Resolute


Comments

  • @TazWake said:

    @g1anma5 said:

    Is normal that smb doesn't respond? seems to be down.

    SMB being down isn't normal.

    After a reset, it seems to work properly.

    Finally ROOT! Fun and instructive Windows machine. User was easy. Root was hard for me, wasted a lot of time. Try hard!

    My hints:
    USER1: just enumerate all you can see...
    USER2: ...and you CAN'T see.

    ROOT: If you think that you are going the correct way, remember to restart the right service.

    PM me if you need more hints!

  • edited May 2020

    Rooted after 1.5 days of work.

    Users are pretty straightforward and people in this forum have already mentioned everything you need.

    Initial foothold - enumerate (a classic tool that comes installed with Kali). Use the value obtained and try it everywhere you can possibly find.

    User - Once you find the right credentials, this should be pretty straightforward.

    Root - You should have the credentials to 2 users by now, but you need to gain access to another user. To find it, imagine yourself as a user that tries to HIDE information from other users. That user can do some stuff related to d**, from here google your way to privesc. Just to note, off the shelf payload is fine but architecture is important!

    Hope this doesn't give away too much. If you need a nudge, feel free to PM me.

  • I'm struggling with the priv escalation part
    Tried dn**Adm dll injection several times
    I can't figure out the catch for the moment
    !!!! Any suggestions please??
  • @djnux said:

    I'm struggling with the priv escalation part
    Tried dn**Adm dll injection several times
    I can't figure out the catch for the moment
    !!!! Any suggestions please??

    Architecture of the target machine is important, make sure you are restarting the right service. Sometimes other people are on the machine doing the same things too.

  • The arch is x64 and then scxxx things
  • login with 1st user, now stuck with 2nd user r*** any tips??

  • @DeeKay911 said:

    login with 1st user, now stuck with 2nd user r*** any tips??

    You want to start looking around. Looking for things that you might not see if you aren't looking for everything.

  • edited May 2020

    got the second user r***, and know that he is in d******n g****p.
    I also made the payload with the poison, shared it via s*** to the host, done the "dn****d .." command part and after that the restart, but got no reverse shell. also tried x86 and x64 architecture and different encoding types with poison.
    help would be very appreciated!

  • edited May 2020

    @grab0id said:

    @DeeKay911 said:

    login with 1st user, now stuck with 2nd user r*** any tips??

    You want to start looking around. Looking for things that you might not see if you aren't looking for everything.

    Thanks @grab0id, found the way for r***

  • @Cooper24 said:

    got the second user r***, and know that he is in d******n g****p.
    I also made the payload with the poison, shared it via s*** to the host, done the "dn****d .." command part and after that the restart, but got no reverse shell. also tried x86 and x64 architecture and different encoding types with poison.
    help would be very appreciated!

    I am facing the same issue, have you got any solution?

  • just got the Admin. first AD box, lots of learning....

  • edited May 2020

    Wow! This box was hard for me, I am not great on Windows, but I learned a lot through this!

    user 1: You need to take your outside enumeration tools to the next generation!
    user 2: When enumerating, make sure you're listing ALL files
    root: Pay attention to the output of whoami /all and then do some research. On this step I had no problem with AV even without adding anything fancy to my output.

  • Protip:

    Your exploit will not be loaded from s*b until you restart the service. That caused me an hour of headache :)


  • @steby33 said:

    Hello, I obtained user access but I have a problem with root access:
    the victim (resolute) doesn't come to me to pick up the payload on my SMB server, could you help me? (no connection to my SMB server, but it listens fine):

    impacket-smbserver -debug share /tmp
    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed

    and I execute the dnscmd command on the server with the good options normally...

    Any luck? I am stuck here as well. :/

  • @MrSHolmes said:

    @steby33 said:

    Hello, I obtained user access but I have a problem with root access:
    the victim (resolute) doesn't come to me to pick up the payload on my SMB server, could you help me? (no connection to my SMB server, but it listens fine):

    impacket-smbserver -debug share /tmp
    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed

    and I execute the dnscmd command on the server with the good options normally...

    Any luck? I am stuck here as well. :/

    I had the same issue, add the parameter "-smb2support" when you create the share, e.g.:
    smbserver.py -smb2support -debug SHARE /path/to/share/

  • Loved this box, Resolute!
    Definitely loved it, also because it was my first box on HTB!
    It took a lot of time! :smiley:

    I learned so much on Win Env, I was not used to it anymore, rooted first the "unintended way", then the intended one using a writeup ;-)

    It's so sad knowing it will be retired during this coming weekend...

    Bye, Resolute! So long, and thanks for all the fish... (quote)

  • edited September 2020

    Can anyone PM me why I get this error, or how to fix it?

    I get this when trying to connect

    Evil-WinRM shell v2.3

    Info: Establishing connection to remote endpoint

    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated

    /usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

    Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired

    Error: Exiting with code 1
