came across anything too unusual, though I have had some moments where I wanted to bang my head against a wall for missing something so obvious. KISS - Keep It Simple Stupid, really applies here. I’ve tried going down crazy exploit paths when there was a very simple one right there. Sometimes it is literally as easy as just looking. As it stands I have the credentials for two - Ralph and Alice. I haven’t been able to PTH or use them, but I do have both of the plain-texts after a bit of cracking. I don’t know for sure that any of these will lead to anything, but I definitely want to keep track of them.
Three down and a lot more to go!
Roots: Alice, Mike, Ralph