Resolute


Comments

  • And rooted. Nice box - really getting better at this attacking Windows bit
    Anyone needs a hand - drop me a PM

  • @BILAVBOLILOO said:

    my ubuntu still listening on 0.0.0.0 host, but i want to set it to any hosts. Any helps are appreciated !

    0.0.0.0 is synonymous for ANY (on IPv4) ;)


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited February 19

    @OrangeHat said:
    Also, when using Get-ChildItem remember to use the -Force

    Random tip: you can just use ls in powershell instead of having to type out get-childitem every time. Ls is an alias for the get-childitem cmd. Also don't have to type the full -force. It can just be -fo (if there wasn't another parameter beginning with F then it could be just -f)

  • I took a break from this machine for a couple of days because I could not get the listener to connect.

    Was anyone able to use meterpreter, or is nc the way to go?

  • edited February 19

    @menorevs said:
    I took a break from this machine for a couple of days because I could not get the listener to connect.

    Was anyone able to use meterpreter, or is nc the way to go?

    Try the manual way. Nc should be straightforward. But also check the payload. If it isn't quite right, it won't reach your listener.

  • edited February 19

    Rooted.
    Really fun and chill box. It doesn't matter where you are on this machine, the path is always as clear as daylight.

    Foothold and User: Basic Windows and AD enumeration skills. Just read the outputs. Then go back to your enumeration once again and connect the dots.
    Root:
    1 The permissions are really tight, there's not much where to search, so it's just habit from looking things from a certain way.
    2 After you change users, there's an enumeration technique that will show you something odd. Research it!
    3 Try to do things manually. If you researched the right thing, there are a few excellent blog posts that explain everything you need to root it. I was stuck quite a bit on the last step thanks to my syntax. I went for a coffee, ate something and I realized what I was doing wrong then.

  • I don't want to sound cocky, but I literally got user in less than 10 minutes!! And this is a medium-rated box..

    My question is, why in god's name are all windows boxes using lp for initial enumeration?
    This is the 5th Windows box I do in this week, and literally all of them use lp!

    I know it is very important in 2020, and we need to focus on securing it, but not all Windows boxes have to use it!

    I feel sorry for @ippsec when the time comes and all of these boxes get retired and he'll have to make 5 videos that are 90% similar!

    I apologize for the fuss, but after 5 boxes I couldn't keep it to myself.

    In any case, thanks to the box creator for the great box. He probably didn't intend for it to be a duplicate effort, but probably all of these boxes were released at the same period, which is the main issue here.

  • First box! I rooted when I read page 21 of 22. Thanks for all subtle hints in the comments.

    Feel free to pm

  • Is the box meant to be going completely unresponsive every 5mins?

  • @crash0 said:

    ...
    3 Try to do things manually. If you researched the right thing, there are a few excellent blog posts that explain everything you need to root it. I was stuck quite a bit on the last step thanks to my syntax. I went for a coffee, ate something and I realized what I was doing wrong then.

    Sounds a lot familiar. Haven't found my error yet, though :disappointed:
    Though I also might be half a step behind, since the "simple test" doesn't work on that machine, while it works perfectly fine on my own Windows PC :neutral:


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • @OrangeHat said:
    @ShellInt0x80 My hint would be not to restrict yourself to C:\Users, but try looking further afield, and in particular look for directories that you don't recognize, or look out of place/uncommon. Also, when using Get-ChildItem remember to use the -Force

    Thank you very much, for the information and the helpful video.

    Greetings

  • PM me if you need help for this machine. Rooted. Very interesting box :)

  • edited February 20

    Gotcha. Great box @egre55!

    This was the first box that I rated as very high for the real life score. I've seen these kinds of mistakes (and worse) being made in production environments and so this box tickled me greatly.

    No need to go hunting for lengthy hacks, everything you need is likely on your system already and the info you need is all right there in the file system. As usual, enumeration is key.

    PM for Help!

    If I helped you, feel free to respect+. This is the way. I have spoken.

  • Stuck in getting the second user. I tried going for the root folder and seeing hidden files for hours in vain. Can you PM me for help, please?

