Resolute

Type your comment> @t4l0 said:

Finally got it! Root was really hard for me (i’m not a windows guy ;)). But i have to admit that once you got all the pieces together, It’s pretty straigth forward.

Fun Box! Thanks.

For me, it wasn’t like easy or hard. I relied more on thinking how I found the user2 password and how that (avoiding spoilers hopefully) was generated. If he can do that, he might have high privileges on the system so I could try and access the system in a different way but relying on what the user last did; or so what my thought process.

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

I need a small nudge for user2. I have not managed to run any enum scripts as it gets picked up by the AV.

Got it. Big thanks to @jaccostraathof with getting root!
Machine got a medium rank probably because of privilage escalation.
Now for some hints:
User1: Run your scripts, really. Even those four enum on Linux and then you will see things, that you shouldn’t see (at least according to sysadmins),
User2: “If you want to keep a secret, you must also hide it from yourself.”
Root: See who you are, learn from it and google it.

I got root via both methods… but I am confused on how the ms** module worked.
Can somebody help me understand how that module works by just using user2’s creds?
Thanks

Type your comment> @up2nogood said:

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

There’s a remote python version you can use.

I also just rooted this box using the more difficult way people were talking about. If you’d like some hints, feel free to DM me!

hey guys i m facing issue stopping and starting the service .
used s* stop d** which show stop pending and when I view the state again it shows running without me starting the service.
I m not so good with windows and m stuck with getting the root only because of this.
Had success with transferring the d** file to windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what m doing wrong here.
Can someone please help me out stuck for 2 days on this

Type your comment> @prahar said:

hey guys i m facing issue stopping and starting the service .
used s* stop d** which show stop pending and when I view the state again it shows running without me starting the service.
I m not so good with windows and m stuck with getting the root only because of this.
Had success with transferring the d** file to windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what m doing wrong here.
Can someone please help me out stuck for 2 days on this

Remember that sc.exe and sc are two different things :wink:

However, rooted thanks to @scipher

@nardin thanks for the rply buddy
but niether of them worked for me
And when I used sc.exe it would show the state as follow -
STATE : 3 STOP_PENDING
and after a few seconds the state will revert to running
It is basically not allowing me to stop the service as r**n user

Type your comment> @prahar said:

@nardin thanks for the rply buddy
but niether of them worked for me
And when I used sc.exe it would show the state as follow -
STATE : 3 STOP_PENDING
and after a few seconds the state will revert to running
It is basically not allowing me to stop the service as r**n user

Full path to sc.exe is important too - but by the looks of it that is not your issue.
Could be others starting and stopping it at the same time as you (guessing)
There is also an query option you can run that shows you what state it is in.

Root - I can’t figure out why my lisr isn’t working after my D in**. I’ve done a start and stop and i can’t seem to obtain the escalation. Any nudge would be appreciated!
PM me and I can show you all the commands I’ve run.

Thanks!

Finally rooted! :smiley:

This is my first windows box, so lots to learn, however once the knowledge/tools were acquired, the box itself is not too complicated.

This is really all enumeration.

Root took me a while to get working correctly, mainly because I was doing i******t wrong.

I (think) I did it the manual way. I wasn’t able to find the correct MSt module. Would someone who used it mind letting me know which one it is?

Woohoo! rooted in 2 hrs 22 minutes! That is my fastest one yet! Great box

I’m stumped with root and could do with a nudge, I’m sure I need to somehow craft a dll that a service can read. I’ve found a walkthrough of the idea that modifies mb but I’m struggling to even get to a point where I can build it dll in Visual Studio. I’m struggling to workout where I can get some of the .h files that are required to build mb

Pm if you need a nudge

Finally rooted my first windows box! Really cool privesc to system.
Thanks to @toroflux for getting me on the right trail.

Finally got root on this and I’ve gotta say I really enjoyed the root priv esc. Props to the maker of the box (I’ve tried making my own boxes and its hard to find stuff as interesting as that without it being really obscure and impossible to find).

Big thank you to the people in this thread that gave just enough hints to get me on the right track. Someone asked for less esoteric hints, so for anyone else who’s stuck here’s some tips hopefully without spoiling:

USER
Scan ports and look at one that is a key part of Windows network user management. No credentials required to perform some queries against that. Search through the information there and you’ll find a password that won’t work for the user its associated with, but think about how lazy some admins can be with their default passwords. Once you have credentials that work, look at one of the higher ports for a place you can use them.

USER2
Keep looking around with your existing creds and as others have hinted, look for files/folders that are not immediately visible. Its not in some really obscure location or anything, so don’t worry about exploring every single directory tree.

ROOT
Once you’ve got user2’s creds, look at what this user can do (which I did by going back to enumerating group membership from the source of our original creds, although others have hinted at an easier way). Now just search online for a trick that can turn this group membership into something more. There’s a great blog post that explains it all and even gives code examples, although I had to tweak their example a bit to get my code to compile (I’m a complete noob with C++, so if I can do it anyone can). Don’t get caught up chasing some other exploit related to this D** service like I did at first. Focus on the group membership rather than the service in general when searching.

Also, if multiple people are attacking this part of the box at the same time you can kind of trip over each other because it looks like the D***** command you use to get your DLL in place seems to remove previous entries and replace them with the path to yours. So if someone else does that while you’re in the middle of restarting the service to get it to pick yours up, it won’t work. So if you’re sure you have everything correct, give it a minute and try again (and maybe keep checking the status of the service to see if other people are trying to restart it).

I think I got the creds for initial step but when I try to use it, I didnt get what I expect. Anyone’s willing to give a hand? Thanks

Edit 1: nvm, i think now i really get it xd

Please can someone DM me on how to get user 2 creds, I have looked everywhere in vain. Many times I face Unauthorized Access exception.