Heist

Rooted, great box.
Thanks @Akl for that:
“Get-ChildItem -Path (Your Path) -Recurse -File | Select-String (Keyword)”
Feel free to PM if stuck.

I seem to have a ruby issue, anyone know how to fix it?

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated
/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

Can't seem to use either ruby script.

have 3 cleartexts and 4 users but am stuck by this

I’ve had user for a week… not sure what I’m looking for… It might be because of the shell I have, but my user doesn’t have permissions to see running processes. Looked in both Program Files folders, nothing stands out. Can someone nudge me in the right direction?

Just rooted. Not sure what everyone meant by looking for a unique process… I found an encrypted password somewhere that just needed to be decrypted…

For user:
Does getting the right username require guessing? I found 4 usernames and 3 passwords, tried all the combinations and none worked. (on the higher port)
I’m trying to do a username brute force for now.

@0x000c0ded said:

For user:
Does getting the right username require guessing? I found 4 usernames and 3 passwords, tried all the combinations and none worked. (on the higher port)
I’m trying to do a username brute force for now.

Check out a particular script from impacket that could help enumerate usernames…
lo*****d.p

Thank you @Phase! I’ll check that out, I’m pretty weak when it comes to Windows enumeration, trying to learn :'P
Edit: that worked, thanks!

I have one account with which I can log in on the two services now. Do I need more credentials to continue?

Can someone give me a hint about privilege escalation?
I found the browser process… (only thing that stands out tbh) and looked inside the place where it stores data. However, I didn’t find anything useful there except for a few empty databases.

Is that browser process used to gain root? Did I miss something inside the place where it stores data?

PS. Some people are trolling this machine, a few hours ago the data storage directory had changed permissions, so no one else could access it with user privileges.

Ok, HUGE hint.

You don’t need to do anything with processes, do the same thing you did for user.

USER:
enumerate, can you use these anywhere? enumerate more, did you get anything? login.

ROOT:
remember it is easy, read. Find it? Sometimes the old Rocck music just doesn’t do it for yyou. When that happens I like to go online and try to see if I can find other groups, that will play for me. < I think this is unintended actually, let me know if you got it a different way!

Let me know if you need help.

Hi, help user. username = Haz***?

Hint for user: The metasploit module to speak to a high port service once you have the right credentials does NOT seem to work while the already mentioned ruby scripts do. Metasploit will tell you to check your credentials even though they are correct. The metasploit module to check the credentials does work though. So don’t get fooled by this.

On user:

I’ve confirmed that I have the right credentials for the 5*** port with other htb users on discord. With the metasploit module w****_****n I get “login successful.”

I’ve tried the ruby script already mentioned here as well as the ev**_****m tool. They all just time out. If I use the wrong credentials I get auth errors back from the ruby scripts, but with the right creds I get (HTTPClient::ReceiveTimeoutError).

I can reach and enumerate the SMB share and log in fine, the HTTP server on 80, etc. The only time I’m getting this is with the two tools already posted here that everyone else seems to be using fine. I have all the gems installed and working as well as the latest ruby -v.

I reset the box and tried right after, just in case this had something to do with:

@maxo13 said:
PS. Some people are trolling this machine, a few hours ago the data storage directory had changed permissions, so no one else could access it with user privileges.

But even after the reset I still get the timeout. Any help is appreciated, feel free to DM!

Any hint to crack secret 5 pass?

@ParlaxDenigrte said:

On user:

I’ve confirmed that I have the right credentials for the 5*** port with other htb users on discord. With the metasploit module w****_****n I get “login successful.”

I’ve tried the ruby script already mentioned here as well as the ev**_****m tool. They all just time out. If I use the wrong credentials I get auth errors back from the ruby scripts, but with the right creds I get (HTTPClient::ReceiveTimeoutError).

I can reach and enumerate the SMB share and log in fine, the HTTP server on 80, etc. The only time I’m getting this is with the two tools already posted here that everyone else seems to be using fine. I have all the gems installed and working as well as the latest ruby -v.

I reset the box and tried right after, just in case this had something to do with:

@maxo13 said:
PS. Some people are trolling this machine, a few hours ago the data storage directory had changed permissions, so no one else could access it with user privileges.

But even after the reset I still get the timeout. Any help is appreciated, feel free to DM!

I have encountered the same problem.
Finally I ran the ruby script in Windows.

It appears that I might have some kind of ‘bug’ with my smbclient and I am not able to correctly list or get the files in the shared folder. Can someone PM me for assistance?

@zfyra said:

Any hint to crack secret 5 pass?

you best ask John, he would know

@hanter said:
Hi, help user. username = Haz***?

nope

Stuck on priv esc, first Windows box. Have spent a lot of time looking through the directories, need a nudge, pls PM me.