Reel

So, i’ m t** now, when I import ‘The file’ it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM

@Wubalubadubdub said:
So, i’ m t** now, when I import ‘The file’ it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM
Happened to me too. Be sure the file is transferred correctly (I happened to miss a few bytes). Compute and compare checksums.

I’m stuck at priv esc, if anyone can DM me, please do. Thanks

I guess i’m the only idiot here because i can’t get initial foothold at all… I see smtp, i see the files, i have an idea of what to do but it doesn’t seem to be working so i guess it’s the wrong way?

@christo There is a an exploit … it’s hinted at in this discussion - to be exploited using a stand-alone script or an exploitation framework or a combination of those.

If you have problems to send to payload … use the ‘normal client’ a user would use. (Saying this as I did not get it to work typing SMTP commands … ).

What I found was that sometimes the payload indeed did not ‘explode’ though I always followed the same process… and sometimes the shell was very stable and came back to me for days. It helped to start over with the same method but using a different file name.

@chickenbit said:
So I’ve hit a bit of a wall on this one. I’ve managed to make it a ways in until I had control over the b***********s object, but it doesn’t seem that one actually controls anything/has any real permissions. At least not that I can see. Is that object useful, or did I go down the wrong path?

I was stuck at exactly this point for an embarrassingly long time though or because I found the escalation path through the objects rather straight-forward … and I did not even use ‘exploit tools’ for ‘doing the escalation’, but only built-in Microsoft command line tools. (The report provided is of course useful, and I ran the recon tools again not to miss something … but I nearly looked at every interesting object ‘manually’ anyway. )

But then I simply failed to see what I am able to do with the ‘privileges’ I got … due to some small error / oversight … and went down some hilarious rabbit holes related to even more super obscure objects in that ‘directory’. So I guess my hint is rather: Don’t overthink it - at every step of escalation, check what you can do in a rather down-to-earth way.

i think I know what service to exploit but I can’t get to the service… can’t someone help out?

Got root, lovely box.

Rooted! What a fantastic box!

@izzie said:

ITS FINE EVERYBODY YOU CAN ALL RELAX NOW AS YOU WERE @Relwarc17 FIXED IT PANIC OVER

Rooted

Phew! They said it could not be done but the old doggo got schooled some new tricks.

Shout outs to helpers and thanks so much to @egre55 for a peerless learning experience. Must be one of the toughest but no BS boxen on HTB. packed with tradecrafts. Awesome.

I would say PM for hints but I’m not quite sure I understand it all yet. (nvm always free for PMS)

As I see some questions about how exactly to get the ‘dog’ running and how to use various PS attack scripts: You can own this box without any ‘exploitation tools’, just using ‘boring sysadmin stuff’.

It’s a good learning exercise to re-create That Report We Are Given (to check it is legit and current) but you do not necessarily need the nice interface the dog tool provides you with to interpret the report.

It might depend of course on with which tools you are famiiliar with, but there are also nice Windows command line tools from the era before Powershell - with very concise syntax for enumerating Things In That Directory.

edit: onwards to root now.

Yay, finally got root on this one as well! It was a very good one, thanks to the creator.

And I’d like to share the hint that made it for me when I was stuck for so long: login-logout might help you

+1 for @rireoubli’s comment. After doing things, I tried to access a particular folder but got access denied. Logged out, logged back in, and then was able to access what I couldn’t before.

Getting to root on this box is surprisingly difficult

I have user access and and xml file which i can import but it does not seem to help. Ran the dog tool but got no answers. I tried to look at tom after import but got access denied. Any help with priv esc appreciated. Open to DM

I’m pretty sure I know what needs to be done to get a user shell but I need nudge. Can someone DM me?