Resolute

Comments

  • The service is not stopping and starting correctly.

    Also, at least on the free server, the box is being very unstable for me.
    Is anyone else facing similar issues, or is it just me?

  • edited December 2019

    Unlike other Windows machines, here I can't stop a***m*****e interfering with uploads. Any hint?

    BadRain

  • I got the creds that were just "there", but they don't seem to work. Are they a decoy, or did someone change the password?

  • I don't know... maybe there are too many operations pending on the service, but the fact remains that using the right architecture, the right injection... something goes wrong :(

    BadRain

  • @BadRain said:
    I don't know... maybe there are too many operations pending on the service, but the fact remains that using the right architecture, the right injection... something goes wrong :(

    Same for me... add to this that every now and then the key is superseded by someone else who's trying to root and everything evaporates...

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • I can't get a user shell now with exactly the same creds and setup I used earlier. I'm on eu vip 2. Feels like someone changed the password.

  • I think the box is broken. I did the same last command:
    d**** to have my shell as system like other users, but it's not working; I caught an error
    ******ERROR_ACCESS_DENIED 5 0x5

    It's very upsetting, because the box is broken now

  • I'm seeing weird stuff too... my DLL did work at some point because I managed to run it within rundll32 as a check. It didn't run within the targeted thing though... and now it doesn't work even in my test...

    lebutter
    eCPPT | OSCP

  • this is my first box ever and I'm loving it so far :)

    almost done with root.. having issues creating the DLL.. not sure which arch/payload to use.. any hints would be appreciated :)

  • Can someone help me with the DLL? I've literally tried easily 20 versions, both archs to be sure, custom, MSF with various payloads, including cmd; none work, some partially work in rundll32.exe, but never within that friggin service....

    lebutter
    eCPPT | OSCP

  • Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

  • edited December 2019

    @mike008 said:

    Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

    Yes, I've been able to stop/start the D** service with user R***.

  • @testmeister said:

    I think I found the exploit for root.
    But for executing this I need to compile some code with VS as far as I see. Since I don't have a Windows machine, is there a way to do this on Linux?

    m*****om is a tool you should probably try

  • edited December 2019

    EDIT problem solved, was me being stupid.

  • Need a small nudge finding second user...
    Been scouring C:\ for some time now but still no luck.

  • If you need some nudges, DM me for a quick response.

    Hack The Box

  • After enum, found these credentials: m****:W*******
    How can I use these to get user????
    SMB refuses connection with these
    Am brand new here

  • edited December 2019

    Done!

    user: pretty easy after a small enum with basics and some tries...
    evil-winrm is really your friend
    root: ..oh sh*t, hard or not? If you know "who are you?" and know the tools on the system to live with your "power", then it's easier to build and use your own stuff. If not, then ask for a nudge and learn as I did. Thanks @bertalting, @doctoreleven, @tekkenpc :D

    thanks for this great machine :)

    DM me if you need nudge too

  • @marcandrer said:

    @mike008 said:

    Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

    Yes, I've been able to stop/start the D** service with user R***.

    Is it so? I was under the impression that the service was restarted at given intervals.

    m4rc1n

  • The AV is very irritating. I tried many B****s techniques, with no luck

    BadRain

  • edited December 2019

    Cannot get the dll to work. I can see that Windows is reaching for it but nothing happens next. I used a binary from venom. Is there a simple way to get the correct dll without crafting it? Help please!

    upd. Got root. The issue was not the dll but the impacket. Somehow got it to work

  • @rheaalleen said:

    Rooted

    User: You have one password, try to get it working. Something evil happens when SysAdmins are lazy. Then go to the roots and force your way in

    Root: You will find what you will abuse. After that I'll say the following: The file you will use can be remote or on the machine. For the second way it doesn't matter where it is but you have to make it by yourself or the AV will nuke it, poison doesn't work.
    If you go by the remote path, trust in impacket and its servers before you use a native tool. As a bonus you will see with impacket if it really gets contacted and you will know that the file is on its way to the machine

    Any further explanation for the root part?

  • edited December 2019

    Finally got Root!
    But damn that Anti-Virus is a pain.
    Thanks to @rholas @mimorikay

    Hack The Box

  • Managed to get in with the user creds but as a Linux guy (the reason I have been trying to focus on Windows boxes) I am having a lot of trouble moving over to R***. I see he is in the C********** group and I assume that gives me more privs. So any PMs welcome for any good tools or scripts that might help me enum and figure out the next steps. Or even a nudge in the right direction. All the scripts I have tried seem to get permission denied everywhere...

  • edited December 2019

    How did you guys bypass the Defender? I'm on the r... account to elevate the access but for some reason couldn't find a way to even execute sharphound as it gets deleted automatically by the Defender (AMSI).

    Any help would be greatly appreciated, thanks.

    PS: Finally got the root, I was focusing too much on bypassing the Defender where it wasn't even needed. Hope this hint helps others.

  • I need a nudge to get going. I think I found the first password (I have an incredibly hard time believing anyone would actually put a password there) but I have no idea how to use it. I've tried using evi*-w**** but it requires a username that I have no idea how to find. Anyone want to message me and help me out?

  • edited December 2019

    @m4rc1n said:

    @marcandrer said:

    @mike008 said:

    Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

    Yes, I've been able to stop/start the D** service with user R***.

    Is it so? I was under the impression that the service was restarted at given intervals.

    Thx @sassuwunnu, for the correct commands. It was restarted. Now to figure out why it is not pulling the dll from my s*b server using i******t.

    Also thx @FatPotato.

    Rooted. Had to try harder I guess.

  • edited December 2019

    Need some help!
    Started doing this box, nmap'd every port but haven't found anything useful.
    Tried various impacket scripts and still nothing.

    Am I missing something?
    A hint would be appreciated!

    UPD: got many users, but no passwords were found.

  • Can someone give me a nudge, I got the user flag, but now I'm stuck and I can't find anything useful on the file system.

  • Did anyone else get errors using E***-W****? Using M**** and his PWD.
