Bankrobber

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

@Albatar101 said:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

Did you do it on a VIP or free server?
I’m currently at the doors of userland, and I’m pretty sure I’m on the right path, but it looks like commands keep being rejected.
Can you DM me for a sanity check?

Edit: never mind, the box was buggy. A reboot did it.

@Albatar101 said:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : BANKROBBER
OS              : Windows 10 (10.0 Build 14393).
Architecture    : x64
System Language : nl_NL
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows

Thanks to @giovannispd & @Cneeliz, I’ve enjoyed priv esc :)

How to download b***v2.exe? I don’t have read permission; the DMP file directory can’t be read. Can you be a little more specific?

Sometimes when you just can’t get a file you have to deal with it in another way :)

Anyone willing to give me a nudge? I have creds and believe I know where to go next but struggling to get the initial shell to pop.

anyone out there? lol

Hi all, can anyone help me to exploit initial foothold? My exploit is not performed at all. PM me, please

Thanks for the box @Gioo !
Really liked user part and learned quite a lot. Root is good but not being able to restart the app is not so good. Anyways: Cool! Cool! Cool!

For root, don’t put too many chars once you’ve got the idea.

I really enjoyed the idea of this box but the implementation seemed buggy. I learned a lot from user on this box, root not so much. I had to reset the box twice on that last step as I managed to get into a state where it no longer responds. Waiting for that timer’s first tick after a reset is something I never want to have to do again.

@jimmypw said:

I really enjoyed the idea of this box but the implementation seemed buggy. I learned a lot from user on this box, root not so much. I had to reset the box twice on that last step as I managed to get into a state where it no longer responds. Waiting for that timer’s first tick after a reset is something I never want to have to do again.

100% quoted

I don’t understand this machine. I have sent the same payload like 20 times and got 4 responses 3 minutes later… This does not make any sense!
How should I be able to get RCE without knowing which payload succeeded, because of the delay?

Edit: It works now. Still sort of unreliable, but some minor changes to the payload made it more stable.
Got user! Now onto root! :)

Edit2: Got root. This was way too easy! Not an easy machine, but definitely not insane.

Just completed. I have this bad feeling that it took me way more time than it should have. I got stuck a few times in places I should not have. Mostly due to my stupid mistakes and sloppiness. This is another lesson that we should always stay humble and very watchful.
Overall the user part was IMHO basically great. Absolutely MUST DO for every pentester and red teamer. I really enjoyed this part. Kudos to the authors! I will rate the box as 5 just for this part.
Root not so much enjoyable, but well … let’s leave it.

There are enough hints in this thread, so I will just give general advice for this box. Do not hesitate to use again what you already used in the past. Keeping this in mind will help you a lot.

Many thanx to @Chr0x6eOs and @AzAxIaL for giving me a hand.

Any hint for initial foothold?
Already enumerated with dirb, registered as a normal user, but no idea what to do now…

pls help

@sniperhack said:

Any hint for initial foothold?
Already enumerated with dirb, registered as a normal user, but no idea what to do now…

pls help

Give OWASP a visit.

I liked this machine because it presented basic web and application vulnerabilities in one and required some python scripting to gain root access. I think it is a good box for teaching basic techniques. Thanks @Gioo & Cneeliz.

Key factor: search typical vulnerabilities and do not complicate the exploits

First stage: User access

First exploit: After login you can test the application. Test it with simple values and notice the response. Based on the response it is clear which type of exploit you should use. This is the typical example in case of this type of vulnerability. You can easily evade the only protection.

Second exploit: Use the output of your previous action. Now you have two potential vulnerabilities to exploit. Both of them are obvious. You can test the first one manually or using a well-known program but no need to move too deep. Just understand the exploit and use it to understand difficulties of exploiting the third vulnerability.

Third exploit: There is a two-level protection to limit your access through the third vulnerability. You can easily evade the first level but the second one seems to be difficult to bypass. Enumerate again - if it is needed - and find a “wrapper”. Use it to create a reverse shell and get the user hash.

Second stage: Root access

If you find the destination of your attack (it is an easy task) and you know how to communicate with it, you need to cope with a two-level protection again. You need to create a script to pass the first level and execute additional manual tests to pass the second level and get root access.

Speaking of the initial foothold, I get that this type of vuln is difficult to simulate, but a key metric for this type of challenge should be the following: can you distinguish between the failure of your payload and the failure of the server? I have spent too much time guessing which is which. We need more of these scenarios, so thank you to @Gioo & @Cneeliz for the attempt. IMHO, in these mock scenarios there should be some regularity, otherwise I spend more time waiting and guessing than learning.

Finally got through some commands. I can see what I need to do, and I have a command working on a mock system, but the initial foothold is so spotty I can’t tell if the problem is my request or one of the many times the box drops a request. This would be such a good box if it were reliable. I wish I could have back the time I used guessing whether a request was dropped or was wrong.

Highly recommend skipping this one. It is not difficult, just frustrating.

nvm.

Really enjoyed this box. I understand the frustration with the initial foothold but overall was a fun journey. Thanks!

For user:
Lots of helpful comments on this part. Focus on client side. When looking at b*********.**p remember what the system is when trying to attack and how to smuggle goods in.

For root:
Communication is key; find where to communicate. Bruteforce is a good option here :).

Rooted!
The box itself is cool, but quite unstable and definitely not insane.