Multimaster

12346

Comments

  • edited May 2020

    i can not get any thing in response when i use un*** operation i know there is injection for that i use U**C*** bypass it work for some statement but for un*** response is []

    i am missing someting ?? PM

    edit : working fine

  • edited May 2020

    Is there any trick to read the root flag?
    I'm getting an md5-like content from "root.txt" but HTB says that the flag is wrong. I don't see alternate streams or similar.
    Is this a problem with the flag submitting system?

  • @Hashut said:

    Is this a problem with the flag submitting system?

    I think Multimaster uses a dynamic flag - and it was one of the first to do so. The main advice here is to submit as soon as you root and if that doesn't work, reset the box, wait a bit and see if there is a new flag you can use.

    If you are having problems, it's definitely worth raising a Jira ticket https://hackthebox.atlassian.net/servicedesk/customer/portal/1

    I think the biggest issue is on boxes where you have to do several steps to get root - resetting and retrying may well become tedious. However, on this box it should be ok as you can log in & exploit fairly quickly.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    The main advice here is to submit as soon as you root and if that doesn't work, reset the box, wait a bit and see if there is a new flag you can use.

    Yes, that worked. Thanks a lot.

  • edited May 2020

    i am suck at user i got hash but i don't know users try all 17 but don't get anything
    need help
    edit : got a way to get the users with m*****-d***.py

    edit : m*****-d***.py need modification or run command menually

  • Hey. I got valid creds for user *********mo and the pass **nan**1. I verified it with winrm utility login in MSF. Yeah it is working. But when I try to login with those creds using evil-winrm.. "execution expired" .. this is the only message I'm getting. Did a lot of resets and updated my ruby, rubygems and evil-winrm also. But yet the result is same as dump. Can anyone please show me a way how to fix this?
    It took a week to enum the valid creds but this error really killing me.
    Please dm me if you have any solution.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Hey all got a valid user login via msfconsole, but when trying with evil-winrm get Timeout error? anyone else getting this?

  • Hey @COVID19 . I have the same issue and haven't found any fixes. If you have any solution, please share here.
    Thanks

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Maybe someone is skewing around with you ?

    image

  • Type your comment> @Warlord711 said:

    Maybe someone is skewing around with you ?

    Turns out it was my own VPN was blocking the connections

  • Finally, a box that makes me question my existence.

  • OMG! What an insane box!
    This is the first active Insane Rated box I ever owned.
    It just took 13 days to complete with a lot lot of help from Friends and forum.
    So proud that I did it.
    Learned a lot along every steps.
    Thanks for the creator.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • edited May 2020

    ***EDIT - Got it, thanks to a kind soul who helped me.

    I can make a query to look up anyone/thing using the D, but I can't quite figure out how to make a query to find where the user I need is within in the large range of possible R's. Is there a way to query all possible? If someone can DM me, I can explain better. I am trying not to give anything away here.

  • edited May 2020

    Finally got user in this insane machine, and thanks from info by @hasky and @syn4ps

    Edit: rooted, very difficult machine, used all the windows skills to try

    Arrexel

  • Did something change on this box and open up more than was intended?

    I harvested the 4 hashes and cracked 3 of them, and I have been trying to figure out login with no success. Today, while showing my non-tech GF that you can determine if a username exists or not in a domain, I reran an uncredentialed script from yesterday and got different output, specifically a newly crackable hash for a user that turns out to be a server admin.

    Did the box just need a reset, or was this not the intended path?

  • Woow... finally rooted. But I don't get the name of the box ¿?

    ompamo

  • edited May 2020

    Hello guys, I have a problem I'm trying to bypass W*F and I already know what I need to do, it was not hard to know actually, but its not working it gives errors on the execution, i tried to change the file correctly I thing but still doesn't work. Can someone PM me to help me?

    Edit: Got it, omg im so stupid I forgot about one - ;_;

  • Type your comment> @TU0K said:

    Did something change on this box and open up more than was intended?

