HelpLine

This box is kicking my ■■■ so much, at the same time I think it might be the best box to date :)

@veterano - PMed you. Maybe we can team up!

@sajkox – Totally agree with you, this is an awesome box. I’ve been enumerating for 2 days and it keeps on coming!

Hi guys!

That's my #2 box to try on.
Maybe some of you got some hints for me? (without spoiler)

I started enum with a names script but… I guess that's the wrong way, but I didn't find another exploit than the published one.

Where should I start?

Really dislike this box. Even following the required steps to decrypt files, it fails. Following fresh resets, the file information cannot be retrieved, and the file directory where certificates should be located doesn't exist. For example, directory system*********\My is not there. I've failed decryption 8 days in a row, even with verified commands that should work. Broken box in my opinion.

@RyanCollins sorry to hear that, I agree the unintended method, although possible, can be a pain. Feel free to DM to discuss. ofc I don't promise that the intended way is any less painful, but hopefully there's plenty to learn from the box, whichever route you decide to take

I’m able to run commands as Al**e, but it’s currently in Consed Lange Mode. I’ve been trying to bypass this but with no success. I’ve also tried the shad adm**s, but can’t seem to connect or run commands with either of those.

@egre55 said:

> @RyanCollins sorry to hear that, I agree the unintended method, although possible, can be a pain. Feel free to DM to discuss. ofc I don't promise that the intended way is any less painful, but hopefully there's plenty to learn from the box, whichever route you decide to take

For sure, going to take a break, after 8 days and 500+ fails, I am at my wits' end. Just re-verified my files, commands, methods again, this time other steps that succeeded before now fail, even after manually verifying file location, etc. At this point I have given up, will wait for direction and further verification of my method, commands. I have yet to have anyone who has rooted the box replicate my steps with the same commands, something isn't right. xD

I will definitely message you tomorrow, that will be day 9, can honestly say I have never invested this much time in a Box. I finished Sizzle in a few hours… Cheers.

Which wordlist for initial foothold?

I have an exploit for this but haven't really tried to exploit it, as I was working on another one. If you google enough you will find it.

It is not related to this challenge so I will not state what software it's for. Read between the lines: those interested would take care in looking for a Medium post as well as a GitHub link.

I am pretty sure though we are operating blind, as my script is only allowing for a callback.

Forget it.

Ok, rooted, I was making a small error and now I have rooted the box! yay

Can anyone give me a hint after the creds?

Can someone give me a hint on how to read the flags after getting into a shell with nt authority\system?

Awesome machine by the way. Congrats @egre55

fucking awesome machine. I learned a lot!!! This was painful, but it was cuz I'm a Windows noob

My hints:

  • for user try to play with cookies, I think someone has released an exploit (it is new)
    Then play with the wonderful fruit

  • Root: this was my fucking pain. Whatever you are doing, don't use the shell that you got (I know it is strange)

Thanks for this. I have too many questions about the creation process for this box. I would like to know how you did everything, if anyone can tell me, it would be appreciated

I found some usernames. I am trying to crack their passwords. The server is painfully slow. Is brute forcing the intended way or might the API help?

Can anyone PM me with what to do with the very long string in creds?

What a nice machine! Congrats @egre55 :)

Thanks to @CHUCHO @FlameOfIgnis and @jkr for all your help.

PM for hints if you need some.

Apparently I’ve gone a couple miles down the unintended path. I don’t see any way forward that doesn’t involve targeted hash cracking. There are enough hints for that to be viable, I’d think, but it hasn’t gotten me anywhere. Maybe I overlooked something in the mountains of mimikatz documentation. I dropped a forensics lib to read the raw flags. I was hoping to get the metadata, but it only returned the contents. I think that should count, since I technically have the flags.

I saw where @egre55 was doing some things with calc.exe, so I’m wondering if a custom exploit is intended, though I don’t see how it could help me now. I guess I’ll go back to the users, since they each seem to have a purpose. I would like to know if the remoteaccess site is involved. A couple open ports make me think it might be, but I haven’t seen anything else to support it. Alright this stream of consciousness has gone on long enough. good talk

Totally stuck as NT auth shell. Tried all kinds of mimikatz tricks, not getting anything. Have some idea as to what's going on, E*S. Always lacking one/two components to decrypt something crucial to decrypting the next step/cred/cert… Any hints?? It's fun running all kinds of tools on this machine though