Access

Removed by request - Arrexel

■■■■! Thought I was DM’ing. Yup, I’m an idiot, a tired idiot.

Got the root flag using r**** and >.

Do the math. Even though I don’t think that was the intended way as I did not get a root shell.

Out of ideas. I have limited user shell. I see that r**** is the likely command used to gain root. So far, I r**** its o***** to external sources. But I can’t find the correct syntax to run as admin. Could someone PM me?

@avoidy said:

@Sixpon said:
Can anyone help me via PM? fcrp isn’t giving me anything. I read the first file in Ba**** but I didn’t open the .z which is in En**. I think I’m wasting my time with the wrong wordlist…

If I recall, I did not have to crack the password, it was obtained via another file.

Thanks for the answer, I think I found the password before. I tried it for bruteforce in t***** but I’m not able to open the z** anyway. I’m using unz** and it doesn’t help me. I don’t know many tools. Any suggestions for a tool, or for opening the .p** file?

7za x myfile.z**
If I remember correctly, it’s due to the zip file being encrypted with AES, so you get an invalid sequence with z**.

For the p** file, it depends on your system: if on Windows, simply import or open it in Outlook. If on a Linux OS, then install and use “readpst”. - It worked for me.

Hopefully this ain’t no spoiler but some help.

@avoidy said:
7za x myfile.z**
If I remember correctly, it’s due to the zip file being encrypted with AES, so you get an invalid sequence with z**.

For the p** file, it depends on your system: if on Windows, simply import or open it in Outlook. If on a Linux OS, then install and use “readpst”. - It worked for me.

Hopefully this ain’t no spoiler but some help.

Thanks very much! I learned a lot thanks to you.

Hello guys,
I got local user access. It was not so difficult.
Now I am stuck on PE. I have discovered the "Z*****s" application, probably a service too. Is it the right path?
I would appreciate it if you gave me a hint.

@c0uldb3 said:
Hello guys,
I got local user access. It was not so difficult.
Now I am stuck on PE. I have discovered the "Z*****s" application, probably a service too. Is it the right path?
I would appreciate it if you gave me a hint.

There are plenty of tips on this topic about PE process so that you can get on the right path :slight_smile:

Hey, can anyone help me with this situation? I found a service named ZK**** and I searched for it. I used this command ics Z*5 and it gave me some information. But I don’t know how to proceed with my steps. I’m trying to rs but I didn’t manage to use it. I’m very sad with services and tools when I don’t know what they are. You can also PM me if your answer includes spoilers.

OK… got user flag… stuck on the runas command… any hint? I’ve already checked every single page of this box here… I’ve read the runas docs… tried almost every combination but no results… what can’t I see?

@Sixpon said:
Hey, can anyone help me with this situation? I found a service named ZK**** and I searched for it. I used this command ics Z*5 and it gave me some information. But I don’t know how to proceed with my steps. I’m trying to rs but I didn’t manage to use it. I’m very sad with services and tools when I don’t know what they are. You can also PM me if your answer includes spoilers.

@cptUP said:
OK… got user flag… stuck on the runas command… any hint? I’ve already checked every single page of this box here… I’ve read the runas docs… tried almost every combination but no results… what can’t I see?

The only hint I can give to both of you is: Users are lazy and apparently really hate retyping their passwords or in this case, the admin! :smile:

Finally rooted. This machine will force you to go back to the basics. Can’t believe how lazy I’ve been. Here are my spoiler-free hints:

Limited Shell

  1. Enumerate the available services using manual and automatic methods.
  2. Learn to open files from a “low level” point of view. If using Kali, you already have the tools to do this. Nothing needs to be downloaded nor will you need any commercial software.

Root

  3. The privilege escalation was the best and most excruciating part. There are many considerations for enumerating the Windows OS. Collect EVERY fact of data. Enumeration is key to finding an essential fact regarding this machine.
  4. Using the discovered fact from above, you will use it in conjunction with a built-in Windows tool.
  5. The kicker: You must privy yourself on the expected output for each option/parameter this tool provides! Go to Microsoft’s page and review the examples and READ THE DESCRIPTION for each option/parameter available to the tool. Understanding this tool COMPLETELY is essential. Test the tool in your own environment, and note the general behavior. This will help you formulate a plan and see the whole picture (versus what you are observing on the target…).

Rooted. Getting user was fun, was able to use some things I learned from CTFs a while back. This box ended up being super simple for root, just have to do some typical Windows enumeration and pay attention to syntax once you find the interesting configuration (many hints in this thread already).

I was able to run various commands with what I thought was the right syntax, but any time I tried to t*** a specific file it ended up failing. After a simple syntax change, I was able to run the command with no issues.

Hello, I have both files, but I am not able to find the password in the DB for the zip file.
(I found 3 credentials but they are not working for telnet either…)

Any Hints?

EDIT: I had a typo :tired_face:

@Smausko said:
Hello, I have both files, but I am not able to find the password in the DB for the zip file.
(I found 3 credentials but they are not working for telnet either…)

Any Hints?

One of the passwords should be valid. Hint: Take a look at which folder you pulled it from.

Hey guys, I feel like I’m at the point where I could use some advice or a hint if possible!

I have the user flag, I’m working towards the root one right now and running into a wall re: the enumeration aspect. I’m following numerous guides out there about looking into identifying users, services running, scheduled tasks, etc. I’ve attempted a bunch of different privilege escalation techniques from a meterpreter session that haven’t gone anywhere either.

I keep seeing people referencing users’ laziness, the admin’s disdain for re-typing their credentials, alongside the r**** command and some sort of particularity that I should be seeing about something’s setup/configuration that comes up through my enumeration.

At this point I’m just not sure what it is I should be looking at. I probably have all of the data in front of me, but I’m not exactly sure what the anomaly is that I should be spotting.

Any help would be welcome, thanks!

“I keep seeing people referencing users’ laziness, the admin’s disdain for re-typing their credentials”
Check your enumerated data for references that relate to the sentence above.

Nice box, user was easy, root well obfuscated, overall fun challenge, where I had FULL root love it.

@kanecain said:
“I keep seeing people referencing users’ laziness, the admin’s disdain for re-typing their credentials”
Check your enumerated data for references that relate to the sentence above.

I guess I’m just still not sure where I should be looking. I just went down a big rabbit hole trying to use cm**** /list in conjunction with r**** and thought I was getting somewhere, but it appears not.