User: enumerate application and fuzze the forms. You will find some useful things. Capture creds and then try to modify the attack and get more softistcations to get a shell
Root: Enumerate as usual and try to exploit the bank.
My first insane box, and it did drive me a little crazy at times, but I am glad to finally have this rooted. Massive thanks to @HAL9000B for helping me get user, and @Moindjaro for giving me the hint needed for root. Also, thanks to @Gioo and @Cneeliz for a good learning experience.
Now for my hints. INITIAL FOOTHOLD
Focus on Sesame Street’s compulsive eater to get started.
Being a little “excessive” will give you more privileges.
USER
Use what the higher privilege has available, but remember to be a bit more excessive and place what you need to give you more direct access.
Sometimes those one-liners come in handy.
ROOT
Open your ears to “marathon participants”.
It’s best to move “forward” and work from “home”.
■■■■, my keys are sticking. Keeps printing out long lines of text…
Use your initial way in to open another door.
If there are any spoilers here, please let me know, and I’ll revise my hints.
As always, PM here on the forum or on Discord for help (Not the HTB site!!). Tell me your progress so I can avoid spoilers (“Can I get a hint/nudge on Bankrobber” is not progress and is too vague!).
Anyone has any hints for user ?
Enumerated a bit a found the user and password are getting base64 ecnoded while you have the ability to send money and you already know your ID - this way you could send money to users and confirm if they are existed but im not sure about that - an hint would be nice - So i thought of ID hopping and getting information this way
Not sure about anything yet
I am also still working on getting a foothold on user. I too have noted how id can be enumerated given how authentication is performed in user pages. After much busting’n’fuzzing I am not (yet?) seeing how admin pages can be accessed and given one of the js files would seem to be necessary for host user foothold. (Hope not too vague but not spoiler here.)
i am new in this machine… i am unable to find the way for the user… what should i do pls help me
This is such a time-suck. The “user” simulation is flaky and scripts may or may not get executed - but either way, it takes too long. More value in watching Ippsec use the same techniques on previous boxes.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : BANKROBBER
OS : Windows 10 (10.0 Build 14393).
Architecture : x64
System Language : nl_NL
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
Thanks to @giovannispd & @Cneeliz , I’ve enjoyed priv esc
Did you do it on VIP or free server ?
I’m currently at the doors of userland, and I’m pretty sure I’m on the right path but it looks like commands keep being rejected.
Can you DM me for a sanity check ?
Thanks for the box @Gioo !
Really liked user part and learned quite a lot. Root is good but not being able to restart the app is not so good. Anyways: Cool! Cool! Cool!
For root don’t put too many chars once you got the idea