Querier

I am able to connect to S******* with r******** but I am unable to find a way forward that would allow xp******. I have tried several escalations but none have worked. I am a bit lost. Please DM any suggestions.

picked up user and root flags, still looking to get root shell.

picked up user flag done ! getting shell :smiley: ! but still not get r00t glag ! :frowning:

r00t great box !! i liked !!!

Got User & Root, I like thix box ! more windows machine please :slight_smile:

PM if you need some help

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

Type your comment> @hacklife said:

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

You are on the good way search a good tools :wink:

Type your comment> @1c4re1337 said:

Type your comment> @hacklife said:

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

You are on the good way search a good tools :wink:

Thanks… I just used impacket… and the same problem: Login failed…

I would appreciate any hint or PM :slight_smile:

Thank a lot

Thanks… I just used impacket… and the same problem: Login failed…

I would appreciate any hint or PM :slight_smile:

Thank a lot

Look the password :wink:

Finally rooted !

@dr0ctag0n many thanks for time spent to compare my Im…ket usage which was correct but didn’t work in my case. I found a workaround later on. Also thank you for confirmation that I am on right path for root.
If anybody needs help send a PM.

Struggling with the initial foothold. Both s** and m***l seem to be password protected. Am i going the right way?

Update: Found some cu****** re****.xl**, am i even on the correct smb? LOL…feels weird.

Type your comment> @jattion said:

Struggling with the initial foothold. Both s** and m***l seem to be password protected. Am i going the right way?

Update: Found some cu****** re****.xl**, am i even on the correct smb? LOL…feels weird.

You are and enumerate that file :slight_smile:

Type your comment> @innocent said:

Type your comment> @jattion said:

Struggling with the initial foothold. Both s** and m***l seem to be password protected. Am i going the right way?

Update: Found some cu****** re****.xl**, am i even on the correct smb? LOL…feels weird.

You are and enumerate that file :slight_smile:

Yup i found it…what a way to hide the creds. Almost thought i downloaded the wrong thing when i opened to a blank sp*sh. :slight_smile:

Any help on getting root? I have access to ms*** using im****** and using xp_cll to execute p****sll commands keeps resulting me getting block by an anti-virus. Uploading scripts to s service also results in access denied error message. Am i doing this wrong? Sorry this is my first windows machine so any help is appreciated. :slight_smile: Forgot to mention that i have already captured the hashes as shown in gi** and have access to ms***-**c

Update: Rooted the box. Pm meet if you all need any assistance! I wii try my best to help.

Type your comment> @ZeroPath said:

I need a nudge with priv esc. Im blank xd

This is a OSCP machine. Great for trainning. I Love that. Don’t do all with script. Try to understanding the core of concepts.

Type your comment> @techjohnny said:

This was a fun box.

Nice nostalgically themed box from a VERY famous 80s Nintendo game. The name of the box is a little curious.

User: A little tricky special character needs to escape. Captured a hash and cracked with Hashcat, which I found to by 10x faster than JTR.

Root: The methods mentioned are reliable for a reverse shell. The tricky part is the syntax of PS, was for me, but will have this method in my tool belt for future boxes.

Which wordlist did you use?

Type your comment> @siryarbles said:

I have a reverse shell using powershell but whenever I run any of my powershell enumeration scripts, Powershell-Mafia, Sherlock or JAWS I get no output. Could someone please PM me? I am not sure what I am doing wrong.

this is basically what i’m facing also =(

Rooted! Happy to help, don’t hesitate to PM!

Anyone around that can give me some advice on this box.

I’ve never been so angry and frustrated with a box. I’ve got reverse shell with the mc user, I used p**s to create a new admin account, and I can’t seem to sort out how to get to the flag.

If anyone has questions up to that point, I’ll do my best to answer despite my frustration.

*** Nevermind. I’m dumb. Big thanks to tehmoon for pointing out my stupid mistakes ***