Control

Rooted this morning - root was very informative and i actually learned a new thing, new way to look for an exploit in windows systems, thanks @TRX

User was pretty easy - knew everything when i saw it, was nice though learned something on M–iaD-

Has anyone used P*****.v*** file while doing root? Any use of this file?

Yea user wasnt too bad, totally stuck after that though. Ran all most of the popular enum scripts not finding much. Not sure if its process, network or some files i need to find for next step.

Rooted! gotta say, learned a bunch from this one.
PM for hints
Thx @xsmile @MrR3boot

ALK

Type your comment

unstable for now… cant even scan. i ll look at it at midnight. :confused:

I too am compelled to say how fun getting user was. Now onto root

Rooted !!
Learned a lot in the root part
PM me if you need hint…
YaSsInE

Rooted, very interesting box. Thanks to @YaSsInE and @ALK for helping me work through the root.
Foothold: Look around the site carefully and poke at every hole. Seems to be a bit inconsistent, so try a few methods.
User: Try invoking something you likely found earlier to upgrade to user.
Root: Have a look at what H***** has been doing in PS before you arrived

current Control set

I’ve been unable to find any PS logs…
Maybe they were user-generated and gone after a reset?

Type your comment> @rholas said:

Type your comment> @clubby789 said:

Rooted, very interesting box. Thanks to @YaSsInE and @ALK for helping me work through the root.
Foothold: Look around the site carefully and poke at every hole. Seems to be a bit inconsistent, so try a few methods.
User: Try invoking something you likely found earlier to upgrade to user.
Root: Have a look at what H***** has been doing in PS before you arrived

Most useless root hint ever

Why do you say that? This hint helped me find what I was looking for!

I am trying to figure out this root. upgraded my shell and have dont alot of enumeration. Cant figure out a good bypass or ser**** to exploit. Please send a PM if you can get me on the right track :slight_smile:

what a nice box! thanks to @rholas and @YaSsInE and @TRX

TIL about all the possibilities and services that windows actually deliver…

Rooted, PM for help
Hack The Box

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Type your comment> @tang0 said:

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Thanks guys for the help. Got user. I was trying the wrong password. Now onto root.

Type your comment> @tang0 said:

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Same here, PM for help pls

finally got user, thanks to @rholas and @tang0

well root was a long painstaking journey for me but well worth it. the exploit technique in the end is very standard but requires a different way to enumerate than one may be accustomed too. thanks @TRX !