Active any hints

can any of you tell me an idea on how to approach Active? i am in a learning process

Box has not been live for very long so just keep enumerating as much as you can.

If you need more of a push for user feel free to PM me.

Just as an update . Getting user is pretty straightforward. you just have to know where to look and how to look

root seems more tricky

Anybody can give me an idea on how to get root? i barely have any hints as to where to go to get access to administrator . do i have to check another port?

The Box, is a windows one compare the name out of it and focus what crucial ports you can use to get Data outside from it.

@Otichoo said:
Anybody can give me an idea on how to get root? i barely have any hints as to where to go to get access to administrator . do i have to check another port?

The name of the user pretty much gives out what you have to do for the privesc part.

Spoiler Removed - Arrexel

@Parttimesecguy said:
I’ve managed to grab a username and password from a certain XML file, but I’ve not been able to use it successfully, any nudges?

Do some research about the file / fields it has. Google is pretty straightforward at giving info for it.

@Enigma00 said:

@Parttimesecguy said:
I’ve managed to grab a username and password from a certain XML file, but I’ve not been able to use it successfully, any nudges?

Do some research about the file / fields it has. Google is pretty straightforward at giving info for it.

yeah, I was on the right track, with the right tool, using the wrong parameter. Todays lesson is try with all the things you know, one of them may work

hi i had found many services run on the box i focus on the S** service but i can M***t nothing must i have any creds for that

@raouf09 said:
hi i had found many services run on the box i focus on the S** service but i can M***t nothing must i have any creds for that

There may be one or two folders can go in anonymously and may be crucial in getting the user flag.

Hi Guys, I already got user.txt. But as of now struggling to get root.txt. Any kind soul willing to guide me if you know how, please DM me? or we can share notes and help each other. Thank you.

This was a fun box, and it is extremely relevant to real world pentesting. The attack to get system privs is well documented if you know what to look for.

edit:

Jesus so many PMs lol.Hint: Stop using MS 14-068. Its a waste of time and not needed. This attack is well documented. This type of Windows server is only running so many services that are attackable. Enumeration is the - to system privs. :wink:

I have been able to grab user flag by a certain mount but how do I use this to get a shell?

@wilsonnkwan said:
Hi Guys, I already got user.txt. But as of now struggling to get root.txt. Any kind soul willing to guide me if you know how, please DM me? or we can share notes and help each other. Thank you.

Frey gave a pretty good hint just a few post up as to privX

@mochan said:
I have been able to grab user flag by a certain mount but how do I use this to get a shell?

maybe you don’t have to?

@Rantrel, I know what is he talking about but I am not sure how to get a PS to do that attack.

I’m struggling with this one. I don’t know enough about s** etc. Been trying to m**** but not getting anywhere with that. Tried a few things from the PenTest cheat sheet and even bought a Red Team Field Manual book to further my knowledge but I think I’m missing something.

User is easy, but not trivial for someone who has no initial knowledge about the exposed services. Root however… probably relatively easy too, I’m convinced it has to do with k*****os but everything I’m finding regarding this service requires code execution on that machine. Derp.

i got user.txt but stuck on root.txt