Resolute

And rooted. Nice box - really getting better at this attacking Windows bit
Anyone needs a hand - drop me a PM

@BILAVBOLILOO said:

My Ubuntu is still listening on the 0.0.0.0 host, but I want to set it to any host. Any help is appreciated!

0.0.0.0 is synonymous for ANY (on IPv4) :wink:

@OrangeHat said:
Also, when using Get-ChildItem remember to use the -Force

Random tip: you can just use ls in PowerShell instead of having to type out Get-ChildItem every time. ls is an alias for the Get-ChildItem cmdlet. You also don't have to type the full -Force; it can just be -fo (if there weren't another parameter beginning with F, it could be just -f).

I took a break from this machine for a couple of days because I could not get the listener to connect.

Was anyone able to use Meterpreter, or is nc the way to go?

@menorevs said:
I took a break from this machine for a couple of days because I could not get the listener to connect.

Was anyone able to use Meterpreter, or is nc the way to go?

Try the manual way. Nc should be straight forward. But also check the payload. If it isn’t quite right, it won’t reach your listener.

Rooted.
Really fun and chill box. It doesn’t matter where you are on this machine, the path is always as clear as daylight.

Foothold and User: Basic Windows and AD enumeration skills. Just read the outputs. Then go back to your enumeration once again and connect the dots.
Root:
1 The permissions are really tight and there's not much to search, so it's just a habit of looking at things a certain way.
2 After you change users, there's an enumeration technique that will show you something odd. Research it!
3 Try to do things manually. If you researched the right thing, there are a few excellent blog posts that explain everything you need to root it. I was stuck quite a bit on the last step thanks to my syntax. I went for a coffee, ate something, and then realized what I was doing wrong.

I don’t want to sound cocky, but I literally got user in less than 10 minutes!! And this is a medium-rated box…

My question is, why in god’s name are all windows boxes using lp for initial enumeration?
This is the 5th Windows box I've done this week, and literally all of them use lp!

I know it is very important in 2020, and we need to focus on securing it, but not all Windows boxes have to use it!

I feel sorry for @ippsec when the time comes and all of these boxes get retired and he’ll have to make 5 videos that are 90% similar!

I apologize for the fuss, but after 5 boxes I couldn’t keep it to myself.

In any case, thanks to the box creator for the great box. He probably didn't intend for it to be a duplicate effort; most likely all of these boxes were released in the same period, which is the main issue here.

First box! I rooted when I read page 21 of 22. Thanks for all subtle hints in the comments.

Feel free to pm

Is the box meant to be going completely unresponsive every 5mins?

@crash0 said:


3 Try to do things manually. If you researched the right thing, there are a few excellent blog posts that explain everything you need to root it. I was stuck quite a bit on the last step thanks to my syntax. I went for a coffee, ate something, and then realized what I was doing wrong.

Sounds very familiar. Haven't found my error yet, though :disappointed:
Though I also might be half a step behind, since the “simple test” doesn’t work on that machine, while it works perfectly fine on my own Windows PC :neutral:

@OrangeHat said:
@ShellInt0x80 My hint would be not to restrict yourself to C:\Users, but try looking further afield, and in particular look for directories that you don’t recognize, or look out of place/uncommon. Also, when using Get-ChildItem remember to use the -Force

Thank you very much, for the information and the helpful video.

Greetings

PM me if you need help with this machine. Rooted. Very interesting box :slight_smile:

Gotcha. Great box @egre55!

This was the first box that I rated as very high for the real life score. I’ve seen these kinds of mistakes (and worse) being made in production environments and so this box tickled me greatly.

No need to go hunting for lengthy hacks, everything you need is likely on your system already and the info you need is all right there in the file system. As usual, enumeration is key.

PM for Help!

Stuck on getting the second user. I tried going for the root folder and looking for hidden files for hours, in vain. Can you PM me for help please?

Finally rooted this badboi, what a journey!

User 1
Think of a technique that involves trying one thing against many other things, like spraying if you will. Enumerate to find the thing.

User 2
Search for interesting text in files.

Root/Admin
More than half the battle with enumerating this box was knowing which path to follow, because nothing jumped out (maybe a sign of my inexperience). Annoyingly, none of the enum tools like winPEAS, PowerUp, etc. flag the key info as being something important. Bear this in mind! Luckily some of the hints on here helped nudge me towards the right path.

With the exploit, don't attempt to copy the file to local unless evasion is your bag; something will get in your way. Also, the executable needs moar bits!

Rooted, interesting way to get to the root.

Greetings

Finally rooted.

Shout out to @OrangeHat and @scythian for the hints.

If I could give any advice, make sure you add file extensions to windows commands.

OK. I am stuck. I am at the point of performing the d** in****** to get root. All seems to work well except like some other people my listener never seems to catch anything. I have tried different architectures and different ports on the payload but they all give the same result. I have confirmed that the payload gets downloaded to the client. I am sure I am missing something obvious but I have no idea what at this point.

If someone could PM me some hints on the payload syntax I would really appreciate it.

Grabbed the user flag from User1. Is User2 required for getting root? Spent some time looking around, but haven’t found the interesting files yet to make the move. If anyone wants to give me nudge towards User2 creds I would appreciate it.

Well, I finally figured out the problem. It was the equivalent of messing around with routing tables for hours and then deciding to see if the cables are plugged in. For those that may be having issues with the listener and you are using some blog posts to help with the payload, be careful with the share names. :slight_smile:

It may look like your payload has worked but it might be a blank payload. Feel free to PM me if I might be able to help