Multimaster

Comments

  • @init5 said:

    @clubby789 said:
    @init5 said:

    I am bashing my head in the wall since last night even after bypassing WAF, nothing is crack-able from what I managed to dump. 😣

    It's crackable, just not the first thing you see

    I got 17 in total with only 4 being unique, tried rockyou.txt against everything but nothing worked.
    I am guessing I'm moving in the wrong direction.

    You're not moving in the wrong direction. Try harder :)


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • cracked hashes.. aaaand they aren't leading anywhere😐
  • @init5 said:

    cracked hashes.. aaaand they aren't leading anywhere😐

    I'm at the same point lol

  • @idomino said:

    @init5 said:

    cracked hashes.. aaaand they aren't leading anywhere😐

    I'm at the same point lol

    Try harder ;)

    clubby789

    • GCIH | GCIA
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • So if you have the passwords maybe you miss the other part...

  • edited March 2020

    I'm trying to ask this as cryptic as I can, please mark it spoiler if too much. So I managed to use a user/pass pair in a service where I was surprised I can only access ****** and can't access D**********, found new information in ****** that I'm not sure yet how useful it is. Is that the way?

    Edit: sorry was an idiot, got the user flag :)

    Edit2: aaaaand it was decided that the 'patch' will reset all progress... not cool.

  • Spoiler Removed

    clubby789

  • Ok. I guess I miss something..
    I have no problem getting a list of users (with 2 methods: k*****te and web front end) and I don't see any WAF blocking me. By the way, actually I can't enumerate the web front end (the WAF thing must be here :)) and.. I'm lost.
    Can't get any hash from the users I found (even changing domain etc..) so can't get any real entry point. (nor dictionary, nor dog, nor evil etc..)
    So my only question is: should I work harder to scan the web front end or should I work harder with tools like im*****t or is there another way I totally missed :) ?

  • Is rockyou supposed to be used for the hash? Tried that with about 10 other dicts and nothing so far

  • edited March 2020

    @idomino said:

    I'm trying to ask this as cryptic as I can, please mark it spoiler if too much. So I managed to use a user/pass pair in a service where I was surprised I can only access ****** and can't access D**********, found new information in ****** that I'm not sure yet how useful it is. Is that the way?

    Edit: sorry was an idiot, got the user flag :)

    Edit2: aaaaand it was decided that the 'patch' will reset all progress... not cool.

    I didn't find the user reset to be that bad actually... It was almost the exact same thing, you just couldn't abuse the original tool and wordlist.

    Edit: Rooted. Pretty tough box, especially after those user runs. Happily learned quite a bit from this one.

    Foothold: Refer to @clubby789 as his comment is spot on here. The bypass isn't as difficult as you think. Once you know how to bypass the WAF, enumerate away!

    User: Your username wordlist may be a bit too short right now... Try harder :smile:

    Root: AD is a monster. Send the hounds. Common enumeration/privesc techniques should be enough to get you through this one.


    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • I might be a little bit out of my league here, but found the users along with the homage users, currently trying to exhaust all possibilities for where the hashes are, so far feeling pretty good, not feeling beat down by the box yet... I'll check in tomorrow to see if I have more gray hairs

  • edited March 2020

    Trying to get the needed username. I think I know what to do, but because of the WAF I cannot reuse any code, but instead need to write my own.

    This part is really frustrating... If anyone has gotten the needed user to login the intended way, could you PM me, so I can check if my script is correct?

    Nice learning experience so far though. :)

    Edit: Finally got user!
    This was really tough. I liked the part to get user though. Really made me look deep into a lot of things I never really even thought about.

    Thanks to @MinatoTW and @egre55 for the painful, but awesome experience so far.

    Root must wait till tomorrow... This was really exhausting.

    Edit 2: Got root!
    Really interesting walk through AD.
    However, the box has a bit of a design-flaw so that it can easily spoil other users....

  • Ok got the user the intended way now as well :) I'm worried what root will be like, because so far this wasn't really Insane. Medium/Hard at best depending on your comfort level with certain things.

  • Are the 403s expected? really annoying

  • @gu4r15m0 said:
    Are the 403s expected? really annoying

    Yes, it's part of the game ;)


    GREM | OSCE | GASF | eJPT

  • Finally got root, really nice machine!

    Anyone that owned the machine willing to discuss different approaches to own the entire domain? Please PM me.

  • Hi, found 17 but not sure if need to find anything else from there, took 17 and push to packet but nothing, any advice?
  • edited March 2020

    Rooted.

    One of the best machines I've ever done so far. Thanks to @MinatoTW & @egre55, I learned a bunch of new things.

    User hint: Take a look at the principal running services we always use to perform certain kinds of attacks and try a way to breach.

    Root hint: Lateral and enum, lateral and enum, lateral and..


  • Rooted! This was a tough box, but a great learning experience for abusing Windows/Active Directory. Finding the right username for the user part was where I got stuck, but thanks to @idomino for the nudge in the right direction. I learned a new technique. :smiley:

    After that, as has been mentioned, it's just lots of enum and lateral movement. I liked that each lateral movement could serve as a "checkpoint" you could return to pretty easily (in case of resets, fatigue).

    I learned a lot and got to put into practice a lot of techniques I've mostly read about. Thanks for the great box @MinatoTW and @egre55.

    OSCP, SSCP
    seekorswim

  • edited March 2020

    @init5 said:

    cracked hashes.. aaaand they aren't leading anywhere😐

    Can you hint how you cracked them? I tried everything with the unique ones.

    Edit: got user
    Edit: Finally got root, many thanks to my friend @rootSySdk for his nudges and patience.
    Learned a lot of things, thanks to @MinatoTW and @egre55 for this great box.

  • Anyone wanna throw a nudge towards bypassing that WAF? I feel like I've tried to tamper with everything.

  • Rooted! Khm at least got the root flag :) Will come back at some point to get a full shell. Insanely fun machine, more of a marathon than a sprint. Thank you @seekorswim and Shusaku for those 2 nudges in the right direction. Great box @MinatoTW and @egre55!

  • edited March 2020
    @farbs said:
    > Validated users and dumped a hash. Onward! :)
    >
    > Edit: Passwords obtained!

    Any hint about how to find the hash? Impacket or Web? Or any reading material?

    Thanks!
  • Spoiler Removed

  • Spoiler Removed

  • Spoiler Removed

  • finally rooted!!! All the initial foothold is in this forum.. Thanks for the root nudges @PwnAddict

  • @dinkar said:
    > finally rooted!!! All the initial foothold is in this forum.. Thanks for the root nudges @PwnAddict

    Welcome bro!
  • From https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers:

    The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.

    limbernie
    Write-ups | Discord - limbernie#0386

  • Finally got root, a very long but very interesting way to root.
    I learned a bunch.
    Thanks for this box!
    PM me for hints.
