Heist

Comments

  • This is the easiest root privesc I've made. But I've not followed the usual path as most people to get it. So yeah there are 2 ways (at least) to get root.

  • Two unintended ways to root have been patched. Ones who did root just by cracking a hash or finding the password in a file, I urge you to try again!

    Hack The Box

    Don't let the box pwn you!!

  • I've user already since some days. Struggling with root. I guess I know which process here is talked about, but one of the files missing to get pwd out of it. But might be fully wrong. Hints appreciated :smile:

  • @ml19 said:

    I've user already since some days. Struggling with root. I guess I know which process here is talked about, but one of the files missing to get pwd out of it. But might be fully wrong. Hints appreciated :smile:

    Same here. Also found the hash. Wonder if there is some way to get into the context of the process. The good old m*********r doesn't seem to do the trick. Maybe some P********l magic?

    Hack The Box

    OSCP | CEH

  • I have the three passwords from the c*** file. When I try to enumerate the users with smbmap or over other tools I always receive access denied. I was trying every combination with ev-w and with metasploit without success but I was only guessing the usernames... Please give me a nudge.

  • edited August 2019

    Taught me that I clearly have no clue about Windows

    Hint for root: as said a lot, look at processes memory and don't waste time to look at files (all the things I saw in writeups are not there)

    florian1999

  • @ml19 said:

    I've user already since some days. Struggling with root. I guess I know which process here is talked about, but one of the files missing to get pwd out of it. But might be fully wrong. Hints appreciated :smile:

    Finally rooted. I assume there must be another way other than download something....

  • Very good and pretty easy machine
    Thank you

  • Really enjoyed this box. Privesc was very cool. Thank you!
    PM if you need a nudge.

  • edited August 2019

    Finally Rooted! (Thanks to @Angel235 )

    User: enumerate, enumerate, enumerate, Check all open ports.
    Root: Look at the running processes and look for a process that must be run by the user (maybe you are using it right now :) )

  • edited August 2019

    Just rooted! I think this box was great and quite refreshing after the last two I did. Thank you @MinatoTW!

    When I started the box I quickly found the hashes, and cracked them within 15-20 minutes. I like to check Windows creds using CrME***. After they didn't check out, I quickly realized there was another user I didn't check. I checked that user and bingo! At that point I assumed it was a matter of opening a shell and I would have user a minute later. Nope!

    I'm very much a *nix power user, and been one for 20+ years. My Windows skills are just so-so. The next steps to get user really taught me more about some Windows enumeration and a certain service. Very much appreciated!

    I also learned about a possible attack path in exploiting the "intended"* way to get root. Very cool!

    * I was late to the party so the "unintended" ways, one of which I had found, had already been shut down by the time I arrived.

    Anyway, as always, feel free to DM me if you need some assistance.

    zalpha
    OSCP | CISSP | CSSLP

    Respect always welcome if I can help you: https://www.hackthebox.eu/home/users/profile/140630

  • Glad you enjoyed!

    Hack The Box

    Don't let the box pwn you!!

  • Got User, enumerating is the key.

    Stuck on Root, can't wrap my head around it.

    Any help is appreciated.

  • edited August 2019

    For root, is k***.db the right path? It's locked with a password and I'm wondering if I should waste any more time on it...

  • @deltacmd said:

    Got User, enumerating is the key.

    Stuck on Root, can't wrap my head around it.

    Any help is appreciated.

    Me too :(

  • @rusty73 said:
    @deltacmd said:

    Got User, enumerating is the key.

    Stuck on Root, can't wrap my head around it.

    Any help is appreciated.

    Me too :(

    Forget it :D . Rooted

  • I found credentials which let me connect, but then I get disconnected with this message:

    Reconnecting with SMB1 for workgroup listing.
    do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
    Failed to connect with SMB1 -- no workgroup available

    Very frustrating, can anyone please help me? I can tell you everything I've done.

    Bowlslaw

  • edited August 2019

    Read the information on the scan you did for open ports again, very detailed. This will give you the answer

  • Spoiler Removed

  • @OscarAkaElvis said:

    I've read here sometimes that people are having problems connecting using Evil-WinRM. Believe me, Evil-WinRM is written in Ruby and it works like a charm on this machine. It needs only the right user and password combination. If it is not working, it is because you are not using the right user and password combination, that's all. Beware of the symbol $ if you need to pass it as a parameter. Single quotes instead of double quotes is a good idea to avoid bash vars expansion.

    What's the path to the type 5 username? Unable to find it!

  • Not sure what I did wrong for root but... when I grabbed the things, I either had nothing useful, or using the full option I got back far too much information (436 MB) that took a while to parse through.

    koredump
    If you PM, please include the steps you've already taken. Don't forget to hit the respect button!

  • I originally rooted the box by cracking the hash, but are there any clues on the "correct" way to solve this box?

  • I need help with this..... I've got 2 passwords, couldn't crack the third one ......

  • @SaMuTa said:

    I need help with this..... I've got 2 passwords, couldn't crack the third one ......

    Use hashcat to decrypt

  • @AshenOne said:

    @SaMuTa said:

    I need help with this..... I've got 2 passwords, couldn't crack the third one ......

    Use hashcat to decrypt

    It's taking too long to decrypt

  • @SaMuTa said:

    It's taking too long to decrypt

    Maybe you're using the wrong wordlist. The one I used rocks pretty hard and cracked it immediately.

    marlasthemage

  • After taking a step back, finally rooted it the intended way! Great new technique for my Windows Fu! Need to dig deeper on that one, wonder where else it might be applied and its limitations.

    Need a nudge PM me.

    Thanks @MinatoTW for the killer box !

    Hack The Box

    OSCP | CEH

  • @D8ll0 said:
    > Rooted
    >
    > I NEED TO UNDERSTAND TWO THINGS:
    >
    >
    >
    > * From where the hell you got the username C**e? Has it been mentioned somewhere in the website? If someone knows, please tell me.
    >
    > The root flag was much easier than user flag.

    You got the username C***e by using a tool/script to enumerate "something" on the server.

  • @Seepckoa said:

    The user part is not very complicated, you just have to find a way to match the passwords to a specific user that you have to search for yourself. The root is also easy, the file to**.txt will be a clue for you, to go further. :D

    Still can't see why/how.....

  • Quick (and probably stupid) question:

    I was playing around with the machine and was wondering if there's any point to have a reverse shell on it from the P****S**l session?

    I know user rights are the same but does it make things easier, like running commands, etc..?
