For user:
Does getting the right username require guessing? I found 4 usernames and 3 passwords, tried all the combinations and none worked. (on the higher port)
I'm trying to do a username brute force for now.
Check out a particular script from impacket that could help enumerate usernames.....
lo******d.p*
Comments
Rooted.
I spent hours not knowing what to do, but after a while, when doing something else, I learned that there is a bug in my system, in one of my tools that was necessary to get root haha... Apparently the first thing I tried was actually the right thing, but it didn't work because of that... oh well. Things like this happen. That's why it's important to keep notes - otherwise I would have forgotten why I thought that that wasn't the case, and I wouldn't have tried it again after I learned about the bug.
Anyway, feel free to PM me.
Guys, I found my problem thanks to @lackofgravitas . I used hashcat with the --force option in my VM, and this gave me a wrong password. So, thinking I had the correct passwords, I tried to wordlist the username. This is not needed!
TIL: don't run hashcat with --force in a VM
@UCLogical said:
I'm having the same issue. hashcat with vmware --force is giving me an incorrect password. john did the same. using rockyou.txt
Where's a good list of these enumeration basics everyone keeps talking about? This is what I currently use as reference:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf#h.9htblqaresn8
https://guif.re/windowseop
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
I see the process everyone is talking about for root, but do you normally just start messing with processes like this on normal pentests? How can I know what files that process uses, because it sounds like whatever root needs is in memory or on disk?
Quick question for anyone who has the time:
Am I meant to be able to successfully login/authenticate to the w***m service using the h****d account? Or, am I meant to do password guessing against the users obtained from l*******d.py ? Any help is appreciated
If you're using metasploit, the winrm modules don't work with the correct creds while the previously mentioned ruby scripts do work for it (like the shell version from alionder.net)
You'll need to crack all three passwords and try the users from l*******d.py with those passwords
edit got it
Do you need to brute force the profile password after getting user?
@StevenKennyIT said:
To help you, there is a module on metasploit which lets you test username-password pairs on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see what and how many combinations are correct.
PS: That module does not let you log in, but finds the right combination
Complicating the root process myself. Just keep enumerating, there's no need to do it in a fancy way. PM me for hints.
Finally rooted and user'd
Thanks, @MinatoTW for such an amazing experience, that's my second box, and it was really fun and kinda hard for me.
Thanks to @jorgectf for his time and hints he provided
@L1vra said:
Thanks mate, this was the best advice received from many, thanks a ton. #Happyhacking
If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments). And remember to +respect me if I helped you ; )
Discord-cycl0ps#5219
Telegram-cycl0ps
@Phase said:
Hi,
I want to use this script with a password I found in the attachment. There's a ")" in the password and the script gives me errors. Any idea?
I'm stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?
I like this box; great job author.
I'd say there are a number of misleading hints in this thread leading to rabbit hole(s). Don't rely on tips in here and figure it out on your own.
If you want to use a value with a ")" or similar in it enclose the value in quotation marks. E.g. "aaaa)aaaa".
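Added example of the quoting problem from the post above (not from the thread or any tool it names; the script path and credential values are placeholders): an unquoted ")" is parsed as shell syntax and the command never reaches the script, while a quoted value arrives intact.

```shell
#!/bin/sh
# Added example: why a ")" inside a password breaks an unquoted command line,
# and how quoting keeps the value whole. All values below are constructed
# placeholders; ./script.py stands in for whatever tool is being invoked.

PASSWORD='aaaa)aaaa'   # constructed sample password containing ")"

# Builds a "DOMAIN/user:password@host" style argument with the password
# expanded inside double quotes, so the shell never parses the ")".
target_arg() {
    printf 'DOMAIN/user:%s@10.0.0.1' "$PASSWORD"
}

# Runs the same argument unquoted in a child shell. There the ")" is read as
# shell syntax and the command fails to parse. Returns 0 when that failure
# is observed, which is the behaviour this example demonstrates.
unquoted_fails() {
    if sh -c 'printf "%s\n" DOMAIN/user:aaaa)aaaa@10.0.0.1' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    echo "quoted argument  : $(target_arg)"
    if unquoted_fails; then
        echo "unquoted argument: shell syntax error, as expected"
    fi
    # How the real call would look (placeholder script name):
    #   python3 ./script.py "DOMAIN/user:${PASSWORD}@10.0.0.1"
}
main
```

Single quotes also protect `$` and backticks; inside double quotes a password containing `$` would still be expanded by the shell.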
Thank you.
I'm honestly embarrassed about how long it took me to look in that directory to get root. Spent hours fumbling around nearby. But, I'm better with that interface and those search commands than I was.
Overall, it was a fun box. Now I've gotta go delete some things from my Windows box...
@bergi said:
Watch the processes, you will find something interesting.
@ivnnn1 said:
use hashcat and choose the format of hash correctly
Anyone online? I have 3 passwords... I can authenticate on 445 with a username and password, but can't seem to use the winrm shell etc. to progress, even after using the ruby code. Any help appreciated
@Seepckoa said:
I already tried but didn't find anything, because I am not really sure what I am even looking for.
Rooted in a different way than the "process way". Would be curious to hear how others did using the "process way". Feel free to PM for discussion or nudges.
Banging my head against a wall with the l*****.*y tool. Cannot get it to return anything...
Disregard! Onto user!
Nice machine!
Some hints:
User: after getting the first user, use it to enumerate more users.
Root: where is user app information stored in Windows?
Just to be clear, the "process way" is the real way. The other way is due to some idiot doing stupid stuff online.
Don't let the box pwn you!!
Hey, can I get a hint about "Heist"? I found a password, then I cracked it. I have usernames and passwords. But I don't know how I can use this information. I couldn't find the user account inside the machine. What should I do? Please PM...
Stuck on user
successes:
* using l*******d enum
* cracking 3 passwords
failures:
- using evil-winrm (used all users with passwords cracked)
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
Error: Can't establish connection. Check connection params
Error: Exiting with code 1
Can someone please DM me to help with using the ruby code?
@krypt0cat said:
> Stuck on user
> successes:
> * using l*******d enum
> * cracking 3 passwords
> failures:
> - using evil-winrm (used all users with passwords cracked)
> Info: Starting Evil-WinRM shell v1.6
> Info: Establishing connection to remote endpoint
> Error: Can't establish connection. Check connection params
> Error: Exiting with code 1
> Can someone please DM me to help with using the ruby code?
Evil-WinRM works fine too. You just have to find the right combo of your obtained information about the users and the cracked passwords. Try every combination, there are not so many