Arkham

Difficult machine.

edited; why so hard

I am totally missing something for the decryption
nvm, got it after failing hard

I’m stuck after user. I do have a password which doesn’t work on the system but allows me to get access to another service that contains something interesting, but I’m failing hard on reading it. Can someone PM me?

Rooted :smile: this is not a 30 points machine IMHO.

User was great, I have learned some tricks to play with J*** d**************.

After you get some pings, getting a shell is a bit hard because you can't see why some commands fail. Common shells do not work, try to get a more obfuscated one or bypass some Windows checks.

Root was easy once you see it, but took one day to realize that part.

PM if you are stuck.

Hi… I think I need help on how to intelligently make a subset of “rockyou” wordlist. I’ve tried to create shorter ones with no luck at all.

I got RCE and I know that we can use S** put to G**** but still struggle to get a shell. Can anyone help me on this :frowning:

Someone has done it with a Java class; I need some help, it doesn’t work when I try to recon******.

Edit: nvm, recommended to use modified version of j*r file :slight_smile:

There is actually a method to get the output of commands back! I did detailed enum over RCE and got the user flag this way - before I got a shell.

Using the output you can find out why common shells fail, and then google for a bypass.

@Esplendini said:

Hi… I think I need help on how to intelligently make a subset of “rockyou” wordlist. I’ve tried to create shorter ones with no luck at all.

Remember the machine name

I've had a fun run at this machine so far. I was pretty sure of the attack vector within a few mins of enumeration. Unfortunately it's an attack I've been pretty terrible at historically, so I welcome the chance to further my skill set.

That being said I have had a weird experience thus far. I found the encrypted file pretty quickly. I ran strings and binwalk against it and found some info, before I ever cracked it! Even after cracking it… all I have is the same info?! Is this by design? Did the box creator throw this out as a red herring? Sorry if I've said too much. I don't want to spoil anything, but I am curious if anyone noticed the same. Feel free to PM me to discuss.

@johnnyz187 said:

This should have been a 40 maybe 50 point box!! Whoever decided Arkham is a 30 point box was either high on glue or is smoking some bad meth!

That’s funny, why was bud left out? Too bad of a decision to be made on cannabis :wink:

Can anyone give me a hint on the path to root?
Managed to create my own reverse shell through the modified java.
Found user and the other credentials.
But I’m stuck because I cannot find any interesting stuff that I can influence.

Any idea why hashcat stays at 0.0% even with a short wordlist?

@halfluke said:

Any idea why hashcat stays at 0.0% even with a short wordlist?

It happened to me too, but it is trying words. I think it processes the wordlist in batches of hundreds of words and it takes a lot of time to process each one.

@Esplendini said:

@halfluke said:

Any idea why hashcat stays at 0.0% even with a short wordlist?

It happened to me too, but it is trying words. I think it processes the wordlist in batches of hundreds of words and it takes a lot of time to process each one.

Indeed, just cracked. Now I will stop here as I think next step is super hard, perhaps during the weekend someone who wants to work in team :slight_smile:

Made it finally to root, quite a journey, thanks to @tabacci for the support.

For the final stage I would appreciate it if someone could send me a PM that explains why it works doing it the “net” way but not the usual way. Would like to understand what goes on behind the scenes.

cheers

Anyone who can give me a hint on how to proceed with the decryption of the VS*?
Found the secret but not sure of anything else. Google is not very helpful.

Geez… what a box. And still I cannot figure out how to get a proper shell as Admin (got root.txt though). If anyone was able to get a shell as Admin/System, I’m glad to hear. Otherwise I’ll probably wait… :slight_smile: Thanks a bunch @sckull for this one. It’s a 30 box that should be 45!

Edit: fortunately I’ve recalled that when you have root.txt you can unlock some protected writeups that you can find with google, and compare other approaches (in this case I’m actually learning properly this way). Definitely too difficult for my current level.

I have the secret but don't know how to decrypt the viewstate. Any nudge would be good.