Rooted! And had a great time with it, too. Pretty cool concept for a box.
Here are some hints for user/root:
User
Make sure you pay attention to the service that is running on the higher port. There’s one in particular that you can abuse specifically. As was mentioned above, it is rather realistic and closely related to phishing tactics.
Root
Extract. Pay attention to what is relative. Afterwards, you can abuse a service to act as who you want to be.
I did the machine and got root … but I don’t really understand your hints!!
This box is lovely because there are several paths to root and there are many paths to discover those paths. We also have several possible directions that will not lead to a result but are still interesting for learning.
I just started this box and I THINK I am on the right path to user. Does this have to do with “making something unclear” and putting it on a higher port to run? Or is this a rabbit hole?
Watch on the blog what extension can be sent. @n1b1ru
I found them. I can upload a file and it gets my kali… Anyway I cannot execute it
I used a Payloadless file and maybe the problem is in saving the file to the right folder and/or to execute it in order to download the malicious payload from my kali
Finally rooted. It was quite a long fight:) Thanks @Seepckoa for help!
User part is straightforward if you read the web. For root - don’t get stuck on enumeration for too long, try to understand how ALL files are processed.
user: the website is telling you all the hints to get user (is no ghidra) XD
ROOT: Here you will need a similar attack but in another format. Read everything that you can in the machine and try to understand what it is doing (like others are saying). The final part of this, get the system shell and read this
So the user part was pretty straight-forward after reading the stuff on the standard port and related information about it. I found the special directory and obviously something is doing things with the stuff put into that directory. A comment in the thing exploited for user stage suggests something about upstream expecting things in a certain format. I’ve found an application in Program Files but that is not a vulnerable version. The “native” application for the “expected format” is not installed (but might have been prior). I see there are more instances of a certain “powerful thing” running but can’t get an account it’s running under… this turns into some sort of guessing game as I am unable to find out what processes are spawned by that thing. Only thing I have on my mind now is some kind of “overwrite something using something wet and slippery” but if that fails it might brick the box.
Watch on the blog what extension can be sent. @n1b1ru
I found them. I can upload a file and it gets my kali… Anyway I cannot execute it
I used a Payloadless file and maybe the problem is in saving the file to the right folder and/or to execute it in order to download the malicious payload from my kali
Did you get it?
I got NTLMv2 credentials … can I do anything with this? I don’t think we can PTH or ‘easily crack’ NTLMv2.
I tried s…R…y without much success. Can anyone PM me? Thanks