Resolute

Nevermind.

Finally rooted this box, learned a lot from this one.
Look at what group of friends the user hangs out with and what they can do.
Google is your best friend after that.

@kkaz said:

Hints:
Users

User1: Quite easy just do basic enumeration
User2: Again enumerate the hidden jewels from root directory
Root

Method1: I used DNSA**** way with D** injection this method is quite tricky and interesting
Method2: Once you get user2 creds give it to ms*t smb module and this is it. This method is piece of cake, learned from @grav3m1ndbyte thanks mate.

@kkaz I just tried method 2. Wow, just wow. How easy was that?? Thanks for the tip.

user1 & 2 owned. just need to figure out the root.

EDIT: root was easier than finding user2 creds, imo

Just trying to root the machine but need some help with it… Can anyone PM me what is the right M*ST module, please?

Edit: Solved! Thanks to @ZloyObezyan for the help!

@kkaz said:

Root is giving me real pain. When I run d***md command it does not contact my smbserver, do not know why but stuck here. Help will be appreciated.

Edit: Never mind, got root. I was doing a critical mistake, thanks goes to @g3of0xx @inertia @rholas

same here, I can connect to the share with dir command but not with the command we need… wtf is my critical mistake?

May I ask how all of you got the passwords for the users so quickly?

Anyone can help me understand why my dns*** command from ev**** shell doesn’t connect at all to my imp*** smb** ? It’s driving me crazy

nvm: I’m an IDIOT

@halfluke said:

Anyone can help me understand why my dns*** command from ev**** shell doesn’t connect at all to my imp*** smb** ? It’s driving me crazy

It might be the payload you hosted on imp*** smb server. I seem to have the same issue which you encounter but it seems to be fixed when I change the payload. The AV seems to block certain payloads, which makes it look like it is not downloading any files from smb.

@halfluke said:

@kkaz said:

Root is giving me real pain. When I run d***md command it does not contact my smbserver, do not know why but stuck here. Help will be appreciated.

Edit: Never mind, got root. I was doing a critical mistake, thanks goes to @g3of0xx @inertia @rholas

same here, I can connect to the share with dir command but not with the command we need… wtf is my critical mistake?

dm me if still stuck

no, I’m an idiot, I expected to see a connection before restarting the service and as I didn’t see any connection, I never restarted the service…

@ExploitZone said:

I really need a hint to m**** account to r**** … can someone PM me?

got it

I managed to get a list of users and a password. I tried connecting with these creds but no luck… any advice?

@lowtoe said:

@ExploitZone said:

I really need a hint to m**** account to r**** … can someone PM me?

same!! can someone give me a hint? I’ve looked around the / directory but not getting the hint. thx!

Sometimes when you’re looking for something and can’t find it, it’s hidden. When you want to hide a folder in an easy way, what would you do first…

Awesome box. Learned new technique. Thanks @egre55

User is pretty common actually. Admins do this here and there. Basic Windows enumeration. Do not rush it.

Root is a new tactic focused on groups and what they can do. You’ll know once you do some googling. Don’t be afraid to build code on a Windows box and move over those files ;).

DM me if you need any nudges. More than willing to help.

Got root after scrambling for a couple of days, Thanks to @Chobin73 and @Seth70 for the nudge. Here are the real hints.

User: After enumerating you will find the password that looks very common. However, you will have to mix and match very well with the usernames you got :)

Root: I have used the difficult way. Once you know which group you belong to, do a little bit of googling. In order to not bang your head like me to bypass AV, try using impacket-s******* not s**s**** cuz they are different. Then you don’t have to custom tailor your own scripts. Also, bear in mind the architecture that you are trying to exploit.

rooted the intended way after much stupidity but curious about the msf easy way…

It took some time to root this box. But in the end, I did it. If you’re still stuck, feel free to send me a PM.

Rooted intended way. PM if you are stuck.

Rooted! Fun box!! Thanks @egre55