Rooted, initial foothold took longer than user and root combined! Thanks to @TazWake for the pointer.
Foothold: not much more to be said on this… don’t overthink it, make sure you are using the correct tool for the job…
User: Simple enumeration, keep looking
Root: Nothing else to add to what has already been said. Google for the exploit, make sure you understand what it is doing, and make alterations where necessary
Ok, got the file on there with what I'm 99% sure is the correct connection string after I did some enumeration on the database side, but it's erroring out
Nevermind.
Got root, I just needed to check the impostor formatting that got into a few characters of the script when copy-pasting it.
+1 on the hint about using Google (literally, use Google. Startpage was sabotaging me with its lack of relevant results)
The connection string part is pretty easy once you do some basic enumeration on the database side (edition, version, instance name, hosted databases, etc)
For future connection string references: SQL Server connection strings - ConnectionStrings.com
I am unable to get RM or its evil brother to work with user SA*J. I did find the XML file in the SMB share. The contents of the file lead me to believe I have a nugget, I am just not sure if it's real or fool's gold. Am I missing something?
I am unable to get RM or its evil brother to work with user SA*J.
I found the more traditional client application for this protocol was the only way I could get it to work with that account.
I did find the XML file in the SMB share. The contents of the file lead me to believe I have a nugget, I am just not sure if it's real or fool's gold. Am I missing something?
The XML file is legitimate. You should now have enough information to get evil working.
Hi guys!
I've enumerated some users, groups and the domain but I can't find the password that needs to be guessed. Have you got any hints?
Yes. You have all the information you need. Make a list of all the usernames you have and a list of all the information you’ve enumerated then try each username with each bit of information.
Oh my… Very hard root. Found a blind area of what I need to learn. Thanks to all who gave hints. Root took me more than a week, and on this box I asked for hints for the first time.
Been guessing passwords by hand for 2h now and 1h yesterday. This isn't fun at all. Any scripts fail, now thinking about creating my own which would at least be productive to some extent. Every single time I try to get into Windows AD world it's like that, stuck at foothold, very frustrating, zero learning.
That’s got nothing to do with Windows or AD though? Credentials could easily be set up in this exact same way with a Linux box, so I’m not sure I get your point.
As for guessing - there’s been plenty of hints in this thread. The main one being that it is an obvious/lazy password but it would not be on any common passwords list. There’s only one scenario that fits that criteria. I do agree in general though - having anything that needs to be “guessed” often leads to frustration and is not a fun experience.
Been guessing passwords by hand for 2h now and 1h yesterday. This isn't fun at all. Any scripts fail, now thinking about creating my own which would at least be productive to some extent. Every single time I try to get into Windows AD world it's like that, stuck at foothold, very frustrating, zero learning.
“It’s not difficult to guess” doesn’t necessarily mean you will get it right the 3rd or 5th time…
I agree with what @VbScrub has said here - guessing is really annoying, simply because what is obvious to you isn't obvious to me.
However, on this box, you can make it a bit easier and it's been said several times on this thread.
List EVERY bit of information you have: domains, usernames, network shares, page content etc. Everything. Then try all of them as a password.
The “real-life” analogy I think applies is using OSINT tools to create wordlists by scraping data. Think CUPP or CeWL. While you 100% do not need to do that for this box, the principle is the same.
What I found frustrating was when I realised I had the password so early on…
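The "list everything you enumerated and try each username against each bit of it" advice above, as an added example that is not from the thread, from HTB or from any box writeup. All domain, user, share and page values are constructed sample data, not data from a real target. Two things go beyond what the thread literally says and are labelled as such in the code: the candidate list also includes case variants and the parts of dotted/hyphenated values (so `corp.example.local` also yields `corp`), and an optional list of lazy suffixes; pass `suffixes=[""]` to test the bare enumerated strings only. The batching function is there because the first thing to do before spraying a domain is to read the lockout policy (`net accounts` on a joined host, or `lockoutThreshold` over LDAP) and stay under it.

```python
"""Build password-spray candidates from enumerated facts.

Added example, not the thread's or HTB's code. All values in ENUMERATED
are constructed placeholders (hypothetical domain, users, shares).
"""

# Constructed sample of the enumeration output the thread tells you to
# collect: domains, usernames, shares, hostnames, words from web pages.
ENUMERATED = {
    "domain": ["corp.example.local"],
    "usernames": ["j.smith", "svc-sql", "admin"],
    "shares": ["Reports", "Backups"],
    "hosts": ["DC01"],
    "page_words": ["Welcome"],
}

# Suffixes people bolt on to satisfy a complexity rule. This is a
# generalization beyond the thread's advice; use [""] for bare strings.
SUFFIXES = ["", "1", "!", "123"]


def case_variants(word):
    """Case forms a lazy admin is likely to have typed."""
    w = word.strip()
    return {w, w.lower(), w.upper(), w.capitalize()}


def tokens(value):
    """The whole value plus its dotted/hyphenated parts of 3+ chars:
    'corp.example.local' -> {'corp.example.local', 'corp', 'example', 'local'}."""
    parts = {value}
    for sep in (".", "-", "_"):
        for part in value.split(sep):
            if len(part) >= 3:
                parts.add(part)
    return parts


def build_wordlist(enumerated, suffixes=SUFFIXES):
    """Every enumerated string (usernames included, so username-as-password
    is covered) expanded into tokens, case variants and suffixed forms."""
    words = set()
    for values in enumerated.values():
        for value in values:
            for tok in tokens(value):
                for variant in case_variants(tok):
                    for suffix in suffixes:
                        words.add(variant + suffix)
    return sorted(words)


def build_pairs(enumerated, suffixes=SUFFIXES):
    """Each username against each candidate, the thread's 'try all of them'."""
    candidates = build_wordlist(enumerated, suffixes)
    return [(user, pw) for user in enumerated["usernames"] for pw in candidates]


def batches(pairs, lockout_threshold):
    """Split attempts so no account gets more than lockout_threshold - 1
    tries per batch; sleep past the observation window between batches.
    A threshold of 0 means no lockout policy, so one batch."""
    if lockout_threshold <= 0:
        return [list(pairs)]
    per_user = max(1, lockout_threshold - 1)
    by_user = {}
    for user, pw in pairs:
        by_user.setdefault(user, []).append(pw)
    rounds = 0
    for pws in by_user.values():
        rounds = max(rounds, (len(pws) + per_user - 1) // per_user)
    out = []
    for i in range(rounds):
        batch = []
        for user, pws in by_user.items():
            batch.extend((user, pw) for pw in pws[i * per_user:(i + 1) * per_user])
        out.append(batch)
    return out


if __name__ == "__main__":
    pairs = build_pairs(ENUMERATED)
    rounds = batches(pairs, lockout_threshold=5)
    print(f"{len(build_wordlist(ENUMERATED))} candidates, "
          f"{len(pairs)} attempts in {len(rounds)} batches of <=4 per user")
    for user, pw in rounds[0][:5]:
        print(f"{user}:{pw}")
```

Write each batch out as `user:password` lines (or separate user and password files) and feed it to whatever sprayer you use; the point is that the candidate list comes from your own enumeration notes rather than rockyou, which is exactly why a common-password list never hits this kind of credential.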