Multimaster

So if you have the passwords maybe you miss the other part…

I’m trying to ask this as cryptic as I can, please mark it spoiler if too much. So I managed to use a user/pass pair in a service where I was surprised I can only access ****** and can’t access D**********, found new information in ****** that I’m not sure yet how useful it is. Is that the way?

Edit: sorry was an idiot, got the user flag :slight_smile:

Edit2: aaaaand it was decided that the ‘patch’ will reset all progress… not cool.


Ok. I guess I miss something…
I have no problem getting a list of users (with 2 methods: kte and web front end) and I don’t see any WAF blocking me. By the way, actually I can’t enumerate the web front end (the WAF thing must be here :)) and… I’m lost.
Can’t get any hash from the users I found (even changing domain etc…) so can’t get any real entry point (nor dictionary, nor dog, nor evil etc…).
So my only question is: should I work harder to scan the web front end, or should I work harder with tools like im t, or is there another way I totally missed :slight_smile: ?

Is rockyou supposed to be used for the hash? Tried that with about 10 other dicts and nothing so far

@idomino said:

I’m trying to ask this as cryptic as I can, please mark it spoiler if too much. So I managed to use a user/pass pair in a service where I was surprised I can only access ****** and can’t access D**********, found new information in ****** that I’m not sure yet how useful it is. Is that the way?

Edit: sorry was an idiot, got the user flag :slight_smile:

Edit2: aaaaand it was decided that the ‘patch’ will reset all progress… not cool.

I didn’t find the user reset to be that bad actually… It was almost the exact same thing, you just couldn’t abuse the original tool and wordlist.

Edit: Rooted. Pretty tough box, especially after those user runs. Happily learned quite a bit from this one.

Foothold: Refer to @clubby789 as his comment is spot on here. The bypass isn’t as difficult as you think. Once you know how to bypass the WAF, enumerate away!

User: Your username wordlist may be a bit too short right now… Try harder :smile:

Root: AD is a monster. Send the hounds. Common enumeration/privesc techniques should be enough to get you through this one.

I might be a little bit out of my league here, but found the users along with the homage users, currently trying to exhaust all possibilities for where the hashes are, so far feeling pretty good, not feeling beat down by the box yet… I’ll check in tomorrow to see if I have more gray hairs.

Trying to get the needed username. I think I know what to do, but because of the WAF I cannot reuse any code, but instead need to write my own.

This part is really frustrating… If anyone has gotten the needed user to login the intended way, could you PM me, so I can check if my script is correct?

Nice learning experience so far though. :slight_smile:

Edit: Finally got user!
This was really tough. I liked the part to get user though. Really made me look deep into a lot of things I never really even thought about.

Thanks to @MinatoTW and @egre55 for the painful, but awesome experience so far.

Root must wait till tomorrow… This was really exhausting.

Edit 2: Got root!
Really interesting walk through AD.
However, the box has a bit of a design-flaw so that it can easily spoil other users…

Ok got the user the intended way now as well :slight_smile: I’m worried what root will be like, because so far this wasn’t really Insane. Medium/Hard at best depending on your comfort level with certain things.

Are the 403s expected? really annoying

@gu4r15m0 said:
Are the 403s expected? really annoying

Yes, it’s part of the game :wink:

Finally got root, really nice machine!

Anyone that owned the machine willing to discuss different approaches to own the entire domain? Please PM me.

Hi, found 17 but not sure if I need to find anything else from there, took 17 and pushed to packet but nothing, any advice?

Rooted.

One of the best machines I have ever done so far. Thanks to @MinatoTW & @egre55, I learned a bunch of new things.

User hint: Take a look at the principal running services we always use to perform certain kinds of attacks and try a way to breach.

Root hint: Lateral and enum, lateral and enum, lateral and…

Rooted! This was a tough box, but a great learning experience for abusing Windows/Active Directory. Finding the right username for the user part was where I got stuck, but thanks to @idomino for the nudge in the right direction. I learned a new technique. :smiley:

After that, as has been mentioned, it’s just lots of enum and lateral movement. I liked that each lateral movement could serve as a “checkpoint” you could return to pretty easily (in case of resets, fatigue).

I learned a lot and got to put into practice a lot of techniques I’ve mostly read about. Thanks for the great box @MinatoTW and @egre55.

@init5 said:

cracked hashes… aaaand they aren’t leading anywhere?
Can you hint how you cracked them? I tried everything with the unique ones.

Edit: got user
Edit 2: Finally got root, many thanks to my friend @rootSySdk for his nudges and patience.
Learned a lot of things, thanks to @MinatoTW and @egre55 for this great box.

Anyone wanna throw a nudge towards bypassing that WAF? I feel like I’ve tried to tamper with everything.

Rooted! Khm at least got the root flag :slight_smile: Will come back at some point to get a full shell. Insanely fun machine, more of a marathon than a sprint. Thank you @seekorswim and Shusaku for those 2 nudges in the right direction. Great box @MinatoTW and @egre55!

@farbs said:

Validated users and dumped a hash. Onward! :slight_smile:

Edit: Passwords obtained!

Any hint about how to find the hash? Impacket or Web? Or any reading material?

Thanks!
