• @dodo said:
    I managed to privesc from tom to ****** using the *****view to enable some commands and modify a property for the ****** user as tom.

    But now I'm stuck...again :disappointed: :D

    I'm stuck at this same point. Anyone I can DM about it?

  • Never mind, I got it. Feel free to DM me.

  • Hi,

    I need a bit of help with this machine. I discovered the service which possibly could be running on the machine and I also know how to connect to it. But I am unable to figure out how to exploit this particular service.

    I googled a lot and found everywhere that it requires credentials to login to the machine. I checked the configuration file as well but it also does not contain that much of info to land somewhere.

    I have done a lot of Linux machines previously but not Windows so far. This is just the second Windows machine I am doing. So, don't know much about PowerShell commands and other Windows exploitation techniques. Any help will be appreciated.

  • edited August 2018

    Has anyone managed the first step without the m-tool? I've got user reliably but I'd like to be able to do it manually. It seems straightforward enough and I'm pretty close, just failing on the very last bit.


    my badge doesn't work, click on my profile if you want rank and stuff


  • So, I'm t** now, when I import 'The file' it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM

  • @Wubalubadubdub said:
    So, I'm t** now, when I import 'The file' it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM

    Happened to me too. Be sure the file is transferred correctly (I happened to miss a few bytes). Compute and compare checksums.

  • I'm stuck at priv esc, if anyone can DM me, please do. Thanks


  • I guess I'm the only idiot here because I can't get initial foothold at all.. I see smtp, I see the files, I have an idea of what to do but it doesn't seem to be working so I guess it's the wrong way?

  • @christo There is an exploit ... it's hinted at in this discussion - to be exploited using a stand-alone script or an exploitation framework or a combination of those.

    If you have problems sending the payload ... use the 'normal client' a user would use. (Saying this as I did not get it to work typing SMTP commands ... ).

    What I found was that sometimes the payload indeed did not 'explode' though I always followed the same process... and sometimes the shell was very stable and came back to me for days. It helped to start over with the same method but using a different file name.

  • edited August 2018

    @chickenbit said:
    So I've hit a bit of a wall on this one. I've managed to make it a ways in until I had control over the b***********s object, but it doesn't seem that one actually controls anything/has any real permissions. At least not that I can see. Is that object useful, or did I go down the wrong path?

    I was stuck at exactly this point for an embarrassingly long time though or because I found the escalation path through the objects rather straight-forward ... and I did not even use 'exploit tools' for 'doing the escalation', but only built-in Microsoft command line tools. (The report provided is of course useful, and I ran the recon tools again not to miss something ... but I nearly looked at every interesting object 'manually' anyway. )

    But then I simply failed to see what I am able to do with the 'privileges' I got ... due to some small error / oversight ... and went down some hilarious rabbit holes related to even more super obscure objects in that 'directory'. So I guess my hint is rather: Don't overthink it - at every step of escalation, check what you can do in a rather down-to-earth way.

  • I think I know what service to exploit but I can't get to the service... can't someone help out?

  • Got root, lovely box.


  • Rooted! What a fantastic box!


    If you ask for help, plz include what you tried. Else no reply.

  • @izzie said:
    If someone could DM for confirmation of delivery method and payload for initial access I'd be very much obliged. Thanks.



  • Phew! They said it could not be done but the old doggo got schooled some new tricks.

    Shout outs to helpers and thanks so much to @egre55 for a peerless learning experience. Must be one of the toughest but no BS boxen on HTB. Packed with tradecrafts. Awesome.

    I would say PM for hints but I'm not quite sure I understand it all yet. (nvm always free for PMS)


  • As I see some questions about how exactly to get the 'dog' running and how to use various PS attack scripts: You can own this box without any 'exploitation tools', just using 'boring sysadmin stuff'.

    It's a good learning exercise to re-create That Report We Are Given (to check it is legit and current) but you do not necessarily need the nice interface the dog tool provides you with to interpret the report.

    It might depend of course on which tools you are familiar with, but there are also nice Windows command line tools from the era before PowerShell - with very concise syntax for enumerating Things In That Directory.

  • edited August 2018

    edit: onwards to root now.

  • Yay, finally got root on this one as well! It was a very good one, thanks to the creator.

    And I'd like to share the hint that made it for me when I was stuck for so long: login-logout might help you

  • epiepi
    edited August 2018
    +1 for @rireoubli's comment. After doing things, I tried to access a particular folder but got access denied. Logged out, logged back in, and then was able to access what I couldn't before.
  • Getting to root on this box is surprisingly difficult

  • I have user access and an xml file which I can import but it does not seem to help. Ran the dog tool but got no answers. I tried to look at tom after import but got access denied. Any help with priv esc appreciated. Open to DM

  • I'm pretty sure I know what needs to be done to get a user shell but I need a nudge. Can someone DM me?

  • No idea why I can't get a reverse shell on this. I am using the service to send a specific file format that I generated with a msf module but I can never get a reverse shell....

  • @meni0n Try using a different method to generate the payload.

  • Found that blood tool but have no idea what to do with it.


  • > @tigr8787 said:
    > @meni0n Try using a different method to generate the payload.

    Hmm I can't really find any other tools to generate a .r**. I tried two different msf modules and a script off github but no shell 😞
  • In my humble opinion: amazing box! Must congratulate the author and say a big thank you to TazWake!!

  • really this box is fun ... the initial step is simply magnificent!
    the priv esc for root was totally brainfuck for me ... but ... ROOTED!

