Resolute

191012141530

Comments

  • Type your comment> @Xerock said:

    Can't seem to find the 2nd user creds. If anyone can give me a nudge in the right direction, would be great!

    Edit: OF course I find it right after posting this...

    Sometimes the solution is in the “root” of the problem ;)

  • I loved this box thanks to the author I learned a lot I am already root

  • edited December 2019

    Nevermind.

  • Finally rooted this box, learned a lot from this one.
    look at what group of friends the user hangs out with and what they can do.
    Google is your best friend after that.

  • Type your comment> @kkaz said:

    Hints:

    Users

    User1: Quite easy just do basic enumeration
    User2: Again enumerate the hidden jewls from root directory

    Root

    Method1: I used DNSA**** way with D** injection this method is quite tricky and interesting
    Method2: Once you get user2 creds give it to m***s****t smb module and this is it. This method is piece of cake, learned from @grav3m1ndbyte thanks mate.

    @kkaz I just tried method 2. Wow,just wow. How easy was that?? Thanks for the tip.

  • edited December 2019

    user1 & 2 owned. just need to figure out the root.

    EDIT: root was easier than finding user2 creds, imo

  • edited December 2019

    Just trying to root the machine but need some help with it... Can anyone PM me what is the right M****S***T module, please?

    Edit: Solved! Thnks to @ZloyObezyan for the help!

  • Type your comment> @kkaz said:

    root is giving me real pain. When i run d***md command it does not contact my smbserver do not know why but stuck here. help will be appreciated.

    Edit: Never mind got root i was doing a critical mistake, thanks goes to @g3of0xx @inertia @rholas

    same here, I can connect to the share with dir command but not with the command we need... wtf is my critical mistake?

    halfluke

  • May I ask how all of you got the passwords for the users so quickly?

  • edited December 2019

    Anyone can help me understand why my dns*** command from ev**** shell doesn't connect at all to my imp*** smb** ? It's driving me crazy

    nvm: I'm an IDIOT

    halfluke

  • Type your comment> @halfluke said:

    Anyone can help me understand why my dns*** command from ev**** shell doesn't connect at all to my imp*** smb** ? It's driving me crazy

    It might be the payload you hosted on imp*** smb server. I seems to have the same issue which you encounter but it seems to be fixed when i change the payload. The AV seems to block certain payloads which make it like it is not downloading any files from smb

  • Type your comment> @halfluke said:

    Type your comment> @kkaz said:

    root is giving me real pain. When i run d***md command it does not contact my smbserver do not know why but stuck here. help will be appreciated.

    Edit: Never mind got root i was doing a critical mistake, thanks goes to @g3of0xx @inertia @rholas

    same here, I can connect to the share with dir command but not with the command we need... wtf is my critical mistake?

    dm me if still stuck

  • no, I'm an idiot, I expected to see a connection before restarting the service and as I didn't see any connection, I never restarted the service...

    halfluke

  • edited December 2019

    Type your comment> @ExploitZone said:

    i really need an hint to m**** account to r**** ... can someone PM me?

    got it

  • i managed to get a list of users and a password. I tried connecting with these creds but no luck... any advice?

  • Type your comment> @lowtoe said:

    Type your comment> @ExploitZone said:

    i really need an hint to m**** account to r**** ... can someone PM me?

    same!! can someone give me a hint? I've looked around the / directory but not getting the hint. thx!

    Sometimes when you're looking for something and can't find it it's hidden. When you want to hide a folder in an easy way. What would you do first...

    t13nn3s
    You can find write-ups and walkthroughs on my personal blog: https://binsec.nl

  • Awesome box. Learned new technique. Thanks @egre55

    User is pretty common actually. Admins do this here and there. Basic windows enumeration. Do not rush it.

    Root is a new tactic focused on groups and what they can do. You'll know once you do some googling. Don't be afraid to build code on a windows box and move over those files ;).

    DM me if you need any nudges. More than willing to help.

    "ClickmedotEXE"
    CISSP | OSCP
    arodtube

  • Got root after scrambling for a couple of days, Thanks to @Chobin73 and @Seth70 for the nudge. Here are the real hints.

    User: After enumerating you will find the password that looks very common. However, you will have to mix and match very well with the usernames you got :)

    Root: I have used the difficult way. Once you know which group you belong to, do a little bit of googling. In order to not bang you head like me to bypass AV, try using impacket-s******* not s**s**** cuz they are different. Then you don't have to custom tailor you r own scripts. Also, bear in mind the architecture that you are trying to exploit.

  • rooted the intended way after much stupidity but curious about the msf easy way...

    halfluke

  • It took some time to root this box. But in the end, I did it. If you're still stuck, feel free to send me a PM.

    t13nn3s
    You can find write-ups and walkthroughs on my personal blog: https://binsec.nl

  • Rooted intended way. PM if you are stuck.

    --
    OSCP

  • Rooted! Fun box!! Thanks @egre55

  • edited December 2019

    wrote in wrong place sorry

  • Rooted! It was a bit frustrating at times, but I learned a lot from this one thanks @egre55. If you're stuck PM me what you have tried and I will do my best to help.

    k1llswitch
    "The master has failed more times then the beginner has even tried"

  • rooted!

    user1: A little bit of time to understand what to see, just open your eyes while enum. With enum4****x it's more simple to see

    user2: some admins make mistakes with password, some users change it and some others not. When you reach second user read carefully what you can see, and search something you cannot see without an e*****ed d******ry l**t command

    root: user dnmd+im*****t-sms****r+mv***m, the last for dll... spent too much time to remember that I have few time to operate before all turn again back

    very beautiful machine, very very good work, realistic is the right word

  • some hint for d** restart ?

  • I'm spinning my wheels here. I have r***. I'm not exactly what M*******t module that could be used with the creds as mentioned in this thread. I guess I'm missing what's right in front of my face. I feel like I'm missing crucial info in regards to enumeration. Could someone pm me with a nudge? First windows box. Thank you all.

  • Type your comment> @jgfreeski said:

    I'm looking to get in to User right now, and I'm stuck trying to find a way in with pass and user credentials. I'm using e***-w**** and i keep getting authorization errors. any nudge in the right direction would be great!

    maybe try a different user..

  • Type your comment> @qwas2zx9 said:

    i have already made a d** injection using the user2 and i am trouble on restarting the d*s server. Can you give me a nudge?

    net start and friends didn't work for me, but sc.exe did. It's also important to use sc.exe to disambiguate if you an a powershell environment (sc is an alias for Set-Content).

  • Finally rooted !!! Thanks @kkaz for the help.

Sign In to comment.