RE

@verdienansein said:
… just craft your own payload manually …

+1. If you don’t know how to make one manually it’s basically mandatory to build it from scratch. Never use a public exploit for something you haven’t already done yourself a hundred times. That is how you learn, and what separates the hackers from the skids :slight_smile:

@scud78 said:

@verdienansein said:
… just craft your own payload manually …

+1. If you don’t know how to make one manually it’s basically mandatory to build it from scratch. Never use a public exploit for something you haven’t already done yourself a hundred times. That is how you learn, and what separates the hackers from the skids :slight_smile:

Well said. This box is a monster if you aren’t able to rely on some of your own prior knowledge and capabilities. That being said, if you are a “newbie” and looking to give this box a try, I highly recommend looking into payload generation and python scripting. It will serve you wonders in the long run.

@farbs said:

@scud78 said:

@verdienansein said:
… just craft your own payload manually …

+1. If you don’t know how to make one manually it’s basically mandatory to build it from scratch. Never use a public exploit for something you haven’t already done yourself a hundred times. That is how you learn, and what separates the hackers from the skids :slight_smile:

Well said. This box is a monster if you aren’t able to rely on some of your own prior knowledge and capabilities. That being said, if you are a “newbie” and looking to give this box a try, I highly recommend looking into payload generation and python scripting. It will serve you wonders in the long run.

Do you have any good resources for this?

@H4ck3d5p4c3 said:
@farbs said:

@scud78 said:

@verdienansein said:
… just craft your own payload manually …

+1. If you don’t know how to make one manually it’s basically mandatory to build it from scratch. Never use a public exploit for something you haven’t already done yourself a hundred times. That is how you learn, and what separates the hackers from the skids :slight_smile:

Well said. This box is a monster if you aren’t able to rely on some of your own prior knowledge and capabilities. That being said, if you are a “newbie” and looking to give this box a try, I highly recommend looking into payload generation and python scripting. It will serve you wonders in the long run.

Do you have any good resources for this?

There are tons of blogs and git repos about using Python for hackery things, and also books like Black Hat Python etc. However, you should 100% stay away from those in the beginning :stuck_out_tongue: Go through the tutorial on python.org, learn the basics, play around with the socket and os modules, and build some small snippets that automate your basic hacktivities. The reason I’m saying this is because if you start out using pwntools and impacket etc. you’ll be handicapping yourself severely by letting them hide the internals :slight_smile:

And for payloads, if talking macros specifically, the necessary skill isn’t how to build a type of macro that runs code, but how to read developer documentation on company websites :wink:

@H4ck3d5p4c3 said:

@farbs said:

@scud78 said:

@verdienansein said:
… just craft your own payload manually …

+1. If you don’t know how to make one manually it’s basically mandatory to build it from scratch. Never use a public exploit for something you haven’t already done yourself a hundred times. That is how you learn, and what separates the hackers from the skids :slight_smile:

Well said. This box is a monster if you aren’t able to rely on some of your own prior knowledge and capabilities. That being said, if you are a “newbie” and looking to give this box a try, I highly recommend looking into payload generation and python scripting. It will serve you wonders in the long run.

Do you have any good resources for this?

3.12.0 Documentation is the authoritative source.

I’m navigating to http://10.10.10.144 and it shows HTML telling me that the actual site is at reblog.htb, and after 2 seconds it redirects to reblog.htb, which doesn’t exist.

For anyone else with a similar problem, remember this will rely on your hosts file.

@verdienansein said:

User part was quite easy, just craft your own payload manually, it is easier and it will work fine.

I agree but you can use the tool to create the framework. You just need to go in and change the important bit.

If you don’t, it probably won’t work.

sorted

This was a really hard but useful and instructive journey. Thanks to @0xdf for the box and @Chr0x6eOs for the hints in the root access phase.

Spoiler Removed

@bumika said:

Spoiler Removed

Interesting.

I am new to Windows boxes; this weird thing happened, any help?
I got the NT AUTHORITY\SYSTEM shell by p***U.ps1 already, but still can’t read root.txt, still access denied…
Tried takeown, icacls, also no hope

@kkbear said:

I am new to Windows boxes; this weird thing happened, any help?
I got the NT AUTHORITY\SYSTEM shell by p***U.ps1 already, but still can’t read root.txt, still access denied…
Tried takeown, icacls, also no hope

Look at other ways you can make a file unreadable in Windows.

@TazWake said:

@kkbear said:

I am new to Windows boxes; this weird thing happened, any help?
I got the NT AUTHORITY\SYSTEM shell by p***U.ps1 already, but still can’t read root.txt, still access denied…
Tried takeown, icacls, also no hope

Look at other ways you can make a file unreadable in Windows.

Any hints on direction? Is it related to the domain?

@kkbear said:

Any hints on direction? Is it related to the domain?

I am not sure I can hint this without it being a spoiler.

But take a step back and think of ways you can make a file so that others can’t read or modify it. We often do this to portable media, and there is a Windows command for it.

@TazWake said:

@kkbear said:

Any hints on direction? Is it related to the domain?

I am not sure I can hint this without it being a spoiler.

But take a step back and think of ways you can make a file so that others can’t read or modify it. We often do this to portable media, and there is a Windows command for it.

I think I got it now; guess I will have to literally kill for the trophy.
Will try when I get access to my Kali, which has all the required files for the previous steps.
Thanks very much

Finally rooted! Huge thanks to @scud78 @bumika and @TazWake for fielding my questions. It is a super tough box that eats noobs like me alive. I guess if you persist hard enough, you can get it though…

Done

Can anybody PM me a hint on the user stage? I have been trying for 4 days. I have manually generated the macro and obfuscated the payload, and tested it on the local VM, but it just doesn’t work on RE. Please help me.

Finally rooted. Cost me almost 8 days on this. Really learned a lot about Windows exploits. Read many good articles, especially the original research report from Check Point, which taught me how security researchers pave their way to finding the vuln spot. Special thx to @v1p3r0u5 @scud78 @Chr0x6eOs @atr0pos; without your help I couldn’t have gotten to the end.

User:

The free version of the box is not very stable; after I went VIP it worked just fine… Also pay attention to the file extension; only one type works.

Root:

  1. The first step still seems strange to me, because what I tested on my local Win10 couldn’t work on RE, while the way I learned from others works on RE but can’t work on my local Win10. I spent almost 2 days stuck here. I guess maybe we need the exact version of the OS and application to test locally.
  2. Like others said, rotten food is not good for 2019. Try something else.

Hi, can anybody give me a nudge for the priv esc part? I got a user shell and think I know what to do next, but I don’t know the ingredients.
I want to root this box before it gets retired.
THANKS!!