Reel

Already got user.
I was just wondering if someone was able to get user without using ms?

Was busy with OSCP, but had a moment to do this and it was elaborate!

Failed many times to get a proper payload and finally got user!
And now stuck with priv esc user t**
I’m new with Windows, but this is an interesting box, any help with priv esc appreciated :)

Got ROOT! yeah!
One of the best machines. Learned a lot about the Windows way of “rule them all”. Breaking my head through the wall, trying to use PowerShell, because I forgot about the initial nmap results. I’ll get it one more time a week later, after reading some articles from Black Hat 17, to remember everything better. Thank you @egre55

Hi all… I have user, and I know where to go next, but am having some trouble getting there… I don’t know if it’s meterpreter or what, but my PS commands seem to run without response. Would appreciate a nudge in the right direction.

Init foothold: I’m trying to send a file, based on the tips on the machine, to a user, but I don’t get anything back. Is this the intended way?

I am soooooo close on this. I can see the file I want, but I can’t open it, copy it, move it or change its properties… What am I missing?

Edit: Nevermind! I’m a fool. I need to slow down and read a little more carefully.

Got root! Great box!

powershell issue is solved by issuing “powershell -c -” in meterpreter > shell

Awesome machine.
Incredibly realistic too.

Where to start? Downloaded some files and what’s the next step? PM plz

Got root! If you want to learn a lot about windows AD PrivEsc this is your machine!

Very sad to see that this box is retiring this weekend.

This system is a crazy walk down AD road. Learned loads.

<<< redacted - rooted!!! >>>

@rireoubli said:
Yay, finally got root on this one as well! It was a very good one, thanks to the creator.

And I’d like to share the hint that made it for me when I was stuck for so long: login-logout might help you

Thank you, thank you, thank you.

<<< redacted - rooted!!! >>>

@evandrix said:
stuck on reel @ user c****e, what next?

  1. need to re-run “dog” tool, or output already there is sufficient to PE?
  2. PE to local admin sufficient, or must be da?
  3. maybe my ps1 syntax is wrong, if someone can help (in a pm probably), that would be great

You don’t need to re-run anything. The document you have is enough.

This is a useful read: https://wald0.com/?p=112

<<< redacted - rooted!!! >>>

@evandrix said:
Yep, I’ve read through that.
It seems like the “document you have” != the output of my live ps1 queries via p****v**w

Possibly, but if you’ve logged in as the user C*, did you enumerate the user T* account first?

Rooted thanks to a hint to stop being a dummy. I’m sad to see this one go into retirement.

This was a great box and representative of cracking the perimeter into a real world environment. I definitely added some cool techniques and tools into my arsenal thanks to this challenge.