Hi guys, so the last 2 days all I have done is read about WAFs and how they work.
I can see 17 users to start with. I have also run a bypass using a ww tool but I am not getting anywhere. @MariaB I would appreciate it if you could share the article with me, as learning is more important to me than actually getting any flags.
Any hints or articles will be taken with open arms.
+1 to above. I would like to know this too.
Comments
@idevilkz said:
Same exact point. Have 17 employees, but can't get further. Tried to fuzz with Intruder but it's too slow to finish. Focused on 403s and 401s but can't get any entrance point nor the hashes. I am definitely stuck.
Any learning material would be appreciated.
@tuzz3232 @idevilkz I messaged both of you. And it is not that you can't message me directly? : )
Finally got user!
It was insane. Thanks a lot @MariaB for sharing that useful article. It helped me bypass the WAF and get the desired hashes. Cracking the hashes must be quick; you don't need to complicate things.
AD enumeration was not easy. I had to write my own RIDiculous script to enumerate all the AD users.
Now on to root...
Rooted this bad boy a couple of days ago. Best Windows box I have done on this platform! Kudos to the makers. Several new techniques picked up on the user journey. User 1 to 2 was the trickiest for me, as the exploitable thing kept dying, so I needed to keep refreshing / updating my script. Thanks to @Frundrod and @syn4ps for the reference articles.
@MariaB said:
@MariaB I was scared, you sounded like a lady not to be messed with. Thanks for sending this over.
Hey dear community, this machine may be a bit over my skill level, however I try to learn something new. Can someone give me some material about how to bypass the WAF? I'm currently trying it with a common OWASP vuln but always get a 403 Forbidden.
@sh0wa said:
Research different ways to encode characters as a way to bypass WAFs.
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.
Hi, can someone be kind enough to give me a little nudge towards user? I am close but struggling with the r, s, id conversion from the shell, I believe.
It's okay, the joy of getting to this point can't be explained.
Thank you @MariaB for your articles, as they helped me understand a lot.
Spoiler Removed
Not sure why my post was a spoiler and it was removed; there was only one mention of the first tool that someone would use in these cases. It would be great to have a message from the person that reported it as a spoiler describing what was wrong with it.
In any case if someone needs a hint ...
Rooted this box, thanks for all the hints in DM and forum.
HINTS:
initial-foothold: try to escape.
users: 2) unusual proc, 3) enum and search, 4) AD enum.
root: standard escalation but I had to brute force some.
Why am I only getting some Chinese chars, or null? But not giving up. Try harder till death.
What the f*** I've done I don't know, but I got the needed user directly from s**-s****. I swear I tried it a million times, but why this time?
Finally rooted this box. Learnt a lot, thanks to the posts here and hints from @tupi, @dinosn and @MariaB !
Please +1 respect on my profile if I helped you.
Guys,
I am stuck at User2->User3 process. I found some creds but was not able to find where those are applicable. Can anyone give me a double check if I am (or not) in a blind spot?
Edit: NVM, just solved that. Lesson learnt: try all you can, after enumeration.
Edit: Rooted but without using DOG. Can anyone clarify where it was supposed to be used and how?
After 2 painful weeks
finally managed to root this awesome box. The hints in the post are more than enough to get root.
Hello, can someone give me a nudge? I have found user and hash. I have tried to crack the hash by searching on hashes.org but I am unable to find it; I have tried every site I know but am not able to get any password. The thing is my hashcat is not cracking passwords due to no GPU in my laptop, and when I used --force it still aborts my cracking. Now how am I supposed to crack hashes? Any help...
If I helped you and tried to explain things to you, just give me a respect. Click on the img to get my profile link!
Profile : https://www.hackthebox.eu/home/users/profile/17564
Thanks @MinatoTW & @egre55 for the insane box; after a few days I managed to root it.
Lots of enumeration for this one; the WAF bypass drove me crazy.
C:\Windows\system32>whoami
whoami
nt authority\system
Feel free to PM me if you need help.
'These violent delights have violent ends'
EDIT:
Got root.txt without the admin user (unintended way: someone changed some security attribute and didn't restore it)
Got root shell (intended way: use all users)
Nice box! It's my first insane Windows box)
Finally! Got User!
I'm depleted, I never enumerated sooo so so sooo much... tried users and passwords against everything with so many failures. That WAF initially drove me crazy...
However, definitely worth the hassle because I learned tons of new things.
But need some vacation now... :-)
Thanks to everyone who nudged me in the right direction!
So, it's taken me almost 4 weeks of on and off with this machine.
I have spent time learning S*** and A*****D** stuff on the OSCP labs
I have banged my head off the walls and the desk and god knows what else.....
But I finally own this beast
I have to say, some parts have been simple, others not so much and some have been a brain F**k.
I learnt a lot from this machine, thanks @egre55 and @MinatoTW
Rooted this monster....
It's a great box, thank you @MariaB for your articles; after that it was fun....
Just like real world scenarios,
thanks @egre55 and @MinatoTW keep doing this amazing job with AD machines.
Keep Hacking and Keep Safe.
Even if I get the needed username (from the tool used for the bypass) to log in after the cracking part, I am still obsessed with getting the must-have info for the python part. Can someone reach me who found that RD part manually, not by the script? Because I am starting to think that no one found that RD manually and converted it into a useful shape.
Edit: @sc0rp9x DMed me and helped me get that process, but the only difference between his encoding and mine was the capital letters in the encoded string. Thanks to @apostatic, @MariaB for their patience.
I spent nearly 2 days trying to convert the RID manually, but the RID I was getting wasn't all Unicode; it had some Wingdings font in it.
I have never seen a machine like this in windows. This machine is ART.

Thank you @MinatoTW and @egre55 and congratulations for creating a monster like this.
Hi,
I got all the usernames from the injection... but it looks like none of the credentials I recovered could do evil..... I need help... xD
OK, feel like an idiot reading back over the posts. So, without spoilers, I have 17 aka 4 hashes. Thought I knew the format as hash-id said so, but trying to crack passwords nothing matches. Tried online, wrote a python script comparing with hash(ry) etc., nothing matches the hashes found. Need a little nudge please. Is the hash type one of the ones hash-id said... and hopefully not the HMAC one....

DM/PM whatevs.
OK, got the hash type (with help). Now back to working out how I should have known it.
Great box, really great box.
Got user last night. Working on going from first on-box user to another, but have exhausted all my normal options. Anyone available for a PM to talk things through?
Update: Rooted! I sincerely enjoyed this box. It was a crazy challenge, learned many things, and completed my first insane box!
@applepyguy said:
For me, everything on this box was hard but it is a mix of lots of enumeration and some lateral thinking.
If you are in the user account which gets the flag, enumerate all aspects of the account. If you find something which groups the account with other users, look at them because there is a good chance you'll need to get into almost every one of their accounts.
Look to see if you can find any interesting running processes that might be vulnerable to a public exploit. From there more enumeration and more enumeration (a popular puppy might help with last bit).
Note: https://www.nohello.com/
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.