Heist

I have user. I may need a bit of a push on what I am supposed to do for root. I’m looking through services and I think I understand what other comments are saying. Just still not sure exactly what it is I need to do with that info.

Could I get someone to sanity check what I am doing? I am not sure whether or not I am suffering from tunnel vision.

@DameDrewby said:

@Dreadless said:

Stupid question, but do I need to be cracking the $1$? I have decrypted the other 2 passwords but can’t seem to crack the other!

Yes

I am struggling to find a way to crack the $1$ password. Any hint on how to do it?

Spoiler Removed

@C3PJoe said:

I tried e***-w**** and the ruby script. E***-W**** doesn’t work per other comments and the ruby script throws a boatload of errors. Can someone help?

Acknowledge that Ruby clients are not reliable here; for me they never worked (either software I found online, evil-, w etc.).

Tried a bunch of manipulations, played with timeouts, transport specifications - the service just returns a 500 error (not the MSF case, communication is encrypted) and that’s it…

In that case I suggest you fall back to the native client (the one the vendor intends to be used). That worked for me.

P.S. im**** loo*****d doesn’t work for me either - it throws a NetBIOS timeout error… I do not see any place in the code to mitigate this; it looks like dependency behavior.
Instead of that, I suggest you use another fuzzer (pat****r) - it works like a charm for all enumeration phases with this box.

Thanks @dee33 !

@geLecram said:

FOR USER: As of this date, a certain impacket tool is broken. Had to hunt down the correct script.

https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py

Always throws “timed out” for me

@Saranraja said:

Someone ping me, I need help for root.
Edited: No one ping me, Heist rooted on my own way. Ping me, I am always ready to help you.
It is a really really funny box xD

Congratulations Bro

@OscarAkaElvis said:

Hi, I saw some people asking for a tool to connect to W***m. Ok I can recommend this tool on which I’m collaborating.

Easy to install via git clone or via gem install (this is even easier). Everything needed is in the documentation in the README file: GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting

Hope it helps!

Thank you for your tool! This is great stuff!

@Noxious said:

@geLecram said:

FOR USER: As of this date, a certain impacket tool is broken. Had to hunt down the correct script.

https://github.com/SecureAuthCorp/impacket/blob/master/examples/lookupsid.py

Always throws “timed out” for me

You may have to install the entire repository to ensure that all the requirements are available for that tool. Make sure you follow the README install instructions.

Spoiler Removed

Finally rooted!

Thanks to those who helped.

Hint for root : process is the key!

Managed to get system, finally!
For system you’ll need to examine a certain process.

Can someone help me with root? I am so close but this machine is killing me.

Edit: Rooted. Pr****mp.**e was right but that’s all you needed. Man, I love string cheese.

Stuck on root, trying to manage the k**y4.*b, but I think it’s a rabbit hole. Any hint?

@ivnnn1 said:

Stuck on root, trying to manage the k**y4.*b, but I think it’s a rabbit hole. Any hint?

Ditto, stuck on root, can’t seem to see the process?

Hello UCLogical,

What password dictionary are you using for those three passwords? I have decrypted two, but the other I could not.

@athick31
@marlasthemage left a really solid hint for this a few pages back in this thread…

@ori0nx3 … thank you, got it

Could someone DM me with a nudge towards root? Connected as the user, looking at f****** processes.