Heist

edit got it

Do you need to brute force the profile password after getting user?

@StevenKennyIT said:

Quick question for anyone who has the time:

Am I meant to be able to successfully login/authenticate to the wm service using the hd account? Or am I meant to do password guessing against the users obtained from l******d.py? Any help is appreciated.

To help you, there is a module in Metasploit which lets you test usernames and passwords on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see which and how many combinations are correct.
PS: That module does not let you log in, but finds the right combination.

Complicating the root process myself. Just keep enumerating, there’s no need to do it in a fancy way. PM me for hints.

Finally rooted and user’d
Thanks, @MinatoTW for such an amazing experience, that’s my second box, and it was really fun and kinda hard for me.
Thanks to @jorgectf for his time and hints he provided

@L1vra said:

@StevenKennyIT said:

Quick question for anyone who has the time:

Am I meant to be able to successfully login/authenticate to the wm service using the hd account? Or am I meant to do password guessing against the users obtained from l******d.py? Any help is appreciated.

To help you, there is a module in Metasploit which lets you test usernames and passwords on the remote system to see if you can log in. It also gives you the option to make a file of user-pass combinations and use it to test all of these and see which and how many combinations are correct.
PS: That module does not let you log in, but finds the right combination.

Thanks mate, this was the best advice received from many, thanks a ton. #Happyhacking :wink:

@Phase said:

@0x000c0ded said:

For user:
Does getting the right username require guessing? I found 4 usernames and 3 passwords, tried all the combinations and none worked. (on the higher port)
I’m trying to do a username brute force for now.

Check out a particular script from impacket that could help enumerate usernames…
lo*****d.p

Hi,

I want to use this script with a password I found in the attachment. There’s a “)” in the password and the script gives me errors. Any idea?

I’m stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

I like this box; great job author.

I’d say there’s a number of misleading hints in this thread leading to a rabbithole(s). Don’t rely on tips in here and figure it out on your own.

Hi,

I want to use this script with a password I found in the attachment. There’s a “)” in the password and the script gives me errors. Any idea?

If you want to use a value with a “)” or similar in it, enclose the value in quotation marks. E.g. “aaaa)aaaa”.

Thank you.

I’m honestly embarrassed about how long it took me to look in that directory to get root. Spent hours fumbling around nearby. But, I’m better with that interface and those search commands than I was.

Overall, it was a fun box. Now I’ve gotta go delete some things from my Windows box…

@bergi said:

I’m stuck at root, I tried to get the password from the k**4.d*. Can someone give me a nudge or dm me some hints?

Watch the processes, you will find something interesting.

@ivnnn1 said:

Stuck on cracking $1 pass, any hint?

Use hashcat and choose the format of the hash correctly.

Anyone online? I have 3 passwords… I can authenticate on 445 with a username and password… but can’t seem to use the winrm shell etc. to progress… even after using the ruby code. Any help appreciated.

@Seepckoa said:

Watch the processes, you will find something interesting.

I already tried but didn’t find anything, because I am not really sure what I am even looking for. :confused:

Rooted in a different way than the “process way”. Would be curious to hear how others did using the “process way”. Feel free to PM for discussion or nudges.

Banging my head against a wall with the l*****.*y tool. Cannot get it to return anything…

Disregard! Onto user!

Nice machine!

Some hints:
User: after getting the first user, use it to enumerate more users.
Root: where is user apps information stored in Windows?

Just to be clear, the “process way” is the real way. The other way is due to some idiot doing stupid stuff online.