Heist

decryption the secret 5. The characters are throwing everything off. Am I missing something? I can’t get john to accept it. Kinda at a loss.

Rooted. Great windows machine. Tnx @MinatoTW on this challenge. PM me if you need a hint.

Rooted. Wasted about 6 hours in total trying to log in using metasploit and some other tools. The ruby script mentioned earlier worked well in my case. So without this metasploit issue user should be pretty easy and straightforward. Didn’t get whether this is a bug or a feature of the machine.

Root was much easier, literally got it in 5 minutes just by walking through directories on the disk.

GREAT BOX

USER: Find usernames and passwords (decrypt them), find more usernames, check if you can log in somewhere using all combinations (user-pass) and log in. There are hints here for programs that you could use for these steps.

ROOT: Search and search, and when you find it use that to access. No need to find process, there is a much easier way, just search for it.

@L1vra said:

GREAT BOX

USER: Find usernames and passwords (decrypt them), find more usernames, check if you can log in somewhere using all combinations (user-pass) and log in. There are hints here for programs that you could use for these steps.

ROOT: Search and search, and when you find it use that to access. No need to find process, there is a much easier way, just search for it.

PM me if you are stuck for hours

@ParlaxDenigrte said:

This one turned out to be a bit of a pain for me. Per my last post I never got any connection to w***m to work from linux. HTTP on 80 worked fine, S*B worked fine, and the metasploit w***m_l***n module worked fine with “login success” on the proper creds.

None of the ruby tools posted here ever connected.

I had to switch to a windows 10 VM and then use En***-*******on with P****S**** to connect and get user and root.

I’ve seen this a few times here - interesting… FWIW - linux worked fine for me… using: kali with system python2.7.16 and ruby2.5.5

I spent the last 2 days getting a username for User with no luck. First I changed the LpS**.Py script from Impacket so I could feed it wordlists. I’ve exhausted all the standard wordlists and I even went looking for new ones. Ran that for a day. Figured I might have screwed up altering the script. (One of the passwords has an @ in it to mess with it) and also read people had problems with authenticating. Then I went to msf WM-l*** and used the same lists, but still nothing. Could someone give me a nudge please?

@UCLogical said:

I spent the last 2 days getting a username for User with no luck. First I changed the LpS**.Py script from Impacket so I could feed it wordlists. I’ve exhausted all the standard wordlists and I even went looking for new ones. Ran that for a day. Figured I might have screwed up altering the script. (One of the passwords has an @ in it to mess with it) and also read people had problems with authenticating. Then I went to msf WM-l*** and used the same lists, but still nothing. Could someone give me a nudge please?

You got the right scripts but I have no clue what you are trying to feed them… it’s pretty self-explanatory once you get your hands on the config file after the gu**t login.

Rooted.
I spent hours not knowing what to do, but after a while, when doing something else, I learned that there is a bug in my system in one of my tools, that was necessary to get root haha… Apparently the first thing I tried was actually the right thing, but it didn’t work because of that… oh well. Things like this happen. That’s why it’s important to keep notes - otherwise I would have forgotten why I thought that that wasn’t the case, and I wouldn’t have tried it again after I learned about the bug.
Anyway, feel free to PM me.

Guys, I found my problem thanks to @lackofgravitas. I used hashcat with the --force option in my VM, this gave me a wrong password. So me thinking I have the correct passwords I tried to wordlist the username. This is not needed!
TIL: don’t run hashcat with --force in a VM :smiley:

@UCLogical said:

Guys, I found my problem thanks to @lackofgravitas. I used hashcat with the --force option in my VM, this gave me a wrong password. So me thinking I have the correct passwords I tried to enum the username. This is not needed!
TIL: don’t run hashcat with --force in a VM :smiley:

I’m having the same issue. hashcat with vmware --force is giving me an incorrect password. john did the same. Using rockyou.txt

That’s interesting. My VM runs in Virtualbox and that’s fine using the --force option. I wonder if there’s some kind of bug?

Where’s a good list of these enumeration basics everyone keeps talking about? This is what I currently use as reference:
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf#h.9htblqaresn8
https://guif.re/windowseop

I see the process everyone is talking about for root, but do you normally just start messing with processes like this on normal pentests? How can I know what files that process uses, because it sounds like whatever root needs is in memory or on disk?

Quick question for anyone who has the time:

Am I meant to be able to successfully login/authenticate to the wm service using the hd account? Or, am I meant to do password guessing against the users obtained from l******d.py ? Any help is appreciated

@StevenKennyIT said:
Quick question for anyone who has the time:

Am I meant to be able to successfully login/authenticate to the wm service using the hd account? Or, am I meant to do password guessing against the users obtained from l******d.py ? Any help is appreciated

If you’re using metasploit, the winrm modules don’t work with the correct creds while the previously mentioned ruby scripts do work for it (like the shell version from alionder.net)

You’ll need to crack all three passwords and try the users from l*******d.py with those passwords

Edit: got it

Do you need to brute force the profile password after getting user?

@StevenKennyIT said:

Quick question for anyone who has the time:

Am I meant to be able to successfully login/authenticate to the wm service using the hd account? Or, am I meant to do password guessing against the users obtained from l******d.py ? Any help is appreciated

To help you, there is a module in metasploit which lets you test usernames-passwords on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see what and how many combinations are correct.
PS: That module does not let you log in, but finds the right combination

Complicating the root process myself. Just keep enumerating, there’s no need to do it in a fancy way. PM me for hints.

Finally rooted and user’d
Thanks, @MinatoTW for such an amazing experience, that’s my second box, and it was really fun and kinda hard for me.
Thanks to @jorgectf for his time and hints he provided