Resolute

1235730

Comments

  • edited December 2019

    Stuck on making m*r** cred work, any hint?

  • is the box down on the free servers ?

  • I am a bit confused with the difficulty of the servers. I am not good at all with Windows, this box and another one are the only one that seemed ranked on the easy side... well, i one of the easy box deals with JSON deserialization, so "easy" that it's not covered inmost of the entry-level courses or even the Webapp Hacker handbook, and this other one is this one, where none of the classical escalation channels (ie. misconfigured services/directory permissions) seem to apply either.

    lebutter
    eCPPT | OSCP

  • Type your comment> @imousrf said:

    is the box down on the free servers ?

    It's bleeding as hell on vip servers too

  • @lebutter said:
    I am a bit confused with the difficulty of the servers. I am not good at all with Windows, this box and another one are the only one that seemed ranked on the easy side... well, i one of the easy box deals with JSON deserialization, so "easy" that it's not covered inmost of the entry-level courses or even the Webapp Hacker handbook, and this other one is this one, where none of the classical escalation channels (ie. misconfigured services/directory permissions) seem to apply either.

    It's all about subjective assessments

  • Can someone give me a nudge for escalating from Ry** user to root i think i know what to do but what i have been doing is not working i can explain everything i have tried so far in a pm. Thanks

  • edited December 2019

    Easy machine

    -- User:
    - Basic enumeration + careful reading
    -- Root:
    - Creds
    - Groups
    - Exploit

  • edited December 2019

    I'm using off-the-shelf code to get root. It requires me to make a dns query, which i do using nslookup but nothing happens (the code is not executed upon the query). I have uploaded everything to the target.

    Any hints? I can elaborate further in PM.

    Edit: Got root. But i put the code in initialize() to get it. Would still like to know how to get it via query.

    For asking help, please describe what you have tried so far, so i don't spoil too much.
    If you believe i was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • w00t w00t! finally got root. thanks for a fun box @egre55!

  • Type your comment> @tang0 said:

    I'm using off-the-shelf code to get root. It requires me to make a dns query, which i do using nslookup but nothing happens (the code is not executed upon the query). I have uploaded everything to the target.

    Any hints? I can elaborate further in PM.

    Edit: Got root. But i put the code in initialize() to get it. Would still like to know how to get it via query.

    I think we used the same code. Thanx for the hint, was very useful.
    Nice machine, especially escalation to root very enjoyable. Well done author!!!

    m4rc1n

  • Chasing a nudge for root. 99% of the way!

  • edited December 2019
    Can`t create right DLL to work! Any article to read?
  • Type your comment> @sta1ker said:

    Can`t create right DLL to work! Any article to read?

    Most people forget the architecture of the box x86 or x64

    Hack The Box

  • edited December 2019

    Type your comment> @nav1n said:

    @sta1ker said:
    Can`t create right DLL to work! Any article to read?

    https://pentestlab.blog/2017/04/04/dll-injection/

    the AV blocks m***s****t payloads

    edit: got root

  • edited December 2019

    Got root. Another great windows box.

  • Type your comment> @sta1ker said:

    Type your comment> @nav1n said:

    @sta1ker said:
    Can`t create right DLL to work! Any article to read?

    https://pentestlab.blog/2017/04/04/dll-injection/

    the AV blocks m***s****t payloads

    Try to serve it to the box. Some packet will help you with this

    Hack The Box

  • @sta1ker said:
    Type your comment> @nav1n said:

    @sta1ker said:
    Can`t create right DLL to work! Any article to read?

    https://pentestlab.blog/2017/04/04/dll-injection/

    the AV blocks m***s****t payloads

    Block it, simple.

  • pheew....got root, didnt upload anything in the end...

    The Below Statement is True
    The Above Statement is False

  • I've connected with m****** with r*******t and with s**c****t on some shares, but no dice. This is my first Windows box, can someone give me a hint please?
    Thanks

  • @guihle at the same spot as you. Can't find anything in the shares. Wondering if I should be trying to get a shell using a different method.

  • edited December 2019

    @guihle
    @joe297

    Do nmap scan on high port manually. There is a service that is like ssh, but for windows.

    PM if you need more help

  • i need a nudge on user please ))

  • Rooted - main issue is there are two ways to launch i******* s** server one gets reverse shell the other doesn't - other than that online guide shows how to do exploit - though this is easier with straight forward running of payload - ignore mentions of mimikatz

  • edited December 2019

    Spoiler Removed

    Hack The Box

  • I think i found the exploit for root.
    But for executing this I need to compile some code with VS as far as I see. Since I dont have a Windows machine, is there a way to do this on linux?

  • Type your comment> @rheaalleen said:

    Rooted

    User: You have one password, try to get it working. Something evil happens when SysAdmins are lazy. Then go to the roots and force your way in

    Root: You will find what you will abuse. After that I´ll say following: The file you will use can be remotely or on the machine. For the second way it doesn't matter where it is but you have to make it by yourself or the AV will nuke it, poison doesn't work.
    If you go by the remote path trust in impacket and his servers before you use a native tool. As bonus you will see with impacket if it really gets contacted and you will know that the file is on his way to the machine

    Comments for Root are very helpful. Initially did not understand what it is. But once I observed thing, got to know what exactly this means. Thanks !

  • Nice box from bottom to top! Kudos to @egre55

  • edited December 2019

    Awesome Box.. Loved it

    whoami
    nt authority\system

    Hack The Box

  • edited December 2019

    Stuck with the r*** -> root via *** service. Made a special reverse shell d** for the service, but cannot stop it because of Type 2.
    That's a wrong way or I do not know smth obvious?

Sign In to comment.