Multimaster

Hi, found 17 but not sure if I need to find anything else from there; took the 17 and pushed them to packet but nothing. Any advice?

Rooted.

One of the best machines I have ever done so far. Thanks to @MinatoTW & @egre55, I learned a bunch of new things.

User hint: Take a look at the principal running services we always use to perform certain kinds of attacks and try to find a way to breach.

Root hint: Lateral and enum, lateral and enum, lateral and…

Rooted! This was a tough box, but a great learning experience for abusing Windows/Active Directory. Finding the right username for the user part was where I got stuck, but thanks to @idomino for the nudge in the right direction. I learned a new technique. :smiley:

After that, as has been mentioned, it’s just lots of enum and lateral movement. I liked that each lateral movement could serve as a “checkpoint” you could return to pretty easily (in case of resets, fatigue).

I learned a lot and got to put into practice a lot of techniques I’ve mostly read about. Thanks for the great box @MinatoTW and @egre55.

@init5 said:

cracked hashes… aaaand they aren’t leading anywhere?
Can you hint at how you cracked them? I tried everything with the unique ones.

EDIT: got user
Edit: Finally got root, many thanks to my friend @rootSySdk for his nudges and patience.
Learned a lot of things; thanks to @MinatoTW and @egre55 for this great box.

Anyone wanna throw a nudge towards bypassing that WAF? I feel like I’ve tried to tamper with everything.

Rooted! Khm at least got the root flag :slight_smile: Will come back at some point to get a full shell. Insanely fun machine, more of a marathon than a sprint. Thank you @seekorswim and Shusaku for those 2 nudges in the right direction. Great box @MinatoTW and @egre55!

@farbs said:

Validated users and dumped a hash. Onward! :slight_smile:

Edit: Passwords obtained!

Any hint about how to find the hash? Impacket or Web? Or any reading material?

Thanks!

Spoiler Removed

Spoiler Removed

Spoiler Removed

finally rooted!!! All the initial foothold is in this forum… Thanks for the root nudges @PwnAddict

@dinkar said:

finally rooted!!! All the initial foothold is in this forum… Thanks for the root nudges @PwnAddict

Welcome bro!

From https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers:

The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.

Finally got root, a very long but very interesting way to root.
I learned a bunch.
Thanks for this box!
PM me for hints.

@init5 said:

@clubby789 said:
@init5 said:

I have been bashing my head against the wall since last night; even after bypassing the WAF, nothing is crackable from what I managed to dump. ?

It’s crackable, just not the first thing you see

I got 17 in total with only 4 being unique, tried rockyou.txt against everything but nothing worked.
I am guessing I’m moving in the wrong direction.

Same point, been stuck for hours. A nudge would be welcome :slight_smile:

@syn4ps said:

@init5 said:

@clubby789 said:
@init5 said:

I have been bashing my head against the wall since last night; even after bypassing the WAF, nothing is crackable from what I managed to dump. ?

It’s crackable, just not the first thing you see

I got 17 in total with only 4 being unique, tried rockyou.txt against everything but nothing worked.
I am guessing I’m moving in the wrong direction.

Same point, been stuck for hours. A nudge would be welcome :slight_smile:

Same here :neutral:

I feel stupid, but I just can’t get past the WAF. A nudge would be greatly appreciated

Hi guys. I have been stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP, etc.?

@moszkva said:

Hi guys. I have been stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP, etc.?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

EDIT: Slow down the queries to get a full list of Domain Users… I was grepping my script’s output and did not notice the 403s… User owned!

@syn4ps said:

@moszkva said:

Hi guys. I have been stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP, etc.?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

Yes. This is where I am right now. I got new domain users, but the cracked passwords are not valid for them.

I tried to login with them into other services and to mutate them based on frequently used rulesets. But nothing :frowning:

I thought these were just default passwords which have been changed by the users, and this is the reason why they are not valid.

I also thought that somehow I should reset the users, as these are their default passwords, but I could not find a way to perform this so far.