Resolute

Comments

  • edited May 2020

    Amazing machine. Humbled me too much.

    C:\Users\Administrator\Desktop>whoami 
    whoami 
    nt authority\system
    
    C:\Users\Administrator\Desktop>ipconfig
    ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter Ethernet0:
    
       Connection-specific DNS Suffix  . : 
       IPv4 Address. . . . . . . . . . . : 10.10.10.169
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.2
    

  • Really good box! I was nervous seeing there was no HTTP service like usual but it really helped me learn about some new tools and Windows! Thanks to the creator!

  • Rooted! Interestingly, I was able to root this machine much more quickly than my previous Windows boxes, Sauna and Monteverde. As if what I have learned so far was being put to good use. All the useful hints are already available on this forum thread.

    user1: be diligent with your enumeration, I didn't expect to find the useful bit of information there, but I did it anyway, and it's there.
    user1->user2: hunt for a hidden place
    user2->root: check his group, what he can do with it, and inject the exploit

  • Argg..
    So I've got access to R & I've got a possible payload with I'm Packett running.....
    But I can't get access to it from R no matter what.
    All fine locally...
    Tried usual dir //somenumbers/etc.....am I missing something?

  • edited May 2020

    Hello, I obtained user access but I have a problem with root access:
    the victim (resolute) doesn't come to me to pick up the payload on my SMB server. Could you help me? (No connection to my SMB server, but it listens well):

    impacket-smbserver -debug share /tmp
    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed

    And I execute the dnscmd command on the server with the good options normally...

  • edited May 2020

    Finally got root.
    Delays were I admit my own fault, maybe trying too hard?
    Had to stop and start the root side from scratch.

    Think my neighbors are wondering what's happened.....bit of a cheer when that rev shell started working.

    Good box, learned a lot.
    Not to mention checking and trying the simplest solutions first.

  • Rooted. Good box, learned a ton. Be patient, what you tried once (or more times) that didn't work may suddenly start working. I suppose that is how it goes with shared boxes.

  • edited May 2020

    Ugh. Literally have every command set up for privesc to execute quickly but the damn box keeps timing out connections after one or two commands. Traceroute keeps going from one hop to 30 and timing out. VPN connection shows as stable too. Anyone else have issues with it? Tried on EU, AU, and USA servers.

  • Rooted. I learnt a lot, thanks to the creator of the machine.

    User: automatic enumeration and brute force are enough to get the credentials.

    User2: enumerate what you cannot see.

    Root: check privileges, google and create your payload. Msfvenom is your friend.

    If you need any nudge, feel free to PM me.

    antz
    If I helped you, it would be great to get your respect, and vice versa.

  • Rooted. Fun box.

    PM me for hint.

    User: Very easy. Enumerate service.
    Root: I liked this method technically. It's pretty easy to do. Check services and search google.

  • Rooted Finally!! Great Box
    User1: Enumerate all the services running. Sometimes peace is found underneath the trees of the forest
    User2: Some things are just there, you should be able to look at everything
    Root: What can I say, I tried the d** injection exploit. You should know the exploit beforehand, otherwise it's difficult to find. Groups are your friends.

    Also, if anyone would dm me about the second method to root, I will highly appreciate it :)

  • Could use some help with the last step to root. I believe I know what to do, however I can't get the command to call back to me at all. It says it was successful but I'm not seeing anything calling back.

    Anyone else seen this? I don't seem able to check the registry so can't verify if the command has taken hold.

    Many thanks
    Wns

  • Another great and funny box! Thanks @egre55

    FOOTHOLD: enum4linux and test with each one
    USER1: WinRM, take your magnifying glass and/or your shovel
    USER2: enumeration (groups...)
    ROOT: find the right SERVICE NAME to use

    Fr0Ggi3sOnTour

  • Got first user as m****** but having trouble getting second user while using the shell with e*** ***** and searching the different files and folders.

    Any suggestions?

  • edited May 2020

    I would really appreciate some guidance over the root exploitation. It might be that my Windows skills are not that good, read all the forum and still not clear what to try, user was found (m******), but cannot advance anymore. Please PM me if you wish to help. Thanks!

    Piartz

  • Awesome box, learned new ways to attack AD, thanks!
    PM for nudges

  • Finally rooted. It was my second Windows box and I learned many things from this box. The frustrating part for me was the priv esc because of some issues in my s********.p*. Anyway, after hours of googling, sorted it out and got the root.txt

  • Rooted, PM me if you need help :)

    Write ups FR : https://hackingdom.io/

  • Rooted!! This box is very interesting...
    But the enum phase is crucial to the other steps. I spent time on privilege escalation and getting the remote file. The groups in this system were essential to open my mind.

    Great box!

  • Hi, can anyone PM me to give nudges? I've found m******* creds and can't find any other useful services... Now I'm a little stuck...

    d3thman

  • D*****ins INJECT doesn't work!! According to the information on Google, it doesn't seem to work properly. I wasted a few hours here. Need help, please PM me, thanks

  • @n00baaa said:

    D*****ins INJECT doesn't work!! According to the information on Google, it doesn't seem to work properly. I wasted a few hours here. Need help, please PM me, thanks

    Oh, rooted it! This road is right. Sometimes "smbshare".py has problems; maybe using " -smb2support -debug " would be better. If it doesn't work, just try again and reset the box........

  • Got root there after a serious headache.

    Tried the DLL way for a few hours, 100% sure the syntax of my commands and the payload were correct and it wasn't working. Possibly because it was on a free box.

    Used the msf module instead, wish I'd done that from the start, only took a minute.

  • Nice box, learned a curious way to get root, nice work @egre55 !!

    666snippet

  • Awesome box, I always love learning LDAP enum methods. Thanks @egre55 for a fantastic box!! Any help I can be to anyone, shoot me a DM. Thanks.

  • Is it normal that SMB doesn't respond? Seems to be down.

  • @g1anma5 said:

    Is it normal that SMB doesn't respond? Seems to be down.

    SMB being down isn't normal.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited May 2020

    Possible Spoiler Removed
    Is it supposed to be that way? It should not be, I guess

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

  • @ev1lm0rty said:

    Is it supposed to be that way? It should not be, I guess

    Chances are someone else left it in an unstable state when they rooted it. You can test this by resetting the box and trying it again (the password won't have changed).

    Alternatively, you have a valid short cut to root.

    TazWake

  • Well I'll try that. Requested a reset.