Heist

Very new to Windows, got user but completely lost on root, would love a PM from someone

removed

thanks for the machine. It was nice. :slight_smile:

I have gotten a list of the usernames from the SD workgroup, I have the h** and c**** passwords verified using a connection to the shares. I know this forum said use a Ruby script to connect to the RPC. I think I am using the wrong one because I absolutely can’t get it to work. Could someone tell me the author of the script as a hint?

Hang on… got one hit off of C username with metasploit module w****_****n

Stuck on root… I’d really appreciate it if someone could PM me and give some hints on how to get root… I read all the previous comments, but they mean nothing to me. I am an absolute n00b in Windows env. Thanks!

edit: Rooted. I have no idea how I did it :smiley:

Windows boxes are still a weakness of mine, but I did learn a few new tricks on this, so thanks to @MinatoTW for a good box to learn from.

So, my hints.

USER

  • Passwords aplenty! There is a nice Python script available specifically for decoding one type of password, while JTR or hashcat can be used for the other.
  • An impacket script can be used to find more people.
  • The suggested “evil” script can be used, but there are other options (MSF) to give you access.

ROOT
As I was late to the game, I will be focusing on the supposed intended path.

  • Monitor the processes. One of them implies that the owner left his b****er window open.
  • “Stig of the ****” that process. Make sure to use the right settings.
  • Get a good “grep” to find your access.

PM me here or on Discord (not the HTB site) for further hints. Don’t forget to tell me your progress to avoid spoilers! (“Can I get a hint on user/root” is not progress!!)

I’m pretty much stuck :/, I’ve gotten 3 creds but I can’t find anywhere to use them, I’ve tried using evil-w**** and smbclient but I haven’t gotten anywhere. Could someone PM me and give me a nudge please?

@Expanding said:

I’m pretty much stuck :/, I’ve gotten 3 creds but I can’t find anywhere to use them, I’ve tried using evil-w**** and smbclient but I haven’t gotten anywhere. Could someone PM me and give me a nudge please?

The 3 passwords and creds you have should be enough to get more usernames. Remember users like to reuse passwords a lot… so if you can find a 4th username try all the passwords you have, then begin the enumeration phase again. Remember all your enum tools for Linux, and you should be able to find more… :wink:

■■■ I’m a total NOOB… so used to Linux, had no clue what I was doing after I ran E***_****M. Didn’t even notice it opened me into a PS c>… User done. Now for root!

Spoiler Removed

Rooted, thx @crankyyash! Follow his comment, it’s the most detailed hint to do this box.

Ok, someone has closed Fx services and the machine cannot be reset.
I’m stuck with the root.
I’m using internal p
*p to dump service. How to read inside the file?

Ok, finally rooted.
User is very simple if you guess the user.
Root is hard without forum hints.

Rooted (finally). Interesting box, user was harder than root as my enumeration skills aren’t grand. My priv escalation skills also need a little work, but this was a nice introduction.

Enjoyed this box a lot and learnt a few things. Thanks.

Hello all, looking for a nudge. Got 3 creds, and cracked that. But not how to enum for users. Used Impacket, Metasploit, and enum4linux. No luck, maybe the box needs to be reset?

Nevermind, found the missing creds. LOL

I fight with users password, s****,C****,J*****
Found valid

I was finally able to root this machine. Big thanks to @jorgectf for his help! If anyone needs a nudge PM.

Found something else on this box. Not related to user and root btw. Was it intended to be there? I’m not yet able to get user but hmmmm :-/ @MinatoTW bro can you check DM?