Multimaster

Spoiler Removed

Spoiler Removed

Spoiler Removed

Finally rooted!!! All the initial foothold is in this forum… Thanks for the root nudges @PwnAddict

@dinkar said:

Finally rooted!!! All the initial foothold is in this forum… Thanks for the root nudges @PwnAddict

Welcome bro!

From https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers:

The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.

Finally got root, a very long but very interesting way to root.
I learned a bunch.
Thanks for this box!
PM me for hints.

@init5 said:

@clubby789 said:
@init5 said:

I am bashing my head against the wall since last night; even after bypassing the WAF, nothing is crackable from what I managed to dump. ?

It’s crackable, just not the first thing you see.

I got 17 in total with only 4 being unique, tried rockyou.txt against everything, but nothing worked.
I am guessing I’m moving in the wrong direction.

Same point, been stuck for hours. A nudge would be welcome :slight_smile:

@syn4ps said:

@init5 said:

@clubby789 said:
@init5 said:

I am bashing my head against the wall since last night; even after bypassing the WAF, nothing is crackable from what I managed to dump. ?

It’s crackable, just not the first thing you see.

I got 17 in total with only 4 being unique, tried rockyou.txt against everything, but nothing worked.
I am guessing I’m moving in the wrong direction.

Same point, been stuck for hours. A nudge would be welcome :slight_smile:

Same here :neutral:

I feel stupid, but I just can’t get past the WAF. A nudge would be greatly appreciated.

Hi guys. I am stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP etc…?

@moszkva said:

Hi guys. I am stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP etc…?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

EDIT: Slow down the queries to get a full list of Domain Users… I was grepping my script output and did not notice the 403s… User owned!

@syn4ps said:

@moszkva said:

Hi guys. I am stuck for hours after bypassing the WAF, exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for any of the users enumerated earlier. I found two other users after expanding my username list and using k*****te, but I still don’t have a valid password. Am I on the right path, or should I perform further enumeration such as directory enumeration, LDAP etc…?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

Yes. This is where I am right now. I got new domain users, but the cracked passwords are not valid for them.

I tried to log in with them to other services and to mutate them based on frequently used rulesets. But nothing :frowning:

I thought these are just default passwords which have been changed by the users, and this is the reason why they are not valid.

I also thought that somehow I should reset the users, as these are their default passwords, but I could not find a way so far to perform this.

Just got the user flag. The cred is still valid, so keep trying harder.
Onto root now.

Spoiler Removed

I’m stuck trying to crack the hashes, could anyone give me a hint? :smile:

@MrBlu3 said:

I’m stuck trying to crack the hashes, could anyone give me a hint? :smile:

With the right hash function and rocks, you can crack them in under 5 seconds :slight_smile:

I just got user.

Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.

For the initial users, yes, I can give a good article which can help with the overall exploit.
But finding the real user was insane and beautiful : )
I struggled so much, but when I found it I was super proud of myself. Was so so cool…

Now onto root… Let’s see if I will struggle again :smiley: most probably yes : )

BIG THANKS @egre55 and @MinatoTW for this amazing box.

If you have trouble smelling what the Rock is cooking, you can try to Google for “hash brown analysis online”. It’s not what you think it is.

To correct myself so that I don’t sound so bad b**** :slight_smile:
For the next user I can also provide reading material.

mariab