Arkham

@watashiwaojsn said:

Gmmm, playing with this box for a day but can’t ping myself…
any gentle nudge appreciated!
edit: nvm finally able to ping myself. onto user. what a hard and nice box!

After getting the user shell, stuck at privesc for days. mmmm.
Anyone at the same point?

edit: Finally rooted with reverse shell! Wow! Surprised old technique still worked even today. Live off the land!
edit 2: compared the solutions but seems my painless way was not mentioned anywhere

Any hint about priv esc to root? I guess I already have a B***** user and password after getting an image…

Can someone help me with foothold-user? I found .img and dir with ***cat files in it, but I have no idea how they can be useful. Also found some methods, but can’t properly interact with them yet.

a

Do we need Batman credentials to become Batman?

Need a nudge regarding faces. I understand it’s b64 but can’t seem to get anything good out of it to start with the secret

PM with any help on privesc. I have shell with admin user, but struggling to get to SYSTEM with de***er and uc blocking all attempts. No joy leveraging win system binaries with autoelevate since they all return access denied. Thanks so much!

I am able to ping myself and trigger the download of a file that I’m hosting. But I cannot execute that file to get a reverse shell. Tried different payloads and obfuscations but cannot get user. Any pointers?

Can someone PM me?
I’m able to exploit some flaw but I’m totally blocked right now.
I can only ping myself…

Currently having issues with the number 500. I believe I need to append something to the beginning of my payload, but am unsure of the format. Any assistance is greatly appreciated!

Rooted

Finally rooted, though the easy way, so need to revisit some other writeups to get the full shell method. I found this a super tough box, over 16 hours of work. I did rabbithole for quite a few hours of that trying to do some unneeded evasions, oh well! :)

I was finally able to figure out how to “buttle” my way to reliably get a reverse shell, and get user.txt. I have found his downloaded, archived local backup file that contains a picturesque reminder for Batman. I can now perform some minor things as Batman, but they mainly seem limited to aspects of various tools that can list or download files from the Users share. I do not seem able to execute anything as Batman. Or at least, I do not see how to do that.

I have also hit the limits of my msfvenom knowledge; I have so far been unable to get anything to actually run on Arkham.

I agree with @BobHaddock that this is a “super tough box” and I have spent many hours over the last 4+ days figuring things out.

I could dearly use a nudge or hint in the right direction.

Edit: This box is going to have me committed to an asylum soon.

Wohoooo finally, at the fourth shell… SYSTEM!!!

Very very good & fun machine. But dude, the blind RCE and the privesc part to achieve the privileged shell were… haaard! Lots of new/refreshed knowledge with all the trial & error.

PS C:\Users\Administrator\Desktop> Get-Acl root.txt
Directory: C:\Users\Administrator\Desktop

Path Owner Access
---- ----- ------
root.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...

PS C:\Users\Administrator\Desktop> whoami
nt authority\system

Finally! What an exhausting box, super happy with it and had a lot of fun (when I wasn’t pulling me hair out.) Giant thanks to @watashiwaojsn for all the help, if I could give more than one respect I would!

Hello,

I am able to encrypt and send a PING request and was able to see the request and the reply in wireshark. However, I have not been able to escalate this vulnerability to a rev shell.

Could someone please guide me on this part?

PP

@pp123 said:

Hello,

I am able to encrypt and send a PING request and was able to see the request and the reply in wireshark. However, I have not been able to escalate this vulnerability to a rev shell.

Could someone please guide me on this part?

PP

If you can ping, you can live off the land of the target to request additional tool/s onto it from you, by the same means you’re calling the pings (and hence the tool/s).

I’ll be damned if I can see any way to get from Batman to Administrator in any manner. Batman seems to be the least-capable localgroup Administrators member ever.

I don’t see any “easy” way either that has been mentioned.

Can anybody help me with this box? I got access to the files but don’t know how to decrypt it.
This is my first box on hackthebox. Please guide me.