Access

@rlfonseca said:

@TazWake said:
You got SMB to work?

You should read about certutil

Cool, I thought certutil was all about LDAP, Kerberos and HTTPS. I haven’t seen it used to mount SMB shares. I’ve never tried to use it with impacket.

@TazWake said:

@rlfonseca said:

@TazWake said:
You got SMB to work?

You should read about certutil

Cool, I thought certutil was all about LDAP, Kerberos and HTTPS. I haven’t seen it used to mount SMB shares. I’ve never tried to use it with impacket.

I’d love to know how certutil is used to mount smb shares :open_mouth:

Τime to leave my review i think, the box was overly good and awesome in the easy-going levels. The user process was done smoothly under some 10 - 15 mins or so. The root part was done with 2 seperate ways which one does not give you fully privileged access over the root.txt but a limited SYSTEM Shell, so i followed up the intended one tho. Now the part that iam pointing some hints. For the user part enumerate properly what you can do with the ports, make sure when you downloaded both of the files, the integrity of a specific file must not be corrupted in order to read it.Now for the root part, well after you get a shell or a payload make sure to view every user’s folder and Desktop, the root process is not trivial and it’s very common on the most CTF windows boxes.

Wut bruh? runas

@blobbo said:
@TazWake said:

       @rlfonseca said:

             @TazWake said:
    You got SMB to work?

 



      
   You should read about certutil





  Cool, I thought certutil was all about LDAP, Kerberos and HTTPS. I haven't seen it used to mount SMB shares. I've never tried to use it with impacket.

I’d love to know how certutil is used to mount smb shares :open_mouth:

I thought he was just trying to uploas stuff to the machine.

@rlfonseca said:

@blobbo said:
@TazWake said:

       @rlfonseca said:

             @TazWake said:
    You got SMB to work?

 



      
   You should read about certutil





  Cool, I thought certutil was all about LDAP, Kerberos and HTTPS. I haven't seen it used to mount SMB shares. I've never tried to use it with impacket.

I’d love to know how certutil is used to mount smb shares :open_mouth:

I thought he was just trying to uploas stuff to the machine.

That’s what I thought but I didn’t know certutil mounts SMB shares :open_mouth:

Can anyone give a direction for priv esc? Got user, not too sure how certutils i supposed to help me with priv esc

So before people get completely confused - certutil and trying to mount smb shares are not needed.

Now hopefully this isn’t seen as some sort of a spoiler but in general certutil can be used to download a file over http (without the s) and save it locally somewhere. It’s like a wget.

ignore this

Rooted with tons of help from my bros.

A few pointers…

  1. I didn’t bother to find the equivalent in linux. I ported the things i got from the initial foothold to windows to read.
    Read and you will get a key to come in.
  2. Privesc however need to know what is the sudo equivalent in windows and find the sudo -l equivalent as well.

Goodluck guys!!!

@wilsonnkwan said:
Rooted with tons of help from my bros.

A few pointers…

  1. I didn’t bother to find the equivalent in linux. I ported the things i got from the initial foothold to windows to read.
    Read and you will get a key to come in.
  2. Privesc however need to know what is the sudo equivalent in windows and find the sudo -l equivalent as well.

Goodluck guys!!!

great hints, it hasnt been tough sudo’in in windows, but im not sure how to open an elevated command prompt or indirectly obtain the flag, such as by copying it to temp… all i can seem to do is make the administrator ping myself… cant even echo a test word and save as text file in temp

rooted too finally, from what I am reading i think i went some other way. PM me if u want to discuss(not gonna give the solution) of your aproach. For those who rooted, please pm me just so I know what was your way, because i don’t think i managed to root it the way you did

Was able to obtain root.txt however I am not able to read the file yet, can anyone PM me a hint?

I am an administrator
I own the administrator folder and all subdirectories and files
I have full permissions to root.txt
i own root.txt
yet i can not read root.txt…
what do i not understand about windows permissions?

Update: rooted. This was not a permissions issue.

edit : got user since u get all the docs u know what to do ! :slight_smile:

I’m a bit lost at what to do after user. Would anyone be so kind to give a little nudge?

Me too. I’m not good with Windows boxes, any hints where I can continue would be great help. thx!

I own user…

I’m having the hardest time trying to root. Any tips? Tried everything on this board. Can’t figure out the hinted command here. Still needs PW :frowning:

@rlfonseca said:

@flexkid said:

@fasetto said:
You can read without evolution as well.

I tried to use str*** but It’s just junk data

either someone messed with it, something went wrong with the download or u need to read it closely again

facts

Any hits after user? Runas is asking for password. and password is not known for Administratotr. am i missing something?