Active any hints

Fun box, I wonder how many people rooted it prior to the patch applied… Got to use some more new tools and learned a little more about active…

And this box is meant to be easy… :astonished:

@nullsession0x said:
Spoiler Removed - Arrexel

right place, look harder :slight_smile:

I’ve found creds and decrypted password, what tool would I need to use to get a shell on the box? I’ve tried smbclient and pth-winexe to no avail

@nullsession0x said:
I’ve found creds and decrypted password, what tool would I need to use to get a shell on the box? I’ve tried smbclient and pth-winexe to no avail

Maybe you don’t need a shell. Look at the info you have and google it a bit.
This box was patched for ms14-068 meaning that the intended path may not need an ‘exploit’ persay. Its a legit pentesting method, Just think about the principal of the matter. :wink:

Finally got root thanks to JunGLeJuiCe’s tip. If anyone needs hints PM me. It was a fun box indeed learned alot. Windows machines are always tricky and fascinating.

I get what I need to look at for getting root thanks to the hinted here, but I’m struggling to find decent reading material to learn how to perform the steps. Could someone PM me some articles or something to help me better understand?

I spent hours and my brain is washed. I was just trying my first box. Is it related to SMB? Thanks.

Got root… would say that very good hints are already provided here for both user and priv esc .

@Moliata said:
I spent hours and my brain is washed. I was just trying my first box. Is it related to SMB? Thanks.

This is not a good first box unless you already know AD, and have experience in mixed AD-Linux environments.

Got root) if someone needs a hint pm me

Got root, very interesting machine, as people has said is very real and the fact that is on Windows makes it better, thanks to @n01n02H for all the help. Pm if you need any hint!

I confirm @Blastware comment, got Domain Admin by this way during a pentest on my office.

I don’t understand why my enum is not working. I talked to another person and their s**client was working fine but I keep getting connection reset all the time…

Try using GitHub - m8sec/nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. instead of enum4linux :slight_smile:

In reply to @mercwri:
Which box do you recommend to start with?

Any one able to give me any hints on getting root flag.

Also I don’t know why people remove my comments as spoilers! It’s about helping people

can’t manage how to use john to do the job

@Moliata said:
In reply to @mercwri:
Which box do you recommend to start with?

Perhaps for a start you should have a glance at Jerry’s. It’s also recommended to work with the retired machines as good write-up’s and videos are out directly on the machines’s profile site or may ask aunt Google. You can learn a lot from these.