Resolute


Comments

  • I just got user and second user shortly after! No exploits or brute-forcing needed, just thorough enumeration!

    Not sure if this is a spoiler, but going through the PayloadsAllTheThings Windows guide will give you useful ideas. It would be nice if there was a handy transcript like this for everything...

    Onto root! Feel free to PM for comments!


  • edited January 15

    After about a year away, I realize I have forgotten so much! Could anyone give me a nudge in the right direction? I have got user creds but am stumped now. Thank you in advance.

    Edit: Got user, I was transposing the password wrong..doh..

    Now stuck, trying to upload an enum script but antivirus is catching it..grrrr


  • I think I already have all the things I can have except the root in this box.
    I got two users, and I found the two groups that my R user belongs to.
    One group with many ppl, one group only has R.
    After I read all the hints, I still have no idea about the next step.
    Tried to google with the Win version, with the groups and the privilege of R, no luck.
    At this moment, I see no hope to get it through.

  • edited January 15
    whoami
    nt authority\system
    

    Very interesting challenge, but a good challenge. Learned a lot.

  • edited January 16

    Could use a nudge, can't figure out how to get past me user. Have seen others saying to enumerate, but I've tried a bunch of different things and still haven't found anything useful. Trying to list running services, as others seem to have offered that as advice. But it doesn't appear me has the ability to do that. Would appreciate a nudge.

    Edit: Found second user

  • Would someone be able to point me in the right direction for the manual way of exploiting? I am using r*** to request a file from my S**S***** but no matter what I try it does not want to take it. Any help would be greatly appreciated!

  • Root payload was being a pain but finally got the right one #triedharder!


  • I rooted the box, but @BrokenGQ gave me great help, thanks so much man.
    Thanks also to @1urch for the initial hint. I have a gap in Windows knowledge.

  • Rooted
    Very cool box
    Thanks

  • Stuck on priv esc. Respect up for grabs to help discuss and for some suggested reading material. :)

  • Finally rooted! Patience is key for this one! Thank you @egre55 , this was a pretty cool box and not too hard (for those of us that suck at windows anyway)! Feel free to DM for help!


  • @ByteM3 said:

    Stuck on priv esc. Respect up for grabs to help discuss and for some suggested reading material. :)

    Same here, Got user, stuck atm trying to escalate!


  • First time dealing with a Windows box,
    lots of fun and things to learn, thanks @egre55 for making the box

  • edited January 17
    A great box, thanks @egre55
    Happy to chat if anyone needs a hint.
  • Getting this error while I try to add a DLL via dns cmd, can someone help here?

    DNS Server failed to reset registry property.
    Status = 1722 (0x000006ba)
    Command failed: RPC_S_SERVER_UNAVAILABLE 1722 0x6BA

  • Thanks for the tips here, everyone, like @kkaz and @WiseGuy

    This was my 3rd machine, first Windows.

    For User, thanks to those who mentioned at E... W...M. Great tool, first time I've seen it.

    For Root, lots of people trying different methods other than MSF modules. Curious how the other methods work, but I never ended up having to use anything else. Used Im.....t, but did me no good. Tried so many modules w/ '2nd user' creds, and after seeing so many posts that one would work...finally found it :)

    Good machine, thanks, @egre55

  • Ok, I have been trying very hard NOT to have to post. I thought with 17 pages worth of super helpful comments, I would be able to figure this out, but I am just stuck.

    I am trying to get root.

    -Have evil
    -venomd a Dll
    -can copy dll from smb (packet)

    Not throwing the shell back to my NC

    What am I doing wrong... I have been breaking my head over this.

    I see a lot of people saying this is easier by using a module, but have no idea which one.. I have tried a couple.

    Please someone throw me a line and get me pointed back in the right direction.

    DM me if easier.

    Thanks!

  • @H31D1 said:

    Ok, I have been trying very hard NOT to have to post. I thought with 17 pages worth of super helpful comments, I would be able to figure this out, but I am just stuck.

    It's OK - we all get stuck. The better you can explain the question, the better the chance of an answer :-)

    @H31D1 said:

    Not throwing the shell back to my NC

    Troubleshoot the data you have. You should see your server send the malicious file and then a few seconds later your listener should get packets.

    If this isn't happening, try to work out where in that chain it fails.

    Fire up tcpdump if you need to so you can watch the actual packets.

    Chances are, your syntax for the attack command is broken or you've mapped the files and folders incorrectly.

    @H31D1 said:

    I see a lot of people saying this is easier by using a module, but have no idea which one.. I have tried a couple.

    IMHO this is not the case.

    Your approach seems fine, it might just need some technical details ironing out.

  • @TazWake Thanks for taking the time to respond.

    I apologize for not asking a more clear question haha

    I guess I am trying to figure out now if the dll crafted from msfvenom is sufficient or if I need to look into creating my own...

    I will try to run the packet capture to see what is going on

    I thought because I could copy the dll from the Share to the user's desktop, that everything was working, but when I run the dns tool, I am not seeing the connection in my smb server.

  • @H31D1 just running the d**c** command won't do anything instantly. The DLL only gets loaded when the D** service restarts. Also be aware that if anyone else runs that command in between you doing it and restarting the service, it'll overwrite your DLL path with theirs and so you won't get any results. Quite an annoying "feature" on a box that has multiple people attacking it at once
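
Added example, not part of any post in this thread: a defender-side correlation, in Python, of the behaviour described above, where the DNS plugin DLL path is only acted on at the next service start and a later write replaces an earlier one. The events are constructed and simplified; the field names, `LAB\` accounts, 198.51.100.x addresses and 10-minute window are assumptions, and the registry value name and event IDs (Sysmon 13, Service Control Manager 7036) do not come from the thread.

```python
from datetime import datetime, timedelta

# Registry value the DNS service reads its plugin DLL path from at start-up.
PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events with simplified fields (not real logs):
# id 13 = Sysmon registry value set, id 7036 = service state change.
KEY = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
EVENTS = [
    {"time": "2020-01-20T10:00:05", "id": 13, "target": KEY,
     "details": r"\\198.51.100.7\share\a.dll", "user": r"LAB\user_a"},
    {"time": "2020-01-20T10:01:10", "id": 13, "target": KEY,
     "details": r"\\198.51.100.9\s\b.dll", "user": r"LAB\user_b"},
    {"time": "2020-01-20T10:01:40", "id": 7036, "service": "DNS Server", "state": "stopped"},
    {"time": "2020-01-20T10:01:55", "id": 7036, "service": "DNS Server", "state": "running"},
    {"time": "2020-01-20T11:30:00", "id": 7036, "service": "DNS Server", "state": "running"},
]

def find_plugin_loads(events, window=WINDOW):
    """Return one finding per DNS service start that follows a plugin-path write."""
    findings, pending = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 13 and ev["target"].lower().endswith(PLUGIN_VALUE):
            # Only the last write before the restart is the path that gets loaded.
            pending = {"written": ts, "path": ev["details"], "user": ev["user"],
                       "overwrote": pending["path"] if pending else None}
        elif (ev["id"] == 7036 and ev["service"] == "DNS Server"
              and ev["state"] == "running"):
            if pending and ts - pending["written"] <= window:
                findings.append({**pending, "loaded_at": ts,
                                 # A UNC path means the DLL came from a remote share.
                                 "remote": pending["path"].startswith("\\\\")})
            pending = None  # report each write once, even though the value persists
    return findings

if __name__ == "__main__":
    for f in find_plugin_loads(EVENTS):
        print(f"{f['loaded_at']} DNS started after {f['user']} set plugin path "
              f"{f['path']} (remote={f['remote']}, replaced={f['overwrote']})")
```
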

  • @VbScrub I saw that happening a few times... at one point today it was a fight to keep my dll in there, so instead of holding up someone else's progress I took a break haha.

    @6a6d6c has given me some material to research that might be my solution. Need to rethink my dll... hopefully can root this soon.

    Thanks for the feedback

  • @H31D1 said:

    I thought because I could copy the dll from the Share to the user's desktop, that everything was working, but when I run the dns tool, I am not seeing the connection in my server.

    In addition to what @VbScrub has said, if you aren't seeing the initial request on your server, the chances are you aren't sending the payload.

    Key things are how you call it and how you map the path to your payload via server and in the command.

    Once you see the payload sent, you need to be pretty quick with the stop/start. I found it frustrating because it can take a while for the stop to work, so you never know if your start will be a start on your attack or someone else's :smile:

  • I haven't got root yet, but I'm close. I tried running my msfvenom dll as the user and I can see why it's failing...so I created a simple dll and managed to get it to ping me...yay, but then my reverse shell code gets stopped for the same reason as the msfvenom dll... just a heads up :)

  • Tried to get some source from git for the d** (x64)
    Uploaded to Resolute, and linked the d** to the service.
    Restart, nothing happens.
    Is there any trick to compile the file?

  • Finally!!

    C:\Windows\system32>whoami & hostname
    whoami & hostname
    nt authority\system
    Resolute
    

    Did with d*l method, will try to find easy way now...

    Kirzaks

  • Just finished this one today with the d** method. Wondering what the "easy" way was? Also plenty of hints in here, I am TRASH at Windows boxes and this thread saved me. PM if you're totally stuck and I'll see what I can do.

  • edited January 20

    I was in the same boat as @H31D1. I got as far as testing a x64/s/rev payload with rundll and got a shell, but when I assign that same dll url to that service, I would see the payload get delivered when the service starts, but with no resultant session creation.

    Stopping both resolute and msf and starting both fresh got me root when I tried again. :/

    What makes these more difficult than they should be is not being able to trust the foundational stuff -- broken tools, and shared servers in unknown states.

    Speaking of broken tools, win*m through msf would not work, at least for this version of Windows. I compared how evil was doing it, and ms is using XML payloads while evil isn't. The XML payloads would get back 500 errors from the server. The ms winrm code on GitHub shows 3 years old, so buyer beware.

  • Type your comment

    Feel free to PM me for help on boxes, but if my help was useful, do consider tossing me +1 respect!

  • Alright Ladies and Gents! I have been working on ROOT for quite a while now! I'm certain that I know the avenue of approach, it is just not working for me LOL. Regardless, I am USER number 2 as expected, I am using ev**-wirm and I have utilized msve*om to create my payload. I HAVE NO CLUE HOW TO CONTINUE!

    Any help would be frikken fabulous! I'm not familiar with D Inetion!

  • 100% Nevermind!

    USER: Enumerate according to all available cheat sheets and you WILL find what you need

    ROOT: DO NOT and I repeat DO NOT overthink this! There is a tool that will quite literally walk you right into success without all the wild and unnecessary jazz!

    HINT Thanks a bunch Rapid7, as always you have proven that trusting my "Equipment" is the true way to success!
