Heist

Finally rooted! It took a couple of days, but was well worth the research. Plenty of hints in this thread to help anyone along! Thanks for the box, @MinatoTW I really enjoyed this one!

Can somebody PM me a hint for the priv esc? Trying to use pd.e**, can’t get any output though. Nvm, try to use more powerful

@nwn00b said:

@MichiS97 said:

@Nt3c said:

Hey! Need some help, I am unable to download the .dump file, tried some compression but it is always bigger than 100Mb. My download fails after downloading 4Mb with a dup ack (and it takes like 10 min to download that 4Mb). I am using El_W*m to download and upload stuff.

Is there any way to get root without downloading the file? Already tried some ps like Select-String - -Pattern, but I’m not going anywhere…

thanks in advance

I’m in the same position. Can anyone give us a nudge? I tried dumping the animal processes with a popular PS script and a popular application (pr****mp.exe) but I can’t find any interesting strings.

There is a similar thing that you use in your kali box (to analyze) for pS. Use that, it works perfectly, no need to download the file.

rooted, thanks for the hints

I am already stuck at enumerating those users :frowning:
Impacket doesn’t bring me further with Access Denied

Edit: owned user

Rooted. This was a pretty hard challenge to do if you are not used to enum and to password match. Also the E***-W*** is a piece of… that made it way harder for me.

If you get stuck feel free to PM me

anyone got a hint for the dump? File is way too big to scroll through <---- git gut scrub, should read more

Command: smbclient -L //10.10.10.149 -U H*****

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 – no workgroup available

Can anybody help me??

@prutz said:

anyone got a hint for the dump? File is way too big to scroll through <---- git gut scrub, should read more

Be sure you have the right dump and look for grep alternatives

@pagal said:
Command: smbclient -L //10.10.10.149 -U H*****

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.149 failed (Error NT_STATUS_IO_TIMEOUT)
Failed to connect with SMB1 – no workgroup available

Can anybody help me??

Check your parameters…

I have got all of the users and cracked all of the passwords, I can connect via smbclient in linux but not on w**** using PS. I think I should be able to connect in PS with E****-PS******* using user C**** and password Q**************, is this not correct?

Credentials are correct, attempt is good, the tool may not be proper. I tried two different ruby scripts and both of them did their job correctly.

Can someone please PM me with some help on user? I believe I have done everything mentioned in the forum and still no luck:

  • I have cracked all 3 passwords from ***.
  • I have the usernames from that same file, plus another 1 or 2 from the place that brought me to that file
  • None of those credentials work with the common port using the common client and none work with l*******d.**
  • None of those credentials work with the higher port (using the snakey library)

I feel like something is wrong with the common port as I can’t even run e4*x on it.
What am I doing wrong???

thanks @meangreen for your help on this! not sure why one method worked over the other…but it did!

Got Root!.. Thank you @bertalting … Check those processes…

Getting root turned out to be easier than getting user - the answer was right in front of me, but I thought it was wrong. Also got to experiment with some ruby scripts, thanks for the machine!

Can someone please PM me with some help on user?? I have the 3 passwords and the 2 users. All the wordlists I use can’t decrypt the type 5 hash and I can’t authenticate myself on smb using these findings.

@MrB33n said:

Can someone please PM me with some help on user?? I have the 3 passwords and the 2 users. All the wordlists I use can’t decrypt the type 5 hash and I can’t authenticate myself on smb using these findings.

The passes are right, Search for more users in Port 80

Can anyone help with Heist? From where to begin, any hints, walkthrough would be helpful.

Please contact me via telegram - @CarlosLiu

@bertalting said:

@MrB33n said:

Can someone please PM me with some help on user?? I have the 3 passwords and the 2 users. All the wordlists I use can’t decrypt the type 5 hash and I can’t authenticate myself on smb using these findings.

The passes are right, Search for more users in Port 80

I tried H***** too sorry… I think I haven’t cracked the good type 5 hash… Thkz

I’m getting the following error when running the evil script, tried all combinations of user/pass… any help anyone?

"Error: Can’t establish connection. Check connection params

Error: Exiting with code 1"