Newer to HTB and first attempt at a live Windows machine (albeit probably too soon)
Found some info via ld*ch after learning it via ippsec, determined when the found accounts were created and assume these are what the other comments refer to with admin bad practices…my issue is I have not found where to try auth…rcnt? Am I on the somewhat right path with this or completely wrong for this box?
User: lazy admin, check all possible paths for login
Root: ensure the script has no syntax errors, one little mistake will stop it. And the biggest one, check the CONNECTION STRING for the appropriate usage.
I’m stuck on this one. More down to lack of knowledge on tooling I suspect. I have found a list of users, groups and the domain etc, but not sure what tools I should be using now to get on the box. SMBmap doesn’t give info on shares, so smbclient doesn’t work, am I looking in the wrong place here?
You are on the right track - once you collect a list of users and know the domain name, you should be able to continue. You can validate the accounts without getting a shell of any sort - look into password spraying on smb, there are various tools.
As others said, the password is something a lazy user/admin would set…
Thanks mate, was just looking into another tool for exactly that purpose!
Interesting box, not very easy and not very difficult (given you have previous experience with Windows boxes).
Hints:
User: lazy users and lazy admins, the most basic password a user thinks of. Try and get your SHARE using the lazy user.
Root: Try enumerating the groups the user is involved in, then do some googling about how to pentest that particular service. You will get the appropriate script.
As always, happy to lend the helping hand only to those who actually want to learn something and not just want straight answers
I can log in now as the a**** a**** user, still over the same protocol. Should I be finding the user flag at this point? I can’t see anything anywhere. Or am I supposed to be connecting to/exploiting something different now with the new creds? Assuming then it’s on to an a**** exploit for root access, but I haven’t even started looking at that yet.
Spent far too long on the initial guessing game. At the end of the day, I suppose it certainly is quite realistic, but I was majorly overcomplicating it. I would have rated this box closer to the “Easy” end of ratings as far as user goes, but I can understand why root might pose more of a challenge for those who are a bit unfamiliar with the service.
Hints per usual:
Foothold: Everyone is right about not needing a wordlist. Once you enumerate the users on the machine (basic scans can do this for you), you have everything you need. Try harder.
Once you have access, look around a bit. There’s something lying around for you which will help you escalate to a different user.
User: Utilize what you obtained. Be evil about it.
Root: Check your groups. Enumerate the service you find, and utilize the POC.
“Try harder” while you thank someone, guess you tried really hard. Thank you for the “try harder” tip at user while directly hinting afterwards at the tool that needs to be used with the credentials.
I think I am in the same boat as @CuriousJ.
I have been so focused on the a**** realm that I barely touched the DB. Thought it was a rabbit hole at first, but not so sure now with this hint. Most of the higher-end queries I attempted returned a “may not have permission to do this”, so I gave up on the DB.