Heist

Rooted. Was a fun box, pretty quick, just gotta make sure you enum :slight_smile:

Rooted my first ‘Active’ Box! Spent the whole weekend on it… but learned a ton on the way. Props to the creator, and all the help from your comments!

User:

  1. You can easily get a few users and passwords, make sure you crack them all (one of them can be a little tricky, google helped me get there)

  2. Check out impacket and its user enumeration capabilities!

  3. gaining access required investigating my nmap output, and getting access through a service I hadn’t used before, which was cool!
    ** The Metasploit module for actually gaining access through this service did not work for me
    ** I had to search on Github for an alternative. Check out previous comments and you should figure it out.

Administrator:

  1. I had a tough time on this. A lot of the comments talked about an odd process running. I eventually figured it out, but I missed it because this process didn’t seem odd to me.

  2. Dumps + grep/strings got me what I needed.

*I recommend making a user.txt and pass.txt. Fill those in with the creds you find along the way! Throw them into Metasploit Auxiliary modules whenever you find a new user or password, see what you can login to!

Hi buddies,

This is my first box and I’m completely stuck. I get the passwords stored in files but don’t understand how I can perform this box.

Could someone give me some advice?

thx

Holy cow, I’m an idiot. Just got root. The process route is the “right” way to go and know your tools. Know your tools. Know your tools. Read the manuals. DM me for a nudge

Hey! Need some help, I am unable to download the .dump file; tried some compression but it is always bigger than 100MB. My download fails after downloading 4MB with a dup ack (and it takes like 10 min to download that 4MB). I am using El_W*m to download and upload stuff.

Is there any way to get root without downloading the file? Already tried some PS like Select-String -Pattern, but I’m not going anywhere…

thanks in advance

Rooted using PS internals :slight_smile:

@Nt3c said:

Hey! Need some help, I am unable to download the .dump file; tried some compression but it is always bigger than 100MB. My download fails after downloading 4MB with a dup ack (and it takes like 10 min to download that 4MB). I am using El_W*m to download and upload stuff.

Is there any way to get root without downloading the file? Already tried some PS like Select-String -Pattern, but I’m not going anywhere…

thanks in advance

I’m in the same position. Can anyone give us a nudge? I tried dumping the animal processes with a popular PS script and a popular application (pr****mp.exe) but I can’t find any interesting strings.

@MichiS97 said:

I’m in the same position. Can anyone give us a nudge? I tried dumping the animal processes with a popular PS script and a popular application (pr****mp.exe) but I can’t find any interesting strings.

There is a similar thing that you use in your Kali box (to analyze) for PS. Use that; it works perfectly, no need to download the file.

Finally rooted! It took a couple of days, but was well worth the research. Plenty of hints in this thread to help anyone along! Thanks for the box, @MinatoTW I really enjoyed this one!

Can somebody PM me a hint for the priv esc, trying to use pd.e** can’t get any output though. Nvm, try to use more powerful

@nwn00b said:

There is a similar thing that you use in your Kali box (to analyze) for PS. Use that; it works perfectly, no need to download the file.

rooted, thanks for the hints

I am already stuck at enumerating those users :frowning:
Impacket doesn’t bring me further with Access Denied

Edit: owned user

Rooted. This was a pretty hard challenge to do if you are not used to enum and to password match. Also the E***-W*** is a piece of… that made it way harder for me.

If you get stuck feel free to PM me

Anyone got a hint for the dump? File is way too big to scroll through <---- git gut scrub, should read more

Command: smbclient -L //10.10.10.149 -U H*****

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 – no workgroup available

Can anybody help me??

@prutz said:

Anyone got a hint for the dump? File is way too big to scroll through <---- git gut scrub, should read more

Be sure you have the right dump and look for grep alternatives

@pagal said:
Command: smbclient -L //10.10.10.149 -U H*****

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 – no workgroup available

Can anybody help me??

Check your parameters…

I have got all of the users and cracked all of the passwords, I can connect via smbclient in linux but not on w**** using PS. I think I should be able to connect in PS with E****-PS******* using user C**** and password Q**************, is this not correct?

Credentials are correct, attempt is good, the tool may not be proper. I tried two different ruby scripts and both of them did their job correctly.

Can someone please PM me with some help on user? I believe I have done everything mentioned in the forum and still no luck:

  • I have cracked all 3 passwords from ***.
  • I have the usernames from that same file, plus another 1 or 2 from the place that brought me to that file
  • None of those credentials work with the common port using the common client and none work with l*******d.**
  • None of those credentials work with the higher port (using the snakey library)

I feel like something is wrong with the common port as I can’t even run e4*x on it.
What am I doing wrong???