Resolute

@VbScrub and @AzAxIaL, thank you for your contributions to the thread. Helped me out.
Rooted.
I happened to go through the hard way of writing d** from msi* and using im******'s sbe****.py. If anyone used the easy tool me******t, please DM me
Initial: Find what services are running, figure out how to talk with them and see if they store any goodies
User1: I used CME for this but it doesn’t look like anyone else has, but draw basic lines between users and security
User2: Dig under ground, find some fat fingers
Root: understand your new role and all the power it provides. Then the ol google for how to advance that role.

DM me if nudges

Random Tips:

User 1: you got a lot from enum. Read slowly. If you got something, try to make it work with something else.

User 2: search for something that…hides. Under your nose.

Root: easier than you actually think. Don’t need to upload any files. Am**e is enough.

@scaffolds said:
Grabbed the user flag from User1. Is User2 required for getting root? Spent some time looking around, but haven’t found the interesting files yet to make the move. If anyone wants to give me nudge towards User2 creds I would appreciate it.

User 2 is the way for the top.

Start from the beginning: try to see further.

Thanks for the tips @Pierl666, between those and the nudge from @alha1134 I was able to finally get into User2.

Was definitely overthinking the process and ultimately just didn’t enumerate well enough initially.

if anyone could give me some confirmation i am heading the right way for root here, please pm me! … thank you

Giz

I am really confused. I got the creds, which work great, but I am unsuccessful in getting a shell. Any tips are greatly appreciated.

@linkerslv Did you try something evil with those creds??

anybody willing to dm me to look at my poc for root privesc on resolute? banging my head all day and i’m pretty certain i have the steps. i’ve tested my payload on a separate machine and it works, but i can’t get it to call back on the box

Hmm, failing at last hurdle, anyone about who could give me a PM to check a few things please? :) thanks in advance

Thanks! nice machine! learned some new stuff!

Rooted !

Very cool box, PM if needed ! :)

Anyone on willing to help with root? I have the second user. From the forum, it sounds like D** inj is the way forward. I have 0 exp with this. Studying now, but could use some guidance if you’re willing. thank you.

what the ■■■■■■ ■■■■ is going on with this root bit?.. I have tried all sorts of different ways to get the dll to restart but no call back, it's driving me crazy!!!

EDIT - debugged and got it working…

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

thank god for that ! i can sleep now!

■■■■, that was a great box. Felt very close to a real world scenario which was nice.

Any hints previously given are pretty on point so I’ve got nothing to add more there.

■■■■ yea!

 Directory of C:\Users\Administrator\Desktop

12/04/2019  05:18 AM    <DIR>          .
12/04/2019  05:18 AM    <DIR>          ..
12/03/2019  07:32 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,961,541,120 bytes free

thank you @disastrpc …that switch stopped me from jumping out a window. couldn’t get why it would not call back. also thank you @beorn and @menorevs . first time in this area, i appreciate the nudge.

Hey,

Is there someone who wants to take me along in the process of priv esc for this box (and probably for another)?

I have a low priv shell like m …

Now I have tried everything, read this thread twice already and I am getting more and more confused.

Suggestion 1 refers to a specific group of which we are a member. This could be exploited without file uploads.

Suggestion 2 refers to a certain attack technique. Now I think I understand that technique in theory, but it is completely unclear to me how I choose the right + the corresponding process.

Many techniques are new to me, many have been reading, so meanwhile an overload of info. No longer actually see the trees through the forest.

I hope that someone can and will help me.

Rooted, pm for nudges

Can somebody pleaseee PM me to discuss root!?!? I’ll tell you what i’ve been trying but cannot get it to work.
RESPECT will be given.

Rooted!
No need to hide your venom, just host it from your own share.

C:\Users\Administrator\Desktop>whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18
...
C:\Users\Administrator>hostname
hostname
Resolute

C:\Users\Administrator>ipconfig /all
ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Resolute
   Primary Dns Suffix  . . . . . . . : megabank.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : megabank.local

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-BD-8A-FA
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.169(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{A20A4417-3DC7-47B7-8F00-87CC59D9F43F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Edit: Got it now.

so is the password for user1 from running enum4 just not the correct password? Seemed so easy but doesn't seem to be working for that user.