@Ljugtomten it is working on my local Windows VM, but does not work on HTB.
EDIT: tried different payloads locally (payloads are bypassing Defender + keeping it simple); all of them are working on the local VM, but none of them on HTB. ;(
EDIT2: managed to leak something (so the basic concept should work), but it seems to be of no use.
Can someone please write me a PM to get a hint about the initial foothold? I am sure I know what to do, but I did not get it to work on the machine. In my lab everything works fine. Thank you in advance.
Can someone help me with initial malware drop?
I think I obfuscated all the scary words in the script, then clippy-added the script to the doc, but something is still blocking the malicious stuff. I can send you the VBA and the clippy command in a PM.
EDIT: so VBA is not needed. I thought it accepted all types of docs and decided to practice with Word… The blog post tells you what type of document you should try; this dropbox is meant to be a testing environment to improve security against this kind of malicious file.
Hi, how do I read root.txt? I am WORKGROUP\SYSTEM (nt authority\system).
cat root.txt
PS C:\Users\Administrator\Desktop > cat root.txt
cat : Access to the path ‘C:\Users\Administrator\Desktop\root.txt’ is denied.
At line:1 char:1
I’ve had User for a week or two, so I can reproduce the user shell in 2 minutes quite easily. But I’ve just now tried it several times, and can’t get my shell. I’ve reset the box twice.
Edit:
Finally got Root. Couldn’t have done it without help from @dontknow
Hints:
User:
Don’t worry too much about “obfuscation”. Think about what Windows services you can use to get your shell.
Root:
I don’t even know how to give hints for it. It was really rough for me. Keep your web server open, don’t be afraid of multiple shells. Look at what’s on the system and potential vulnerabilities. PrivEsc is “multiple stages” on this one.
Finally did the privesc. Disregard my earlier comment about whether the machine was patched or not; that was a confusion. I got stuck in one part and it was a guessing thing.
Privesc was really a PITA, and there is a rabbit hole at the end… let’s say there are a lot of hashes in this box and only one is useful. Well, it was a very fun machine, congrats to the creator.
Is there a teacher who can help me? In the initial shell, I use guest to access the malware dropbox directory, which disappears a few seconds after uploading the file. And I can’t verify code execution by uploading ODS and ODT files. I use:
Sub Main
Shell("start http://...")
End Sub
Is there a problem? Asking for hints.
The user part was unstable for me and sometimes frustrating. About the root, I couldn’t make it work following @CHUCHO’s hint; I used another way of my own to finally pwn the box. I was stuck between user and root, so I have to thank @davidlightman for pointing me in the right direction.
Did anyone experience issues with payload exec in the user part? Local tests are good, but when I go live I can’t get any response from the service. I asked someone who rooted the box to review my steps and it seems that everything is correct… It just doesn’t work.
EDIT: it seems that the version of the software used makes a difference; it works well with Kali.