Resolute

The AV is very irritating. I tried many B****s techniques, with no luck.

Cannot get the DLL to work. I can see that Windows is reaching for it but nothing happens next. I used a binary from venom. Is there a simple way to get a correct DLL without crafting it? Help please!

Upd: got root. The issue was not the DLL but impacket. Somehow got it to work.

@rheaalleen said:

Rooted

User: You have one password, try to get it working. Something evil happens when SysAdmins are lazy. Then go to the roots and force your way in.

Root: You will find what you will abuse. After that I'll say the following: the file you will use can be remote or on the machine. For the second way it doesn't matter where it is, but you have to make it yourself or the AV will nuke it; poison doesn't work.
If you go by the remote path, trust impacket and its servers before you use a native tool. As a bonus, with impacket you will see if it really gets contacted, and you will know that the file is on its way to the machine.

Any further explanation for the root part?

Finally got Root!
But ■■■■ that Anti-Virus is a pain.
Thanks to @rholas @mimorikay

Hack The Box

Managed to get in with the user creds, but as a Linux guy (the reason I have been trying to focus on Windows boxes) I am having a lot of trouble moving over to R***. I see he is in the C********** group and I assume that gives me more privs. So any PMs are welcome for any good tools or scripts that might help me enum and figure out the next steps, or even a nudge in the right direction. All the scripts I have tried seem to get permission denied everywhere…

How did you guys bypass Defender? I'm on the r… account to elevate access, but for some reason I couldn't find a way to even execute SharpHound, as it gets deleted automatically by Defender (AMSI).

Any help would be greatly appreciated, thanks.

PS: Finally got root. I was focusing too much on bypassing Defender where it wasn't even needed. Hope this hint helps others.

I need a nudge to get going. I think I found the first password (I have an incredibly hard time believing anyone would actually put a password there) but I have no idea how to use it. I've tried using evi*-w**** but it requires a username that I have no idea how to find. Anyone want to message me and help me out?

@m4rc1n said:

@marcandrer said:

@mike008 said:

Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but I'm running into access denied when restarting; just making sure I am doing the right thing. Think the box might be hoarked/fubared, but looking for validation.

Yes, I’ve been able to stop/start the D** service with user R***.

Is it so? I was under the impression that the service was restarted at given intervals.

Thx @sassuwunnu for the correct commands. It was restarted. Now to figure out why it is not pulling the DLL from my sb server using i*****t.

Also thx @FatPotato.

Rooted. Had to try harder I guess.

Need some help!
Started doing this box, nmap'd every port but haven't found anything useful.
Tried various impacket scripts and still nothing.

Am I missing something?
A hint would be appreciated!

UPD: got many users, but no passwords were found.

Can someone give me a nudge, I got the user flag, but now I’m stuck and I can’t find anything useful on the file system.

Did anyone else get errors using E***-W****? Using M**** and his PWD.

The AV bypass is a pain in the ■■■■, any hints on how to do it would be great! :slight_smile:

Hi, new user here, trying to learn. I found a username and a password, but I'm having difficulty from here. Does anyone have a walkthrough they could PM?
Many thanks.

I'm stuck on the e***-W**** syntax, I think. I have the r*** and I have the W***** but no matter how I format the command, it doesn't show me any love. Tried on standard and non-standard ports with -i 10.10.10.169 -u \r*** -p 'W*******' -P (for any non-standard port). Being a Windows guy, I'm trying to do this all from my Linux box so I can force myself to learn, but I never quite know what is case sensitive and what requires the '

@LaughingGhoul you need the password to be inside single quotes ('password') when it contains characters that the Linux shell bash interprets as commands. Like that last char on that one.

Your problem is not the pw though!

TBH I'm surprised that the AV actually does NOT catch it. I would have expected it to analyze any file the second the OS opens it, whatever its location or incoming channel… If someone has some details on that I'd be interested to know.

YES!! Finally rooted this guy. Interesting path of attack.

Some hints:

For user, enumerate users and their details, then think outside of the box…

For root, find the other user's credentials, see what this guy can do, and google what you really want to accomplish with the discovered info.

0xdaff, thanks. I've actually been using DOMAIN\user after the -u and thought I had tried them all. I'm thinking I'll go pop it with my Windows box and then come back once I know the correct u/p and work on the syntax.

Appreciate the tip.

Still looking for the second password… any tips?
Edit - Got it! Thanks @ssklash

I am new to Windows machines. I got the password for m**** and know where to use the creds, but it doesn't work. Can someone give me a hint pls :slight_smile: