Hello there gents...

I am a programmer trying to break in the Sec business...
I'm excited about all the new things to learn and cool people to meet here.

I have a question, i don't know if anyone here can offer some guidance.

I am "technically" done with the Practical part of the CPT as i've gained the root passwords for both of the VM's however, the instructions given to me dictate that i do a privilege escalation exploit on the second VM after i have obtained some level of access...

i did get root to the first VM and after getting all of the accounts on that one i got user level access to the other VM but after trying a gazzilion things i finally gave up and "pretended" i had physical access to the second VM, booted up a live image, got a copy of the shadow file to my attack VM via SSH and then managed to crack the root password with john.

Do you think this will be a problem? in the end i got the existing root pass which was my assignment but i am not sure if the CPT people are going to like the way i got the shadow file.

i know there are multiple ways to skin a cat but my expertise level was obviously not enough to do a local privilege esc.

Any help of guidance would be greatly appreciated.

ps: i dont want someone to tell me how to do it, i have really enjoyed the challenges and want to "EARN" my cert, however, i dont want to send my report like this and end up failing.

THANKS!

Good info, i will shoot them an email to ask...

does anyone have any pointers as to what angle to pursue for the local exploit?

I have downloaded, complied and ran about 30 to 50 different exploits with no success, i also spent a considerable amount of time exploring remote options with metasploit also with no success...

i've tried to attack services running as root, snmp, scripts etc... i really don't know what i'm missing here and im fresh out of ideas!!

Again, im not looking for someone to tell me how, but with my lack of linux experience im afraid the answer is staring right at me and i cant see it.

I did not do the boot camp with infosec, i'm doing the online course. and the info on the videos seems and feels a little outdated.

aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW's for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.

Weird how we all have different experiences. I got the password in under an hour (maybe 30ish or so minutes). Local "kernel" compromise/escalation (spoiler alert there) took me about 10 minutes off the uname.

I try to tell / write / inform testers, one needs to literally get a storage device, create dirs (Windows, Linux, Solaris, etc) then subdivide those folders into something like Local/Remote further subdivided again:

Exploits/Windows/Local/XP/Microsoft
Exploits/Windows/Local/XP/3rdParty/RealPlayer

Exploits/Unix/Linux/Local/Kernel/2.6.13
Exploits/Unix/Linux/Local/Kernel/2.6.20
Exploits/Unix/Linux/Local/Kernel/2.6General

Then go from there. On real world scenarios it cuts down so much time. If you REALLY wanna be spiffy  about it, get yourself some cloud storage so you can ALWAYS download your tools at will

Sometimes it not about finding a kernel level exploit that matches your EXACT kernel. Sometimes its about finding one that causes an outcome and investigating from there. E.g., If you're on say 2.4.20 and you can find something like a 2.6 exploit, try to see what occurs when running. Does it crash an application, if so can you figure out what its doing via gdb.

I think that ISI has different exam images. Its a good thing, if you did some looking, you can find an report but while the usernames were the same as my exam, all of the root passwords were different.