Nest

@zweeden said:

any nudges on empty debug file? poked a little at reporting but only was able to change dirs and list. everything else wanted me to contact administrator

Take a look at how the windows file system can save file content.

@norsec said:

@zweeden said:

any nudges on empty debug file? poked a little at reporting but only was able to change dirs and list. everything else wanted me to contact administrator

Take a look at how the windows file system can save file content.

Hmm interesting, I never even knew that was a thing! Playing on high port now and showing files. Found an interesting ldap file. Took the value into what I ran before but I get a padding exception. :confused:

Anyone up for nudging me again with decrypting this value or at least where to look next?

Thanks all !

@zweeden said:

@norsec said:

@zweeden said:

any nudges on empty debug file? poked a little at reporting but only was able to change dirs and list. everything else wanted me to contact administrator

Take a look at how the windows file system can save file content.

Hmm interesting, I never even knew that was a thing! Playing on high port now and showing files. Found an interesting ldap file. Took the value into what I ran before but I get a padding exception. :confused:

Anyone up for nudging me again with decrypting this value or at least where to look next?

Thanks all !

DM me if you want

Could someone help me, because I have never explored a Windows machine?

■■■■ - got through pretty quickly until i hit the DEBUG password… took me a couple of hours of head bashing…
Once you get that far, pretty easy

Overall a good box, lots of enumeration needed.
Great job @VbScrub

On the last step for root, almost 2 hours on it, but unable to find the cause for that error.
Until now great box, and I learned a lot.

@FuxSocy said:

On the last step for root, almost 2 hours on it, but unable to find the cause for that error.
Until now great box, and I learned a lot.

I’ve been stuck at the same step. I feel like I’m missing something, because I doubt this is a guessing challenge.

Advice to all… If you copy code from your Linux to your Windows box please set a paste expiration time

If you are receiving padding issues - most common issue is related to encryption/decryption differences - check how you are doing this.

@FuxSocy @Cerbersec said:

@FuxSocy said:

On the last step for root, almost 2 hours on it, but unable to find the cause for that error.
Until now great box, and I learned a lot.

I’ve been stuck at the same step. I feel like I’m missing something, because I doubt this is a guessing challenge.

No guessing or brute forcing required on any part of this box. You can ignore the database connection error - just focus on the service itself

@VbScrub said:

@FuxSocy @Cerbersec said:

@FuxSocy said:

On the last step for root, almost 2 hours on it, but unable to find the cause for that error.
Until now great box, and I learned a lot.

I’ve been stuck at the same step. I feel like I’m missing something, because I doubt this is a guessing challenge.

No guessing or brute forcing required on any part of this box. You can ignore the database connection error - just focus on the service itself

I am at the other step which needs to decrypt something.

Pretty lost right now and would like some help please. I am currently logged in to both services. Found 2 important files. One has creds on it and the other has a long string as a password which looks like base64. Tried to decode using base64 but nothing. Also looked through the high port and went through directories but found nothing. Would like a nudge via PM if possible.

@VbScrub said:

@salt said:

Late to the party!

Just curious, was the unintentional way MS17-010?

the unintended way was literally just:

  1. Find basic user creds.
  2. Run psexec.py (or metasploit psexec) specifying those basic user creds.
  3. Get shell as local system instead of basic user :slight_smile:

This was due to a wonky ACL on the service control manager that allowed all users to create new services… meaning everyone could just create a remote shell service running as local system. I changed the ACL back to the default and that fixed that.

I have to say though I’m kind of confused as to why people are even trying to run psexec as a regular user, because in 99.9% of cases that will fail (like it does now on this machine) because users don’t normally have permission to create services. I guess fair play to the people that tried it though because this was the 0.1% of the time it worked haha but yeah, fixed now.

@ekenas said:

Thank you @VbScrub for a nice box! You really taught me something new about the windows file system that I have never seen on a windows box before and I’ve been working in the IT industry for many years!

Thanks for letting me play :wink:

Glad you enjoyed it :slight_smile: and yeah when I first found out about that “feature” after about 6 years of working in Windows admin jobs I was like wow how has no one ever mentioned this to me haha
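The ACL problem described in the post above can be audited from the defender's side. This is an added example, not code from the thread or from the box author: it parses the SDDL string that `sc sdshow scmanager` prints and flags allow-ACEs that give a broad group the create-service right. Both sample SDDL strings are constructed for illustration, and the function and constant names are hypothetical.

```python
import re

# SDDL right codes that include SC_MANAGER_CREATE_SERVICE (0x0002) on the SCM object:
# DC is the bit itself, KA and GA cover all access, GW's generic mapping includes it.
CREATE_CODES = {"DC", "KA", "GA", "GW"}
# Same idea for rights written as a hex mask: create bit, GENERIC_ALL, GENERIC_WRITE.
CREATE_MASK = 0x0002 | 0x10000000 | 0x40000000

# SDDL SID aliases that cover ordinary, non-administrative users.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
                  "DU": "Domain Users", "IU": "Interactive", "NU": "Network",
                  "AN": "Anonymous", "BG": "Builtin Guests"}

# Constructed samples: a restrictive DACL, and one where AU also holds DC.
BASELINE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
                 "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)")
WEAK_SDDL = "D:(A;;CCDCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"

def grants_create(rights: str) -> bool:
    """True if an ACE rights field lets the trustee create services."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CREATE_MASK)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & CREATE_CODES)

def risky_scm_aces(sddl: str) -> list[tuple[str, str]]:
    """Return (trustee name, rights) for DACL allow-ACEs that let broad groups create services."""
    # Take only the DACL: "D:", optional flags, then the run of ACEs (stops before "S:").
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            continue
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type == "A" and trustee in BROAD_TRUSTEES and grants_create(rights):
            findings.append((BROAD_TRUSTEES[trustee], rights))
    return findings

if __name__ == "__main__":
    for name, sddl in (("baseline", BASELINE_SDDL), ("weak", WEAK_SDDL)):
        print(name, risky_scm_aces(sddl))
```

An empty result means no broad group in the DACL can create services; any finding is the condition the post describes as allowing all users to create a service that runs as local system.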

Thank you for path and nice box.
enumerated brainstorm))
Now I am trying to find anything that can help me get the pass for the c.s**** user.

Hi all, I’m not sure if this problem should be posted here, but here it goes. I already found a user and a pass to use SSH to enter the machine, but my SSH doesn’t let me enter the password, it just keeps processing forever. Does anyone know what I can do to solve this?

@Mouuzartt said:

Hi all, I’m not sure if this problem should be posted here, but here it goes. I already found a user and a pass to use SSH to enter the machine, but my SSH doesn’t let me enter the password, it just keeps processing forever. Does anyone know what I can do to solve this?

You can’t SSH into this machine. It’s Windows, and like most Windows machines it doesn’t have an SSH service running on it

I must say that I had to try the correct path.

It seemed very good to have to leave the drawer and use another OS to solve the challenge, I tried several times in my Kali but I could not compile, so the final steps had to be with the rival.

I must say that the final root cost me a lot for the code, but writing on the console was very natural to me.

Tracks.

Foothold-> Enumeration, always enumeration.
User-> It is clear that there is no shell, and everything remains very intriguing but you have to keep an eye on the evidence, I recommend you have recursive.
Root-> This was the best part, finding the objects and especially seeing the inside of them was the trick, remember to check the requirements before launching your last instruction, since you have each element only prints the screen what you need.

Great challenge …

P.S. If this is spoiler please delete.

@VbScrub said:

@Mouuzartt said:

Hi all, I’m not sure if this problem should be posted here, but here it goes. I already found a user and a pass to use SSH to enter the machine, but my SSH doesn’t let me enter the password, it just keeps processing forever. Does anyone know what I can do to solve this?

You can’t SSH into this machine. It’s Windows, and like most Windows machines it doesn’t have an SSH service running on it

Sooo what should I use instead of SSH to get inside the machine? Because I tried to install psexec.py from GitHub but it is giving me a fatal error: repository not found, and I’m getting rly frustrated because this was going to be my first machine being solved, but it looks like it is not going to happen. Pls help me out

@Mouuzartt said:

@VbScrub said:

@Mouuzartt said:

Hi all, I’m not sure if this problem should be posted here, but here it goes. I already found a user and a pass to use SSH to enter the machine, but my SSH doesn’t let me enter the password, it just keeps processing forever. Does anyone know what I can do to solve this?

You can’t SSH into this machine. It’s Windows, and like most Windows machines it doesn’t have an SSH service running on it

Sooo what should I use instead of SSH to get inside the machine? Because I tried to install psexec.py from GitHub but it is giving me a fatal error: repository not found, and I’m getting rly frustrated because this was going to be my first machine being solved, but it looks like it is not going to happen. Pls help me out

Do your best m8. Also it’s labeled easy but it’s not that easy if you don’t know what you have in hand. I kindly advise you to get a VIP and go through old boxes and read the writeups. Trust me, it’s the best way to go forward.

So this is my 2nd Windows box, and at the 1st I have only user flag so far … yes I “love” Windows boxes :wink:
I’ve found a list of user dirs on a share and found out that at least 2 of them can successfully log in to the higher port.
I also found two files on a share, but I can’t access them. Is this a rabbit hole?

Is enumerating the higher port the way to go?

I could use some help with last part for root. I have a VM and the exe and conf but don’t really know where to go from here. Anyone know of any material I can reference/de facto tools to use? Looked at similar boxes with r.e. but got nowhere.
Thanks :slight_smile: