RE

I am completely stuck on initial foothold. I read the blogs, I tried all the obfuscations, (I think) I know what to do, but no payload is ever getting triggered. I could really use some help or a review of what I am doing. Thanks for your time!

Finally got root. Thanks also to @v1p3r0u5 and @arnotic for the hints; I wouldn’t get root without you guys.
for USER: Read the blog, that’s all you want.
for ROOT: First step, try to understand the process and guess what’ll happen next. (After that it’s really difficult for me)

Got user! On to root. Thanks to anyone who patiently helped.

EASY USER FLAG!!!

I’m having a tough time with the foothold. Could I get a PM?

I’m aware of what I need to do, that much is clear, but I’m having issues with how to get a payload in. I don’t think it’s mail but I also can’t seem to connect the other way.

Any nudge would be appreciated

Edit: I’m stupid and got a start on what I needed. I guess I just need to try harder lol!

Could anyone who has done the initial user part take a look at my payload?
It triggers as intended and gives a shell on an identical machine; nothing happens on this one when I upload it to the correct place.

Finally rooted after almost a week. Thanks @0xdf

I found it an enjoyable machine and I learned lots from it; almost every step of the process was new to me as this is only my second Windows machine. Generally the whole process seemed quite realistic and at no point did I feel the machine was playing with me CTF style.

Also, thanks to @v1p3r0u5 for the nudge.

I just got user on this box, good experience working to create payloads manually and experimenting to see what works, on to privesc!

Finally rooted. Thanks to anyone who helped. Great box.

User is so frustrating lol!

Can anyone PM me and help make sure I’m sane? I know what to do - just not having a good time trying to find formatting that works - or a simple way to confirm what I’m doing gets to the other side as I want it to.

I’ve been trying to move from user to root for a while now but am still stuck in userland.
From what I’ve read, the intended path seems to not work as intended. Could anyone who did the intended path send me a DM with a nudge in the right direction?
I’ve tried some LPEs for this OS but they seem to require access to the GUI to work as intended…

Spoiler Removed

I am stuck on User: all my attempts to modify the o**.**s file to trigger a callback are failing. Any hint, please?

Having a lot of trouble getting the door. I know what I should do for user, but payload is in no way triggering. Been trying this for like two days, could anyone pls PM me

@Davincible said:

Having a lot of trouble getting the door. I know what I should do for user, but payload is in no way triggering. Been trying this for like two days, could anyone pls PM me

no trigger for me, too. strange, others say here that we do not need obfuscation. maybe firewall is blocking connections to outside.

@an0n said:

no trigger for me, too. strange, others say here that we do not need obfuscation. maybe firewall is blocking connections to outside.

No FW is blocking, but perhaps something else?
Try your payload on a separate Windows-VM and when it is OK there think about KISS :)

@Ljugtomten it is working on local windows-vm, but does not work on htb.

EDIT: tried different payloads locally (payloads are bypassing defender + keeping it simple), all of them are working on local vm, but none of them on htb. ;(

EDIT2: managed to leak something (so the basic concept should work), but it seems to be unuseful.

EDIT3: nvm, got it.

Can someone pls write me a pm got a hint about the initial foothold. I am sure I know what to do but I did not get it to work on the machine. In my lab everything works fine. Thank you in advance

Can someone help me with initial malware drop?
I think I obfuscated all scary words in the script, then clippy-added the script to the doc, but something is still blocking malicious stuff. I can send you the vba and clippy command in PM
EDIT: so vba is not needed. I thought it accepts all types of docs, decided to practice with word… this blog post tells you what type of document you should try, this dropbox is meant to be a testing environment to improve security against this kind of malicious files.

hi. help root. do I need to use win***.exe this?

and

is there a flaw in the file? pro****_sam****.p**