RE

24

Comments

  • I have the user, I work for the root.

  • Finally I rooted the box. It is an excellent box; thank you to the creator.

  • It's a very good box, I can give you some advice to make this box a success.

    User:

    For the user I invite you to look on the blog, and enumerate, you can then perform manipulations to the server.

    Root:

    The root is more or less simple, you must look around you, and understand how the processing of files works.

  • Finally I found the way to upload a malicious file but I cannot execute it. I need help or an indication

  • Watch on the blog what extension can be sent. ;) @n1b1ru

  • @Seepckoa said:

    Watch on the blog what extension can be sent. ;) @n1b1ru

    I found them. I can upload a file and it gets my kali... Anyway I cannot execute it

  • @n1b1ru said:

    @Seepckoa said:

    Watch on the blog what extension can be sent. ;) @n1b1ru

    I found them. I can upload a file and it gets my kali... Anyway I cannot execute it

    I used a Payloadless file and maybe the problem is in saving the file to the right folder and/or to execute it in order to download the malicious payload from my kali

  • Finally rooted. It was quite a long fight:) Thanks @Seepckoa for help!
    User part is straightforward if you read the web. For root - don't get stuck on enumeration for too long, try to understand how ALL files are processed.

    dsavitski
    PM for hints, but try to describe exactly where u are on the box and what you've tried. Don't forget about +respect button:)

  • i have user
    tip: don't complicate things as this can be time consuming !!!; the process is fairly simple as any other windows box

  • Can anyone PM me please? I try uploading the file but can not get what I want.

  • Thx For this box very real!!!

    I would like to get this vm

    My hints

    user: the website is telling you all the hints to get user (is no ghidra) XD

    ROOT: Here you will need a similar attack but in other format. Read everything that you can in the machine and try to understand what is doing (like others are saying). The final part of this, get the system shell and read this

    https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files

    Awesome machine really enjoyed

  • So the user part was pretty straight-forward after reading the stuff on the standard port and related information about it. I found the special directory and obviously something is doing things with the stuff put into that directory. A comment in the thing exploited for user stage suggests something about upstream expecting things in a certain format. I've found an application in Program Files but that is not a vulnerable version. The "native" application for the "expected format" is not installed (but might have been prior). I see there are more instances of a certain "powerful thing" running but can't get an account it's running under... this turns into some sort of guessing game as I am unable to find out what processes are spawned by that thing. Only thing I have on my mind now is some kind of "overwrite something using something wet and slippery" but if that fails it might brick the box.


  • @n1b1ru said:

    @n1b1ru said:

    @Seepckoa said:

    Watch on the blog what extension can be sent. ;) @n1b1ru

    I found them. I can upload a file and it gets my kali... Anyway I cannot execute it

    I used a Payloadless file and maybe the problem is in saving the file to the right folder and/or to execute it in order to download the malicious payload from my kali

    Did you get it ?
    I got NTLMv2 credentials ... can I do anything with this ? I don't think we can PTH or 'easily crack' NTLMv2 .
    I tried s..R...y without much success. Can anyone PM me ? Thanks

  • My .o** payloads are not working no matter how much I obf them. Is this not the way?

  • @krypt said:

    My .o** payloads are not working no matter how much I obf them. Is this not the way?

    No need for obfuscation.


    Hack The Box
    defarbs.com - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • @marote said:

    @n1b1ru said:

    @n1b1ru said:

    @Seepckoa said:

    Watch on the blog what extension can be sent. ;) @n1b1ru

    I found them. I can upload a file and it gets my kali... Anyway I cannot execute it

    I used a Payloadless file and maybe the problem is in saving the file to the right folder and/or to execute it in order to download the malicious payload from my kali

    Did you get it ?
    I got NTLMv2 credentials ... can I do anything with this ? I don't think we can PTH or 'easily crack' NTLMv2 .
    I tried s..R...y without much success. Can anyone PM me ? Thanks

    Finally...

  • @farbs said:

    @krypt said:

    My .o** payloads are not working no matter how much I obf them. Is this not the way?

    No need for obfuscation.

    Yeah apparently the box is not very stable...

  • edited August 8

    Ufff, finally rooted. For me as a Linux guy this was a very tough box. But a very realistic one and I had a lot of fun...

    Special kudos to the following people who helped me a lot in understanding this box: @dsavitski @gokuKaioKen @CHUCHO and @m4xp0wer THX!!!!

    My hints:
    USER

    • read a lot and use some "basic" skills...
    • use a "simple" way to write a webservice

    ROOT

    • keep your webservice open... it could help you somehow
    • as mentioned before in the forum: understand the whole process even if it's not written down somewhere
    • maybe you have to manipulate your exploit a little bit...
    • don't be afraid of multiple reverse shells
    • use the power to abuse a (as I learned) common windows service
    • if you are not familiar with m******z, m*********r is your friend

    Big shoutout to @0xdf for creating this very realistic and fun box!

    Feel free to PM me, if you need a hint or two :-)

    v1p3r0u5
    If you need some help => 1) Your findings so far? 2) Your conclusions? 3) Your further ideas?
    RESPECT++ if I was able to help you! => https://www.hackthebox.eu/home/users/profile/139772

  • "don't be afraid of multiple reverse shells" - I tried doing that but when I try to spawn a second c.e*e through nc.e*e the connection is terminated immediately. Doesn't matter if I try to upload a second file with changed parameters or by doing things like "start c*d.e*e /C nt.e ......." I get an incoming connection which instantly terminates. Same deal when trying to use m*t*rpr*ter.


  • got root. thanks for help @v1p3r0u5 @Seepckoa . PM for hints:)

  • Nice Box! Message me for help with root

  • edited August 14

    .

  • Finally got root! Thanks @v1p3r0u5 fun box! PM me for help

  • Finally rooted this. Really fun box. This is a box I'll go back to and explore further.

    User and root both take a similar path (at least the way I did it), and almost everything one needs is on port 80. Feel free to PM for hints.

  • Hi,
    I'm trying to get initial access to this box.
    I've enumerated the box, identified the two ports, read stuff and taken some notes on file extensions o**, obf and some invocation restrictions that may be in place according to the ya r***s that may be in place.
    I can put things on the malware share and I see them disappear after a few seconds, so this helps me understand things seem to make sense according to what's on the blog.
    I'm trying to embed different kind of commands, using obf and without using it, doing some pocs locally with a win10 instance and defender on. While these pocs are running locally I don't get any signal from RE.
    I've also changed some metadata from the o
    file gen by msf, so it makes it more save at the eyes from possible y*** rules scanning those xml.
    I'm pretty sure I'm on the right path but not sure how to proceed to get that rce.
    I've tried commands to directly power me with a rev shell, simple things such as trying to catch ntlm hashes with responder, or just trying to get hit by an http request using different available tools on windows.
    Maybe I've been doing too much and miss or fail some PowerShell direct rev shells on the syntax?
    Any hint please?

  • edited August 20

    Got in. As someone already said, try the simplest; anyway, I have learned a lot about interacting programmatically with o** files and y*** stuff, in different flavors, hehehe

  • Is the reblog.htb site supposed to come up with a page?

  • Hi guys,

    can someone pls pm me, need a hint for user.

  • rooted. A great opportunity for learning Windows priv esc. Thank you @naveen1729 for your advice.
    As for the last step, I took an impersonation way by using in******o.
