Heist

Really enjoyed this box. Privesc was very cool. Thank you!
PM if you need a nudge.

Finally Rooted! (Thanks to @Angel235 )

User: enumerate, enumerate, enumerate. Check all open ports.
Root: Look at the running processes and look for a process that must be running as the user (maybe you are using it right now :slight_smile: )

Just rooted! I think this box was great and quite refreshing after the last two I did. Thank you @MinatoTW!

When I started the box I quickly found the hashes, and cracked them within 15-20 minutes. I like to check Windows creds using CrME***. After they didn’t check out, I quickly realized there was another user I didn’t check. I checked that user and bingo! At that point I assumed it was a matter of opening a shell and I would have user a minute later. Nope!

I’m very much a *nix power user, and have been one for 20+ years. My Windows skills are just so-so. The next steps to get user really taught me more about some Windows enumeration and a certain service. Very much appreciated!

I also learned about a possible attack path in exploiting the “intended”* way to get root. Very cool!

  • I was late to the party so the “unintended” ways, one of which I had found, had already been shutdown by the time I arrived.

Anyway, as always, feel free to DM me if you need some assistance.

Glad you enjoyed!

Got User, enumerating is the key.

Stuck on Root, can’t wrap my head around it.

Any help is appreciated.

For root, is k***.db the right path? It’s locked with a password and i’m wondering if I should waste any more time on it…

@deltacmd said:

Got User, enumerating is the key.

Stuck on Root, can’t wrap my head around it.

Any help is appreciated.

Me too :frowning:

@rusty73 said:

Me too :frowning:

Forget it :smiley:. Rooted

I found credentials which let me connect, but then I get disconnected with this message:

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 – no workgroup available

Very frustrating, can anyone please help me? I can tell you everything I’ve done.

Read the information from the scan you did for open ports again; it is very detailed. This will give you the answer.


@OscarAkaElvis said:

I’ve read here sometimes that people are having problems connecting using Evil-WinRM. Believe me, Evil-WinRM is written in Ruby and it works like a charm on this machine. It needs only the right user and password combination. If it is not working, it is because you are not using the right user and password combination, that’s all. Beware of the symbol $ if you need to pass it as a parameter. Single quotes instead of double quotes are a good idea to avoid bash variable expansion.

What’s the path to the type 5 username? unable to find it!

Not sure what I did wrong for root but… when I grabbed the things, I either had nothing useful, or using the full option I got back far too much information (436 MB) that took a while to parse through.

I originally rooted the box by cracking the hash but are there any clues on the “correct” way to solve this box ?

I need help with this… I’ve got 2 passwords, couldn’t crack the third one …

@SaMuTa said:

I need help with this… I’ve got 2 passwords, couldn’t crack the third one …

use hashcat to decrypt

@AshenOne said:

use hashcat to decrypt

it’s taking too long to decrypt

@SaMuTa said:

it’s taking too long to decrypt

Maybe you’re using the wrong wordlist. The one I used rocks pretty hard and cracked it immediately.
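The posts above talk about the “type 5” hash and about handing the uncracked one to hashcat with the right wordlist. Cisco configs store credentials in several formats, and only some of them need cracking at all: type 7 is a reversible XOR obfuscation with a fixed key, while type 5 is md5-crypt and has to go to hashcat mode 500. The script below is an added example, not code from this thread or from the box; it goes slightly beyond the thread by also handling type 7, which the posts do not name. The sample config, the type 5 placeholder value (correct shape, not a real hash) and the wordlist path `rockyou.txt` are assumptions constructed for the example; the first type 7 value is Cisco's widely published documentation example that decodes to “cisco”.

```python
import re

# Cisco's fixed key for type 7 ("service password-encryption") strings.
# Type 7 is obfuscation, not hashing: the stored value is a two-digit decimal
# offset into this key followed by the password bytes XORed with the key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Type 5 is md5-crypt: $1$<salt>$<22 base64 chars>. Not reversible; hashcat -m 500.
_TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Matches 'enable secret 5 ...', 'username X password 7 ...' and
# 'username X privilege 15 secret 5 ...' style lines.
_CRED_LINE_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)"
    r"\s+(?:secret|password)\s+(?P<type>\d+)\s+(?P<value>\S+)\s*$"
)


def decode_type7(enc: str) -> str:
    """Reverse a Cisco type 7 string; raises ValueError on malformed input."""
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError(f"not a type 7 string: {enc!r}")
    offset = int(enc[:2], 10)          # decimal offset 00..15 into the key
    if offset > 15:
        raise ValueError(f"bad type 7 offset: {enc[:2]}")
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 0) -> str:
    """Produce a type 7 string; handy for building inputs that exercise the decoder."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{offset:02d}{enc.hex().upper()}"


def triage(config_text: str) -> list[dict]:
    """Walk a config: recover type 7 values inline, route type 5 values to hashcat."""
    findings = []
    for line in config_text.splitlines():
        m = _CRED_LINE_RE.match(line)
        if not m:
            continue
        entry = {"user": m["user"] or "enable", "type": int(m["type"]), "value": m["value"]}
        if entry["type"] == 7:
            entry["plaintext"] = decode_type7(m["value"])
            entry["action"] = "recovered offline, no cracking needed"
        elif entry["type"] == 5 and _TYPE5_RE.match(m["value"]):
            entry["hashcat_mode"] = 500
            # Wordlist path is an assumption; hashcat itself is not invoked here.
            entry["action"] = f"hashcat -m 500 -a 0 '{m['value']}' rockyou.txt"
        else:
            entry["action"] = "unsupported or malformed; inspect by hand"
        findings.append(entry)
    return findings


# Constructed sample config (not the box's config). The type 5 value is a
# placeholder of the right shape, not a real hash. The first type 7 value is
# Cisco's documentation example ("cisco"); the second encodes "s3cr3t" at offset 3.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
enable secret 5 $1$abcd$AAAAAAAAAAAAAAAAAAAAAA
username cisco password 7 0822455D0A16
username admin privilege 15 password 7 03170808145C35
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_CONFIG):
        print(finding)
```

Run it against a config dump and you get the type 7 values back immediately; only the type 5 entries ever touch hashcat, which is the one case in this thread where the wordlist choice matters.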

After taking a step back, finally rooted it the intended way! Great new technique for my Windows Fu! Need to dig deeper on that one, wonder where else it might be applied and its limitations.

Need a nudge? PM me.

Thanks @MinatoTW for the killer box !

@D8ll0 said:

Rooted

I NEED TO UNDERSTAND TWO THINGS:

  • Where the ■■■■ did you get the username C**e from? Has it been mentioned somewhere on the website? If someone knows, please tell me.

The root flag was much easier than the user flag.

You get the username C***e by using a tool/script to enumerate “something” on the server.