Bankrobber

@maxmuxammil said:

Bankrobber - just starting the Discussion so that everybody can tell their story!

I am just starting the Bankrobber machine … is there any hint that I can get…

@ue4dai said:

@j3wker said:

Does anyone have any hints for user?
Enumerated a bit and found the user and password are getting base64 encoded, while you have the ability to send money and you already know your ID - this way you could send money to users and confirm if they exist, but I’m not sure about that - a hint would be nice - so I thought of ID hopping and getting information this way

Not sure about anything yet

I am also still working on getting a foothold on user. I too have noted how id can be enumerated given how authentication is performed in user pages. After much busting’n’fuzzing I am not (yet?) seeing how admin pages can be accessed and given one of the js files would seem to be necessary for host user foothold. (Hope not too vague but not spoiler here.)

I am new to this machine… I am unable to find the way for the user… what should I do, pls help me

Rooted! Thanks @Gioo and @Cneeliz.
Thanks for the help to @CHUCHO , @q1Z and @AzAxIaL .

Spoiler Removed

This is such a time-suck. The “user” simulation is flaky and scripts may or may not get executed - but either way, it takes too long. More value in watching Ippsec use the same techniques on previous boxes.

Is anyone actively working on this box?
I would like to discuss the approach for user-shell.

Hi, I am stuck with initial foothold. Need some guidance.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

@Albatar101 said:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

Did you do it on VIP or free server?
I’m currently at the doors of userland, and I’m pretty sure I’m on the right path but it looks like commands keep being rejected.
Can you DM me for a sanity check?

Edit: never mind, box was buggy. Reboot did it

@Albatar101 said:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

How to download b***v2.exe? But I don’t have read permission ~ DMP file directory can’t read. Can you be a little more specific?

Sometimes when you just can’t get a file you have to deal with it in another way :)

Anyone willing to give me a nudge? I have creds and believe I know where to go next but struggling to get the initial shell to pop.

anyone out there? lol

Hi all, can anyone help me to exploit initial foothold? My exploit is not performed at all. PM me, please

Thanks for the box @Gioo !
Really liked user part and learned quite a lot. Root is good but not being able to restart the app is not so good. Anyways: Cool! Cool! Cool!

For root don’t put too many chars once you got the idea

I really enjoyed the idea of this box but the implementation seemed buggy. I learned a lot from user on this box, root not so much. I had to reset the box twice on that last step as I managed to get into a state where it no longer responds. Waiting for that timer’s first tick after a reset is something I never want to have to do again.

@jimmypw said:

I really enjoyed the idea of this box but the implementation seemed buggy. I learned a lot from user on this box, root not so much. I had to reset the box twice on that last step as I managed to get into a state where it no longer responds. Waiting for that timer’s first tick after a reset is something I never want to have to do again.

100% quoted

I don’t understand this machine. I have sent the same payload like 20 times and got 4 responses 3 minutes later… This does not make any sense!
How should I be able to get RCE without knowing which payload succeeded, because of the delay?

Edit: It works now. Still sort of unreliable, but some minor changes to the payload made it more stable.
Got user! Now onto root! :)

Edit2: Got root. This was way too easy! Not an easy machine, but definitely not insane.

Just completed. I have this bad feeling that it took me way more time than it should. I got stuck a few times in places I should not. Mostly due to my stupid mistakes and sloppiness. This is another lesson that we should always stay humble and very watchful.
Overall the user part was IMHO basically great. Absolutely MUST DO for every pentester and red teamer. I really enjoyed this part. Kudos to the authors! I will rate the box as 5 just for this part.
Root not so much enjoyable, but well … let’s leave it.

There are enough hints in this thread so I will just give some general advice for this box. Do not hesitate using again what you already did use in the past. Keeping this in mind will help you a lot.

Many thanks to @Chr0x6eOs and @AzAxIaL for giving me a hand.

Any hint for initial foothold?
Already enumerated with dirb, registered as a normal user, but no way on what to do now…

pls help