Can anyone send me some nudges on user? I found the user to use (I think) and have tried two different s*b tools with as many default pws as I can think of…I’m sure it’s something stupid simple.
Thanks!
It’s hard to give a nudge without totally giving it away but honestly really take heed of how dumb a ‘password’ could be if you could set it to whatever you like.
You don’t need a dictionary attack or brute force or anything. It’s all right there. I had to really wrack my brain before I got the ‘aha!’ moment and laughed at how stupid and overlooked it was.
@Meise said:
Stuck.
I’ve got creds and I connected S*B into folder u*****, but I don’t know where to go. I think I need a second creds but I don’t know where to look for it.
Can someone give me a hint?
If you can connect via S*B then you’re about 2 steps away from user. You’ve overlooked something. It’s right there.
So there are definitely enough hints here to get a foothold on the box, and from there it is just more and more enumeration to get credentials to access the box as the user account, which gives you user.txt.
The biggest hurdle is that what is obvious to some people is not to others. The user/password is, in hindsight, obvious but it did take me a while.
My main suggestion is to enumerate the box (domains, groups, users, etc.) and use everything you find to create a list of usernames and passwords. Then try it.
Getting root/admin is surprisingly easy after you’ve done some enumeration. You should find something interesting and quick googling will point to an attack.
Root was super fun and I learned a bunch! My hunch was right in regards to A***E. The POC code from a certain three letter handle on github is a steaming pile trashbutt. I had to rewrite most of the POC script, but it worked in the end. Getting root on this box is another shining example of why not to give your keys to the castle to M$ and their “cloud offering”.
Thanks so much to @secucyber for keeping me on the right track and to the creator for a super fun box.
Nice box. Whenever working with Windows, I get to know different tools and gain good knowledge. Thank you for helping me to get root on this box, @GhostSquad, @rholas and @madhack.
Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.
Hints per usual:
Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.
Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.
User: Utilize what you obtained. Be evil about it.
Root: Check your groups. Enumerate the service you find, and utilize the POC.
You’re on the right track but might be looking at the wrong item to run. You don’t need to use the POC people are talking about, there is another set of tools out there as well.
Anyone can feel free to PM me for user or root help.
Newer to HTB and first attempt at a live Windows machine (albeit probably too soon)
Found some info via ld*ch after learning it via ippsec, determined when the found accounts were created and assume these are what the other comments refer to with admin bad practices…my issue is I have not found where to try auth…rcnt? Am I on the somewhat right path with this or completely wrong for this box?
User: lazy admin, check all possible paths for login
Root: ensure the script has no syntax errors, one little mistake will stop it. And the biggest one, check the CONNECTION STRING for the appropriate usage.