• @Davincible said:

    Having a lot of trouble getting the door. I know what I should do for user, but payload is in no way triggering. Been trying this for like two days, could anyone pls PM me

    no trigger for me, too. strange, others say here that we do not need obfuscation. maybe firewall is blocking connections to outside.

  • @an0n said:

    no trigger for me, too. strange, others say here that we do not need obfuscation. maybe firewall is blocking connections to outside.

    No FW is blocking, but perhaps something else?
    Try your payload on a separate Windows-VM and when it is OK there think about KISS :-)

  • edited October 2019

    @Ljugtomten it is working on local windows-vm, but does not work on htb.

    EDIT: tried different payloads locally (payloads are bypassing defender + keeping it simple), all of them are working on local vm, but none of them on htb. ;(

    EDIT2: managed to leak something (so the basic concept should work), but it seems to be unuseful.

    EDIT3: nvm, got it.

  • Can someone pls write me a pm got a hint about the initial foothold. I am sure I know what to do but I did not get it to work on the machine. In my lab everything works fine. Thank you in advance

  • edited October 2019

    Can someone help me with initial malware drop?
    I think I obfuscated all scary words in script, then clippy-added script to doc, but something is still blocking malicious stuff. I can send you vba and clippy command in PM
    EDIT: so vba not needed, I thought it accepts all types of docs, decided to practice with word... this blog post tells you what type of document you should try, this dropbox is meant to be a testing environment to improve security against this kind of malicious files.

  • hi. help root. do I need to use win***.exe this ?


    is there a flaw in the file? pro****_sam****.p**

  • @hanter said:

    hi. help root. do I need to use win***.exe this ?


    is there a flaw in the file? pro****_sam****.p**

    I'm also having troubles escalating privileges. I've received some help through PM, but I'm still a bit lost on what to do.

    Win*** doesn't even look like it's installed on the machine if you browse to the application directory.

    The line in the script appears to be commented out, like it wouldn't run anyways. It seems to call another P******** cmdlet to ZIP files.

  • hi, how to read root.txt. I am WORKGROUP\SYSTEM (nt authority\system).

    cat root.txt
    PS C:\Users\Administrator\Desktop > cat root.txt
    cat : Access to the path 'C:\Users\Administrator\Desktop\root.txt' is denied.
    At line:1 char:1

    + cat root.txt
    + ~~~~
        + CategoryInfo : PermissionDenied: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], Unauth
        + FullyQualifiedErrorId : GetContentReaderUnauthorizedAccesserror, Microsoft.PowerShell.Commands.GetContentCommand

  • Was this machine patched? Is there any way to see if it was or not?

    I'm trying to privesc and someone told me there's a vuln service to escalate to system, and there is not (or I can't see it)

    Is that the unintended? I was trying to privesc exploiting P****p but a guy hinted me the other way and I'm lost.

  • edited November 2019

    pretty wild privesc...real PITA

  • i have the hash for user c**. is it possible to crack it? (tried, but no success).

  • edited November 2019

    This box is super unstable or something.

    I've had User for a week or two, so I can reproduce the user shell in 2 minutes quite easily. But I've just now tried it several times, and can't get my shell. I've reset the box twice.

    Finally got Root. Couldn't have done it without help from @dontknow

    Don't worry too much about "obfuscation". Think about what Windows services you can use to get your shell.
    I don't even know how to give hints for it. It was really rough for me. Keep your web server open, don't be afraid of multiple shells. Look at what's on the system and potential vulnerabilities. PrivEsc is "multiple stages" on this one.

  • Finally did the privesc, disregard my comment before if the machine was patched or not, that was a confusion I've got stuck in a part and it was a guessing thing.

    Privesc was really a PITA, and there is a rabbit hole at the end...let's say there are a lot of hashes in this box, and only one is useful, well, it was a very fun machine, congrats to the creator.

  • Is there a teacher? Can you help me? In the initial shell, I use guest to access the malware? Dropbox directory, which disappears a few seconds after uploading the file. And I can't verify code execution by uploading ODS and ODT files. Use sub main
    Shell("start http://")
    End Sub
    Is there a problem? Asking for hints

  • Spoiler Removed

  • Finally !! that was tough...


  • @Ch0p1n said:

    Finally !! that was tough...

    The initial user needs help, and the uploaded SMB file disappears instantly. No response to uploading OT and OS files

  • Anybody here? Please help me.

  • Nice box overall,

    The user part was unstable for me and sometimes frustrating, about the root I couldn't make it work following @CHUCHO hint, I used another way from me* to finally pwn the box, I was stuck between user and root so I have to thank @davidlightman for addressing me to the right direction.

  • edited November 2019

    Did anyone experience issues with payload exec in user part? Local tests are good, but when I go live I can't get any response from the service. I asked someone who rooted the box to review my steps and it seems that everything is correct..... It just doesn't work :/

    EDIT: it seems that version of software used makes difference, works well with Kali

  • just 1 question: do i get instant hit if my payload has the right syntax or it has some scheduler every 10-20 mins? i am trying to get shell.

  • edited November 2019

    this one is driving me crazy. I have RCE, I can get it to communicate with me, but all reverse shell payloads or steps towards a reverse shell just fail...

    EDIT: Nevermind - don't assume there's only one way to accomplish a particular task!

    EDIT: Ha! And now that I'm in there and I can look around, it really makes sense why what i was doing originally wouldn't work...all I had to change was...

  • @baubau said:

    just 1 question: do i get instant hit if my payload has the right syntax or it has some scheduler every 10-20 mins? i am trying to get shell.

    No need to wait so long, it's almost instant

  • is there anyone to speak about the upstream processing to do privesc?


  • this box seems to crash or freeze up pretty easily...

  • Hi all,

    I am totally new to this site and to Pen Testing in general. I am trying to learn and have exhausted all the initial steps like nmap, dirbuster, smb enumeration, etc. Really struggling to move forward and find my way in to user. Can someone point me in the right direction? I am willing to do the hard work so I can increase my knowledge in the process.

    Thank you,

  • edited December 2019

    Just got user thanks to @tmogg, now to root.
    Edit: Rooted thanks to @v1p3r0u5
    User: Look around, you should spot your path pretty quick. Some reading and a touch of OSINT will help you bend the rules.
    Root: A real journey. Just enumerate at every step of the way. Once you've got to the top, try coming back down a different way.


    • GCIH | GCIA
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • edited December 2019

    Rooted! That was a wild ride. Learned a lot. Nice box @0xdf ! I'm probably going to have to go back through it again just to solidify everything in my mind. So many steps! :-D

    Special thanks to @v1p3r0u5 for always being open to helping... even if it's just to confirm what I'm doing so I know I'm on track.


  • Can whoever it is stop bringing the server to its knees? I'm sure zip-bombs are fun and all, if that's what you're doing, but we're at least three people on there right now and two of us are getting pissed off...