Resolute

After about a year away, I realize I have forgotten so much! Could anyone give me a nudge in the right direction? I have got user creds but am stumped now… thank you in advance…

Edit: Got user, I was transposing the password wrong…doh…

Now stuck, trying to upload an enum script but antivirus is catching it…grrrr

I think I already have all the things I can have except the root in this box.
I got two users, I found the two groups that my R user belongs to.
One group with many ppl, one group only has R.
After I read all the hints, I still have no idea about the next step.
Tried to google with the Win version, with the groups and the privilege of R, no luck.
At this moment, I see no hope to get it through.

whoami
nt authority\system

Very interesting challenge, but a good challenge. Learned a lot.

Could use a nudge, can’t figure out how to get past me user. Have seen others saying to enumerate but I’ve tried a bunch of different things and still haven’t found anything useful. Trying to list running services as others seem to have offered that as advice. But it doesn’t appear me has the ability to do that. Would appreciate a nudge.

Edit: Found second user

Would someone be able to point me in the right direction for the manual way of exploiting? I am using r*** to request a file from my SS*** but no matter what I try it does not want to take it. Any help would be greatly appreciated!

Root payload was being a pain but finally got the right one #triedharder!

I rooted the box, but @BrokenGQ gave me great help, thanks so much man.
Thanks also to @1urch for the initial hint. I have a gap in Windows knowledge.

Rooted
Very cool box
Thanks

Stuck on priv esc. Respect up for grabs to help discuss and for some suggested reading material. :slight_smile:

Finally rooted! Patience is key for this one! Thank you @egre55 , this was a pretty cool box and not too hard (for those of us that suck at windows anyway)! Feel free to DM for help!

@ByteM3 said:

Stuck on priv esc. Respect up for grabs to help discuss and for some suggested reading material. :slight_smile:

Same here, got user, stuck atm trying to escalate!

First time dealing with a Windows box,
lots of fun and things to learn, thanks @egre55 for making the box

A great box, thanks @egre55
Happy to chat if anyone needs a hint.

Getting this error while I try to add a DLL via dns cmd, can someone help here?

DNS Server failed to reset registry property.
Status = 1722 (0x000006ba)
Command failed: RPC_S_SERVER_UNAVAILABLE 1722 0x6BA

Thanks for the tips here, everyone, like @kkaz and @WiseGuy

This was my 3rd machine, first Windows.

For User, thanks to those who mentioned at E… W…M. Great tool, first time I’ve seen it.

For Root, lots of people trying different methods other than MSF modules. Curious how the other methods work, but I never ended up having to use anything else. Used Im…t, but did me no good. Tried so many modules w/ ‘2nd user’ creds, and after seeing so many posts that one would work…finally found it :slight_smile:

Good machine, thanks, @egre55

Ok, I have been trying very hard NOT to have to post. I thought with 17 pages worth of super helpful comments, I would be able to figure this out, but I am just stuck.

I am trying to get root.

-Have evil
-venomd a Dll
-can copy dll from smb (packet)

Not throwing the shell back to my NC

What am I doing wrong… I have been breaking my head over this.

I see a lot of people saying this is easier by using a module, but have no idea which one… I have tried a couple.

Please someone throw me a line and get me pointed back in the right direction.

DM me if easier.

Thanks!

@H31D1 said:

Ok, I have been trying very hard NOT to have to post. I thought with 17 pages worth of super helpful comments, I would be able to figure this out, but I am just stuck.

It’s OK - we all get stuck, the better you can explain the question, the better chance of an answer :slight_smile:

@H31D1 said:

Not throwing the shell back to my NC

Troubleshoot the data you have. You should see your server send the malicious file and then a few seconds later your listener should get packets.

If this isn’t happening, try to work out where in that chain it fails.

Fire up tcpdump if you need to so you can watch the actual packets.

Chances are, your syntax for the attack command is broken or you’ve mapped the files and folders incorrectly.

@H31D1 said:

I see a lot of people saying this is easier by using a module, but have no idea which one… I have tried a couple.

IMHO this is not the case.

Your approach seems fine, it might just need some technical details ironing out.

@TazWake Thanks for taking the time to respond.

I apologize for not asking a more clear question haha

I guess I am trying to figure out now if the dll crafted from msfvenom is sufficient or if I need to look into creating my own…

I will try to run the packet capture to see what is going on

I thought because I could copy the dll from the Share to the user’s desktop, that everything was working, but when I run the dns tool, I am not seeing the connection in my smb server.

@H31D1 just running the d**c** command won’t do anything instantly. The DLL only gets loaded when the D** service restarts. Also be aware that if anyone else runs that command in between you doing it and restarting the service, it’ll overwrite your DLL path with theirs and so you won’t get any results. Quite an annoying “feature” on a box that has multiple people attacking it at once.
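
Seen from the defending side, the behaviour described in the post above leaves a registry trail: the plugin DLL path is written to the DNS service's `ServerLevelPluginDll` value and is only read when the service starts. The following is an added example, not code from the thread or from the box author; it reviews registry value-set records for that write, flags UNC paths, and flags one account overwriting a path another account set. The records, account names, addresses and the `review` / `is_remote` helpers are constructed for illustration.

```python
from datetime import datetime

# Registry value the Windows DNS service reads its plugin DLL path from at start.
PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"
KEY = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters"

# Constructed records (not from the thread): time, account, registry target, data
# written, as exported from a registry value-set log such as Sysmon Event ID 13.
SAMPLE_EVENTS = [
    ("2020-01-10 14:02:11", r"LAB\userA", KEY + r"\ServerLevelPluginDll",
     r"\\192.0.2.10\share\plugin.dll"),
    ("2020-01-10 14:03:46", r"LAB\userB", KEY + r"\ServerLevelPluginDll",
     r"\\192.0.2.20\s\other.dll"),
    ("2020-01-10 14:01:00", r"LAB\userA", KEY + r"\SomeOtherValue", "1"),
    ("2020-01-10 15:00:00", r"LAB\userB", KEY + r"\ServerLevelPluginDll",
     r"C:\Windows\System32\vendor.dll"),
]


def is_remote(path):
    """True for UNC paths, i.e. a DLL the service would fetch over SMB."""
    return path.startswith("\\\\")


def review(events):
    """Return (time, account, path, reasons) for every plugin-DLL path write."""
    findings, last = [], None
    for ts, user, target, data in sorted(events):
        if not target.lower().endswith(PLUGIN_VALUE):
            continue  # unrelated registry write
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        reasons = ["plugin DLL path set"]
        if is_remote(data):
            reasons.append("UNC path")
        if last and last[1] != user:
            gap = int((when - last[0]).total_seconds())
            reasons.append(f"overwrites value set by {last[1]} {gap}s earlier")
        findings.append((ts, user, data, reasons))
        last = (when, user)
    return findings


if __name__ == "__main__":
    for ts, user, data, reasons in review(SAMPLE_EVENTS):
        print(ts, user, data, "; ".join(reasons))
```

Because the value is only consumed at service start, correlating these findings with the next DNS service restart shows which written path would actually have been loaded.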

@VbScrub I saw that happening a few times… at one point today it was a fight to keep my dll in there, so instead of holding up someone else’s progress I took a break haha.

@6a6d6c has given me some material to research that might be my solution. Need to rethink my DLL… hopefully can root this soon.

Thanks for the feedback