Resolute

no, I’m an idiot, I expected to see a connection before restarting the service and as I didn’t see any connection, I never restarted the service…

Type your comment> @ExploitZone said:

i really need an hint to m**** account to r**** … can someone PM me?

got it

i managed to get a list of users and a password. I tried connecting with these creds but no luck… any advice?

Type your comment> @lowtoe said:

Type your comment> @ExploitZone said:

i really need an hint to m**** account to r**** … can someone PM me?

same!! can someone give me a hint? I’ve looked around the / directory but not getting the hint. thx!

Sometimes when you’re looking for something and can’t find it it’s hidden. When you want to hide a folder in an easy way. What would you do first…

Awesome box. Learned new technique. Thanks @egre55

User is pretty common actually. Admins do this here and there. Basic windows enumeration. Do not rush it.

Root is a new tactic focused on groups and what they can do. You’ll know once you do some googling. Don’t be afraid to build code on a windows box and move over those files ;).

DM me if you need any nudges. More than willing to help.

Got root after scrambling for a couple of days, Thanks to @Chobin73 and @Seth70 for the nudge. Here are the real hints.

User: After enumerating you will find the password that looks very common. However, you will have to mix and match very well with the usernames you got :slight_smile:

Root: I have used the difficult way. Once you know which group you belong to, do a little bit of googling. In order to not bang you head like me to bypass AV, try using impacket-s******* not s**s**** cuz they are different. Then you don’t have to custom tailor you r own scripts. Also, bear in mind the architecture that you are trying to exploit.

rooted the intended way after much stupidity but curious about the msf easy way…

It took some time to root this box. But in the end, I did it. If you’re still stuck, feel free to send me a PM.

Rooted intended way. PM if you are stuck.

Rooted! Fun box!! Thanks @egre55

wrote in wrong place sorry

Rooted! It was a bit frustrating at times, but I learned a lot from this one thanks @egre55. If you’re stuck PM me what you have tried and I will do my best to help.

rooted!

user1: A little bit of time to understand what to see, just open your eyes while enum. With enum4****x it’s more simple to see

user2: some admins make mistakes with password, some users change it and some others not. When you reach second user read carefully what you can see, and search something you cannot see without an eed dry l*t command

root: user dnmd+imt-sms***r+mv***m, the last for dll… spent too much time to remember that I have few time to operate before all turn again back

very beautiful machine, very very good work, realistic is the right word

some hint for d** restart ?

I’m spinning my wheels here. I have r***. I’m not exactly what M*******t module that could be used with the creds as mentioned in this thread. I guess I’m missing what’s right in front of my face. I feel like I’m missing crucial info in regards to enumeration. Could someone pm me with a nudge? First windows box. Thank you all.

Type your comment> @jgfreeski said:

I’m looking to get in to User right now, and I’m stuck trying to find a way in with pass and user credentials. I’m using e***-w**** and i keep getting authorization errors. any nudge in the right direction would be great!

maybe try a different user…

Type your comment> @qwas2zx9 said:

i have already made a d** injection using the user2 and i am trouble on restarting the d*s server. Can you give me a nudge?

net start and friends didn’t work for me, but sc.exe did. It’s also important to use sc.exe to disambiguate if you an a powershell environment (sc is an alias for Set-Content).

Finally rooted !!! Thanks @kkaz for the help.

Type your comment> @ctlfish said:

Type your comment> @qwas2zx9 said:

i have already made a d** injection using the user2 and i am trouble on restarting the d*s server. Can you give me a nudge?

net start and friends didn’t work for me, but sc.exe did. It’s also important to use sc.exe to disambiguate if you an a powershell environment (sc is an alias for Set-Content).

I rooted it using a different approach but I want to take the hard path which is injecting dll and restarting the service. I am struggling on using the hard method.

Spoiler Removed