• Got root. Finally not so hard

    User: enumerate with usual tools. After you got some users, don't bruteforce but test some lazy password that an admin can set on account.

    Root: enumerate in order to find the weakness of this box. After, google and you should find all u need ! make some minor changes and all will be fine

    Feel free to PM if needed

    Have fun !

  • Had so much fun.
    Wanted new windows box for improving AD pentesting skills and it just appeared ;d
    root part was easier than user.

    Great box!

    Feel free to PM. I won't respond messages like those - ["hi, help me", "what can i do", "it does not work"] ... be more specific!
  • edited January 14

    Good box although I don't like these guess-the-thing stages. But suppose that's also part of a penetration testing specially in the bad password practices (not comparable at all to "guessing the technology" like in Mango machine). Liked so much to exploit that service on root since I didn't do that before.

  • edited January 14

    So I've found a list of users, and tried every combination I can think of for passwords and users. Can I get a hint in PMs?? I'm sure I'm doing something stupid


    Got it now

  • rooted! thx @TheRamen for the help!

    If you need help with something, PM me how far you've got already, what you've tried etc.
    Discord: MadHack#6530

  • rooted. Learned something about a---e cloud and S-- server.

    root: If you are a linux guy like me, you need to understand meaning of the connection string in the POC, especially another way of authentication.

  • I think I'm being really stupid - I have an MB domain, but not sure of what to do so i can use it in im* - can someone just dm me with the right syntax

  • What a great machine,

    A good example that sometimes we don't focus on the simple.

    Start, as the whole key is the enumeration, but here the rule is not to complicate and think like every administrator a bit lazy, remember that you have no restriction on passwords, but you also do not have to brute force.

    User, the list will open the doors to locate what you need from the user, you already have everything only E****W**** and your creds.

    Root, a good example of taking advantage of technology, was a very good method, getting used to throwing commands is important, but I think a good connection will help you climb, I know it sounds very weird, but believe me it should be.

    I thank @oztechmuse and @TheRamen for confirming the correct path and especially to the creator of the machine for this very good challenge.

    If any of this is spoiler please delete.



    +respect me if I helped you :}

  • Rooted. Pretty easy box, I just got hung up slightly on root exploit. Thanks to @madhack and @flipflop139874 for the guidance.

  • edited January 14
    Hi all, I'm currently stuck on connecting to a storage service. Can't figure out the authentication method. May I ask for some guidance? I will show my attempts. Thanks!

    EDIT: and, as always happens, five minutes after posting I found the culprit and solved my problem.
  • edited January 14

    Got user
    After you get first creds (all that previous hints about typical lazy admin) you need to find second creds (check folders of users in s** shares, you'll get the name of user)
    It's somewhere in the machine, no more than cat is needed
    Next that dEVIL will work fine)
    Free to pm me, glad to help

    Good game. well played!

  • edited January 14

    Spoiler Removed


  • I tried "guessing", then I got really really (really) dumb about password management. Got access to one "user" and found a neat file in another users directory with a very common tool (that isnt evil). Then I found a crumb that worked for another user inside of the neat file after I exfiltrated. I was able to use a more evil tool with the 2nd set of creds from the neat file. Absolutely zero brute forcing is required, but a little mist or spray might make your privilege garden grow ( :p ). If youre throwing word/dict lists at this box, youre doing it wrong (like I was when I first started, lol).

    Im saving root for another day, but I have a feeling it has something to do with the steaming pile of microsoft called A***E and how it (poorly) "handles" creds.

    Thanks to the creator, I like these winblows boxes! Its a nice change of pace.

  • Root Tip: Don't just google and scan. Google and read the articles that show up so you learn. There is one link that contains many. If you're there you're heading in the right direction. Also keep your head out of the clouds. When you find what you are looking for review it with a text editor that shows color. Fix the issues and add your code. I had help with the adding code so I can't really explain a bit of it. Thanks to @NoWay191 and @babywyrm

  • edited January 15

    Edit: I got it, I rabbit holed into one user...gotta try them all! One trick is to look at logon numbers, many users haven’t logged in which narrows it down!

    Hack The Box

  • Rooted!
    User : basic enumeration but tricky.
    Root : pretty straightforward. Got to know about A****
    DM for hints!

  • Stuck.
    I've got a creds and i connected S*B into folder u*****, but i don't know where to go, i think i need a second creds but i don't know where to look for it.
    Can someone give me a hint?

  • edited January 15

    @Ninjacoder said:

    Can anyone send me some nudges on user? I found the user to use (I think) and have tried two different s*b tools with as many default pws as I can think of...I’m sure it’s something stupid simple.


    It's hard to give a nudge without totally giving it away but honestly really take heed of how dumb a 'password' could be if you could set it to whatever you like.

    You don't need a dictionary attack or brute force or anything. It's all right there. I had to really wrack my brain before I got the 'aha!' moment and laughed at how stupid and overlooked it was.

  • @Meise said:
    I've got a creds and i connected S*B into folder u*****, but i don't know where to go, i think i need a second creds but i don't know where to look for it.
    Can someone give me a hint?

    If you can connect via S*B then you're about 2 steps away from user. You've overlooked something. It's right there.

  • So there are definitely enough hints here to get a foothold on the box and from there it is just more and more enumeration to get credentials to access the box as the user account which gives you user.txt

    The biggest hurdle is that what is obvious to some people is not to others. The user/password is, in hindsight, obvious but it did take me a while.

    My main suggestion is to enumerate the box (domains, groups, users, etc) and use everything you find to create a list of usernames and passwords. Then try it.

    Getting root/admin is surprisingly easy after you've done some enumeration. You should find something interesting and quick googling will point to an attack.

    The attack works perfectly.


    Happy to help people but PLEASE explain your problem in as much detail as possible!


  • running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

  • Type your comment> @bobbuilder said:

    running the a**** m*** exploit makes my e***-****m session crash, anyone having the same problem?

    That happens when there's a fatal error from the exploit.

  • edited January 16

    Root was super fun and I learned a bunch! My hunch was right in regards to A***E. The POC code from a certain three letter handle on github is a steaming pile trashbutt. I had to rewrite most of the POC script, but it worked in the end. Getting root on this box is another shining example of why not to give your keys to the castle to M$ and their "cloud offering".

    Thanks so much for @secucyber for keeping me on the right track and to the creator for a super fun box.

    Hit me up if you need help.

  • Who broke the box
  • edited January 16

    Nice box . whenever working with windows , i am get to know the different tools and gaining good knowledge . Thank you for help me to get root on this box @GhostSquad , @rholas and @madhack

  • Rooted
    Thanks for the help with root @oztechmuse
    Nice and interesting box.

  • rooted... contact me if you need some nudge

  • Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the "Easy" end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.

    Hints per usual:

    Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.

    Once you have access, look around a bit. There's something lying around for you which will help you escalate to a different user.

    User: Utilize what you obtained. Be evil about it.

    Root: Check your groups. Enumerate the service you find, and utilize the POC.

    Thanks @egre55

    Hack The Box | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Stuck with the POC

  • edited January 16

    Type your comment> @m1rz said:

    Stuck with the POC

    You're on the right track but might be looking at the wrong item to run. You don't need to use the POC people are talking about, there is another set of tools out there as well.

    Anyone can feel free to PM me for user or root help.

    Hack The Box

Sign In to comment.