    I harvested the 4 hashes and cracked 3 of them, and I have been trying to figure out login with no success. Today, while showing my non-tech GF that you can determine if a username exists or not in a domain, I reran an uncredentialed script from yesterday and got different output, specifically a newly crackable hash for a user that turns out to be a server admin.

    Did the box just need a reset, or was this not the intended path?

    I would be willing to wager someone enabled the option that made the uncredentialed script to work. That was the way I got it

  • edited June 2020

    :( found 17 users (only 14 may be active using GetN*** ), but nothing else
    tried with l*s****, nl****, rc*****, sm**, nc on all the port found the R** port but b***k*** exploit not work
    I read the forum but no clue

    Some one may help me? I think I need some more tool
    thanks

    Edit: Ok now I'm inside the DB, so take the hashes but no new users in the tables, now I enumerating everything, but is very hard, I tried on all the table that I know but nothing :D :D

    2° Edit: got the user and learn some more about SqlServer

  • could someone dm regarding escalation to user1->use2 tried to exploit c**e with c******g.exe but no execution.

  • hey guys i feel so stupied right now, i dont know if it's because i dont sleep for a day or what but I got c******g but there is no .exe and the documentation says it needs .exe,
    I got to manage the rest because I used someones .exe that was already on the machine but it got reset so i lost it ;_;

  • Hello guys, so I downloaded C*****g.exe and put it in the machine but it doesnt run it gives a error on line 1 when i exec, I know this is a way because i got it running once with other .exe that was already on the machine, buti cant with mine.

    I would appreciate some help because i need to do this until friday, its for university :cold_sweat:

  • So I think the machine is broken :D I try ne*** with the s****e and i tryed all that are off and it doesn´t work and i know its throw there, i tryed with the two ways that I know.
    Any Help??

  • Type your comment> @sparkla said:

    Requesting assistance. Got the 3 of 4 passwords (and an idea how I'm supposed to get password nr. 4) but I'm stuck now. Tried every trick up my sleeve, unsure how to continue from here. Happy for a little nudge.

    The last user to get/use is j****n, did you getit? After this -> WinP*** and s******s man******t.

    Fr0Ggi3sOnTour

  • Type your comment> @sparkla said:

    Type your comment> @choupit0 said:

    Type your comment> @sparkla said:

    Requesting assistance. Got the 3 of 4 passwords (and an idea how I'm supposed to get password nr. 4) but I'm stuck now. Tried every trick up my sleeve, unsure how to continue from here. Happy for a little nudge.

    The last user to get/use is j****n, did you getit? After this -> WinP*** and s******s man******t.

    It seems I did not yet find this user, also I was sure I found all of them.

    Another guy already helped me in PM, but thanks again! If I can't find it, I'll call again ;)

    ;) You must find this third "roas*" user...

    Fr0Ggi3sOnTour

  • edited June 2020

    Can someone please help with user? I was able to create a user list based on the web app but i am not sure how to bypass the WAF, please give me pointers

    I know what i need to do but i dont know how to do it, please give me some help

  • Rooted ! Need help ? Msg me on twitter @NeerajK85400479
    or Msg me on Discord icoNic#0097

    Arrexel

  • After more days Rooted!!!
    I'm very happy and thank to my friends that gave me some input ;)

    Very interesting box

  • can someone explain what is going on with that waf, it returns results in one req and null on that same req after couple tries of other payloads, i thought there should be no lockouts on the boxes ?

  • edited June 2020
    Rooted. That was intense. The foothold was a killer. user2->user3 was annoying, as I had the correct files right in front of me, but missed it for a couple of days due to not using the right commands to view them. That was a 'duh' moment when I finally figured it out.

    Thank you @MinatoTW and @egre55 for an amazing machine. This one felt very "realistic" in terms of the steps it took to get to root. All along the way I never felt like "oh, this is just contrived for the challenge".

    Edit: I forgot to add, thanks to @MariaB for the link on bypassing the WAF. Much appreciated, it was exactly what I needed.

    pugpug

Sign In to comment.