  • edited February 20

    Finally rooted this badboi, what a journey!

    User 1
    Think of a technique that involves trying one thing against many other things, like spraying if you will. Enumerate to find the thing.

    User 2
    Search for interesting text in files.

    Root/Admin
    More than half the battle with enumerating this box was knowing which path to follow, because nothing jumped out (maybe a sign of my inexperience). Annoyingly none of the enum tools like winPEAS, PowerUp, etc flag the key info as being something important. Bear this in mind! Luckily some of the hints on here helped nudge me towards the right path.

    With the exploit, don't attempt to copy the file to local unless evasion is your bag; Something will get in your way. Also, the executable needs moar bits!

    OrangeHat

  • Rooted, interesting way to get to the root.

    Greetings

  • Finally rooted.

    Shout out to @OrangeHat and @scythian for the hints.

    If I could give any advice, make sure you add file extensions to Windows commands.

  • OK. I am stuck. I am at the point of performing the d** in****** to get root. All seems to work well except like some other people my listener never seems to catch anything. I have tried different architectures and different ports on the payload but they all give the same result. I have confirmed that the payload gets downloaded to the client. I am sure I am missing something obvious but I have no idea what at this point.

    If someone could PM me some hints on the payload syntax I would really appreciate it.

  • edited February 21

    Grabbed the user flag from User1. Is User2 required for getting root? Spent some time looking around, but haven't found the interesting files yet to make the move. If anyone wants to give me nudge towards User2 creds I would appreciate it.

  • Well, I finally figured out the problem. It was the equivalent of messing around with routing tables for hours and then deciding to see if the cables are plugged in. For those that may be having issues with the listener and you are using some blog posts to help with the payload, be careful with the share names. :)

    It may look like your payload has worked but it might be a blank payload. Feel free to PM me if I might be able to help

  • edited February 22

    @VbScrub and @AzAxIaL , Thank you for your contributions to the thread. Helped me out.
    Rooted.
    I happened to go through the hard way of writing d** from ms**i*** and using im******'s sbe****.py. If anyone used the easy tool me******t, please DM me
    Initial: Find what services are running, figure out how to talk with them and see if they store any goodies
    User1: I used CME for this but it doesn't look like anyone else has, but draw basic lines between users and security
    User2: Dig under ground, find some fat fingers
    Root: understand your new role and all the power it provides. Then the ol google for how to advance that role.

    DM me if nudges

    Asking for help? Please describe where and what you have tried thus far, so I don't spoil too much.
    If you believe I was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/125272

  • Random Tips:

    User 1: you got a lot from enum. Read slowly. If you got something, try to make it work with something else.

    User 2: search for something that...hides. Under your nose.

    Root: easier than you actually think. Don't need to upload any files. A*m***e is enough.

  • @scaffolds said:
    Grabbed the user flag from User1. Is User2 required for getting root? Spent some time looking around, but haven't found the interesting files yet to make the move. If anyone wants to give me nudge towards User2 creds I would appreciate it.

    User 2 is the way for the top.

    Start from the beginning: try to see further.

  • Thanks for the tips @Pierl666, between those and the nudge from @alha1134 I was able to finally get into User2.

    Was definitely overthinking the process and ultimately just didn't enumerate well enough initially.

  • If anyone could give me some confirmation I am heading the right way for root here, please PM me! Thank you

    Giz

    Hack The Box

  • I am really confused. I got the creds, which work great, but I am unsuccessful in getting a shell. Any tips are greatly appreciated.

  • @linkerslv Did you try something evil with those creds??

    Watskip

    < Soli Deo Gloria >

  • Anybody willing to DM me to look at my PoC for root privesc on Resolute? Banging my head all day and I'm pretty certain I have the steps. I've tested my payload on a separate machine and it works, but I can't get it to call back on the box.

    th3jiv3r

  • Hmm, failing at last hurdle, anyone about who could give me a PM to check a few things please? :) thanks in advance

    Hack The Box

  • Thanks! nice machine! learned some new stuff!
