Resolute

This is the kind of machine I like to find on HTB. The root part taught me some useful things usable on real life.
kudos to the creator!

finished the box. Happy to help anyone stuck on it.

IDK if anyone know but can anyone DM me why user m******* couldn’t do certain S** functions that user r**** could? was it a specific permission? if so, which one? thanks

Ah, wow, root was under my nose this whole time. Don’t overthink this one, legitimate credentials are the best exploit of all.

got the user flag using m’s account. What am i supposed to do from here to obtain root?

Got root after 5 mins thank all for the hints !

Rooted! Took me a long long time, but all the hints you need are on this forum.
I was stuck way too long with trying to create a file with Visual Studio, but a file from msfvenom worked aswell.
I loved this box, learned a lot.

Enjoyed the root! Simple yet interesting.
Enumerating the whole directory was not so fun though but a necessary learning point.

Happy to help anyone if I can.

Got root. PM if you need help.

Do you guys have an enumeration script you like to run on windows… like LinEnum.sh??

Resolute

Somewhat real-life and an interesting privesc. Overall it was pretty fun box :]

User-1

  • Enumeration skills needed. Think about what protocol may give you more juicy information.
  • Then, look for a port that you can get a shell from. Try to look for every port.

User-2

  • You need to spot a juicier user among many. (I used BH to quickly review them)
  • Enum deeper to look for sensitive data (The idea is a bit similar to User-1 path)
  • Then, get a shell under the context of this user.

Root

  • You will enjoy the ride for this privesc.
  • Again, if you ran the BH, you should already know why the User-2 is juicy.
  • Just Google about who he is and the related exploit.
  • Exploitation is not that hard. Couldn’t find the blog post that has the exact steps, but there is a really good one that would be enough for you to follow along to escalate your privilege. (I can def point you to this if needed)

Happy to assist any mates. PM me :]

Got root.
That was fun :D!

Big thank you to @egre55 for making this box :slight_smile:

I completed root the easy way but thought that was cheating so I went back and did it the proper way which was a good learning curve. :smiley:

Happy Hacking everyone and also a big thank you to everyone that gave me nudges for the Proper way (I’m a noob learning the ropes) :smiley:

Type your comment> @t4l0 said:

Finally got it! Root was really hard for me (i’m not a windows guy ;)). But i have to admit that once you got all the pieces together, It’s pretty straigth forward.

Fun Box! Thanks.

For me, it wasn’t like easy or hard. I relied more on thinking how I found the user2 password and how that (avoiding spoilers hopefully) was generated. If he can do that, he might have high privileges on the system so I could try and access the system in a different way but relying on what the user last did; or so what my thought process.

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

I need a small nudge for user2. I have not managed to run any enum scripts as it gets picked up by the AV.

Got it. Big thanks to @jaccostraathof with getting root!
Machine got a medium rank probably because of privilage escalation.
Now for some hints:
User1: Run your scripts, really. Even those four enum on Linux and then you will see things, that you shouldn’t see (at least according to sysadmins),
User2: “If you want to keep a secret, you must also hide it from yourself.”
Root: See who you are, learn from it and google it.

I got root via both methods… but I am confused on how the ms** module worked.
Can somebody help me understand how that module works by just using user2’s creds?
Thanks

Type your comment> @up2nogood said:

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

There’s a remote python version you can use.

I also just rooted this box using the more difficult way people were talking about. If you’d like some hints, feel free to DM me!

hey guys i m facing issue stopping and starting the service .
used s* stop d** which show stop pending and when I view the state again it shows running without me starting the service.
I m not so good with windows and m stuck with getting the root only because of this.
Had success with transferring the d** file to windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what m doing wrong here.
Can someone please help me out stuck for 2 days on this

Type your comment> @prahar said:

hey guys i m facing issue stopping and starting the service .
used s* stop d** which show stop pending and when I view the state again it shows running without me starting the service.
I m not so good with windows and m stuck with getting the root only because of this.
Had success with transferring the d** file to windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what m doing wrong here.
Can someone please help me out stuck for 2 days on this

Remember that sc.exe and sc are two different things :wink:

However, rooted thanks to @scipher

@nardin thanks for the rply buddy
but niether of them worked for me
And when I used sc.exe it would show the state as follow -
STATE : 3 STOP_PENDING
and after a few seconds the state will revert to running
It is basically not allowing me to stop the service as r**n user