any nudges on empty debug file? poked a little at reporting but only was able to change dirs and list. everything else wanted me to contact administrator
Take a look at how the windows file system can save file content.
Hmm interesting, I never even knew that was a thing! Playing on high port now and showing files. Found an interesting ldap file. Took the value into what I ran before but I get a padding exception.
Anyone up for nudging me again with decrypting this value or at least where to look next?
Pretty lost right now and would like some help please. I am currently logged in to both services. Found 2 important files. One has creds on it and the other has a long string as a password which looks like base64. Tried to decode using base64 but nothing. Also looked through the high port and went through directories but found nothing. Would like a nudge via PM if possible.
Run psexec.py (or metasploit psexec) specifying those basic user creds.
Get shell as local system instead of basic user
This was due to a wonky ACL on the service control manager that allowed all users to create new services… meaning everyone could just create a remote shell service running as local system. I changed the ACL back to the default and that fixed that.
I have to say though I’m kind of confused as to why people are even trying to run psexec as a regular user, because in 99.9% of cases that will fail (like it does now on this machine) because users don’t normally have permission to create services. I guess fair play to the people that tried it though because this was the 0.1% of the time it worked haha but yeah, fixed now.
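A defender-side check for the misconfiguration described in the post above, as an added example that is not part of the original thread: it parses the SDDL text that `sc sdshow scmanager` prints and reports allow ACEs that give a broad trustee the right to create services. The two descriptor strings are constructed samples, and the function and constant names are hypothetical.

```python
import re

# SDDL right codes mapped to access-mask bits. On the service control
# manager object, bit 0x2 (code DC) is SC_MANAGER_CREATE_SERVICE.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F, "GA": 0x10000000,
          "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# Create-service itself, plus generic write / generic all, which map onto it.
CREATE_IMPLYING = 0x2 | RIGHTS["GW"] | RIGHTS["GA"]
# Trustees that cover ordinary users: Everyone, Authenticated Users,
# Interactive, Network, Builtin Users, Domain Users, Anonymous.
BROAD = {"WD", "AU", "IU", "NU", "BU", "DU", "AN", "S-1-1-0", "S-1-5-11"}

def parse_rights(field):
    """Turn an ACE rights field (hex or two-letter codes) into a bit mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= RIGHTS[code]
    return mask

def risky_create_service_aces(sddl):
    """Return (trustee, mask) for DACL allow ACEs that let a broad trustee
    create services. Deny ACEs and the SACL are not evaluated here."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue
        mask = parse_rights(fields[2])
        if fields[5] in BROAD and mask & CREATE_IMPLYING:
            findings.append((fields[5], hex(mask)))
    return findings

# Constructed samples: one where only admins hold full control, and one
# where Authenticated Users have been given DC (create service).
TIGHT = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPWPRC;;;SY)"
         "(A;;KA;;;BA)S:(AU;FA;KA;;;WD)")
WEAKENED = "D:(A;;CCDCLCRPRC;;;AU)(A;;KA;;;BA)"

if __name__ == "__main__":
    print(risky_create_service_aces(TIGHT))
    print(risky_create_service_aces(WEAKENED))
```
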
Thank you @VbScrub for a nice box! You really taught me something new about the windows file system that I have never seen on a windows box before and I’ve been working in the IT industry for many years!
Thanks for letting me play
Glad you enjoyed it and yeah when I first found out about that “feature” after about 6 years of working in Windows admin jobs I was like wow how has no one ever mentioned this to me haha
Thank you for path and nice box.
enumerated brainstorm))
now i try search anything what can help me get pass for c.s**** user.
Hi all, I’m not sure if this problem should be posted here, but here it goes. I already found a user and a pass to use SSH to enter the machine, but my ssh doesn’t let me put in the password, it just keeps processing forever. Does anyone know what I can do to solve this?
You can’t SSH into this machine. It’s Windows, and like most Windows machines it doesn’t have an SSH service running on it.
It seemed very good to have to leave the drawer and use another OS to solve the challenge, I tried several times in my Kali but I could not compile, so the final steps had to be with the rival.
I must say that the final root cost me a lot for the code, but writing on the console was very natural to me.
Tracks.
Foothold-> Enumeration, always enumeration.
User-> It is clear that there is no shell, and everything remains very intriguing but you have to keep an eye on the evidence, I recommend you have recursive.
Root-> This was the best part, finding the objects and especially seeing the inside of them was the trick, remember to check the requirements before launching your last instruction, since you have each element only prints the screen what you need.
Sooo what should I use instead of ssh to get inside the machine? Because I tried to install psexec.py from GitHub but it is giving me a fatal error: repository not found, and I’m getting rly frustrated because this was going to be my first machine being solved, but it looks like it’s not going to happen. Pls help me out.
Do your best m8. Also it’s labeled easy but it’s not that easy if you don’t know what you have in hand. I kindly advise you to get a VIP and go through old boxes and read the writeups. Trust me, it’s the best way to go forward.
so this is my 2nd windows box, and at the 1st I have only user flag so far … yes I “love” windows boxes
I’ve found a list of user dirs on a share and found out that at least 2 of them can successfully log in to the higher port.
I also found two files on a share, but I can’t access them. Is this a rabbit hole?
I could use some help with the last part for root. I have a VM and the exe and conf but don’t really know where to go from here. Anyone know of any material I can reference/de facto tools to use? Looked at similar boxes with r.e. but got nowhere.
Thanks