Querier

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

@supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

I don’t get anything so… no hints there :smiley:

Got root shell after a LOT of trouble using my own created Admin user, which I didn’t even manage to use at the end. My final solution was easier.
Still don’t understand what people call ‘uncles’, didn’t need them to elevate.

I have a stable root shell on the system. I’d be glad to share methods to get root with anyone. :smiley:

Super cool box, was looking for a Windows box to learn stuff as I am super new to Windows boxes, learnt tons of stuff about PS, and about some of the ports that were open.

Rooted At last! Awesome box :smiley:

@supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

OK, I found it … thanks :slight_smile:

I have the valid user for the xp… but am I on the right way with a reverse shell via xp…? :confused:

I managed to get root on the box (feel free to message for nudges!) but I found it weird that for the very first step when using s*****lient I was able to get the listed shares without creds, but when trying to do something similar for s****ap I don’t. I tried replicating this situation on my own Windows machine but was unable to.

Had an interesting group meeting with uncles “L” and “M”. :wink:

Really enjoyed completing this box, props to the creators @mrh4sh and @egre55.

Thanks to those that provided a nudge and discussing the root shell method. Happy to pay it forward to those that are stuck!

I could use a nudge to see if I’m on the right path. I’ve got xp_ enabled and user.txt is mine. I’m trying to get a shell by uploading a file, I can see via tcpdump that my upload command is working but I get an error no matter where I try to write the file to that permission is denied. Am I on the correct path, can anyone message me a hint on where to upload?

@tiltedtimmy said:

Got root.txt but not shell…

Whoever has got root.txt can you pm me if you got a shell and maybe give me some pointers how to get it. Thanks!

Use p***** .py from I*******

@GordonFreeman said:

Can anyone assist with connecting to the sql service? All of my normal options haven’t been able to connect :confused:

Try using domain name too

@alg42 said:
I could use a nudge to see if I’m on the right path. I’ve got xp_ enabled and user.txt is mine. I’m trying to get a shell by uploading a file, I can see via tcpdump that my upload command is working but I get an error no matter where I try to write the file to that permission is denied. Am I on the correct path, can anyone message me a hint on where to upload?

I believe you can execute a file without writing anywhere … I am a NOOB … beware

Rooted
Really it’s a very nice box, learned a lot from this Windows box.
If anybody needs hints, ping me personally.

Well, after spending much longer than I would like to admit on this box, I finally got root. I got hung up on many small things but learned a ton along the way. PM if anyone needs some hints.

A good Windows machine after a series of Linux ones under my belt. A good way to earn user though we have done it before. The reverse shell was nice in user. For root, I would suggest to give “Power” to yourself and then you will have what you want. Shoutout to @superfume for your brilliance in answering all the doubts I have.

P.S. execute what you have to get the Admin shell. :wink:

Enjoyed getting user, very realistic. root was a bit of a drag, all about the right script :wink:

Great box, learned a ton. Started pulling my hair about the root but in the end the right (and primitive) tools did the job.

Finally rooted (shell). Big thanks to @Malone5923, @TheGrandPew, and @Baikuya for their much needed hints. Also a big thanks @mrh4sh and @egre55 for a good learning box. So much about Windows I did not know.

As always, here are my pointers.

Pretraining: Yes, I have included something you should do before even looking into this box. I am a big fan of ippsec. Watch Gi***, Opt****, and Bas****.

Initial: Start with the known ports. For things that you find, one must look within to learn something worthwhile. Take some time to learn the different ways to authenticate a DB, specifically the two different ways related to OS. Impacket is your friend.

User: Gi*** is your guide. Impacket is your companion.

Root: Enumeration is key, especially if you have a ‘super mushroom’ lying around. For those wondering about the “uncles” reference that keeps cropping up, don’t think about it. When it is revealed to you, all will make sense. Impacket again can lead you over the finish line.

Again, if I have said too much, please let me know and I’ll edit this.

As always, PM me for more concrete hints. Don’t forget to tell me your progress so I don’t spoil it too much.

Finally rooted!! Thanks for @all partners that helped me with this challenge, as always, glad to help someone too via PM.

Valuable learning!!

Finally! That was painful for me, I must have reread everyone’s post a dozen times. So many random things I kept messing up…hopefully I’ll remember. If anyone needs a hint, feel free to pm me.