Resolute

hi guys!
This is my 1st week on htb and the 2nd windows machine I work with, and I’m completely stuck at the very beginning…
By means of e4*x I enumerated a bunch of users, whose credentials I tried to break using password=name or surname in
kerberos
smb
winrm
but I got no luck.

Any hint by PM on how to get credentials, please?
Thank u SO much!

EDIT: I completely misread some juicy information #facepalm

finally got this box,
Easy and nice

@glezo1 said:

hi guys!
This is my 1st week on htb and the 2nd windows machine I work with, and I’m completely stuck at the very beginning…
By means of e4*x I enumerated a bunch of users, whose credentials I tried to break using password=name or surname in
kerberos
smb
winrm
but I got no luck.

Any hint by PM on how to get credentials, please?
Thank u SO much!

EDIT: I completely misread some juicy information #facepalm

What does not work for one user might work for the others

Just rooted. This is my first root on an active machine with zero help. Super fun and I learned a lot. Thank you @egre55 for the box.

What an intense box. Learned a ton!

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>

Finally done. Thanks to b0ssk for some interesting hints! Great machine, learned so much

Finally rooted! Learnt a lot of things on this box.
I used msm to create the d , I*******-S***** and dn****. Can anyone PM me on how you solved this the easy way with m*******t? I tried a few things initially but wasn’t successful with this. Thanks in advance!

Hello,

I am now connected to WinRM and able to run the dog tool but I have not been able to copy the generated zip file back to my Kali. I got errors trying to use “Copy-Item”. Could someone please give me a hand on that? I have tried other options as New-SMBShare but I don’t have permissions.

Not sure how to retrieve that file to run the l*** analysis.

pp123

Edit: NVM, I got it after checking some ippsec’s videos.

Hummm I’m completely stuck here…
I think I shall upload a payloaded d-- and compromise the d–c-d program, but, no matter how I generate the payloaded d-- with m–v—m, the AV keeps detecting it.
Any word of advice by PM, pleeease?

This is my second attempt at hacking a box and I’m still learning all the tool sets and how to use them. I have found what I believe to be the correct command for a payload, but would like someone to help me better understand how it works. I have not been able to get it to work yet, but I’m pretty sure it is correct.

Full disclosure…I feel I got most of this box on my own, but being so new to this…I did have to find a tutorial on this last part…and now just want help understanding it.

Please PM me if you’re willing to hear my thoughts on this code and then tell me where my logic is flawed.
Thnx

@glezo1 said:

Hummm I’m completely stuck here…
I think I shall upload a payloaded d-- and compromise the d–c-d program, but, no matter how I generate the payloaded d-- with m–v—m, the AV keeps detecting it.
Any word of advice by PM, pleeease?

I think I’m in the same boat as you. Can’t seem to get my privilege escalation to work. How do you know it’s the AV that keeps detecting you? Is there something you are checking or see that states the AV picked it up?

I can no longer connect to winrm. Took a couple weeks off the box so perhaps something was changed, or maybe something wrong on my end? I have the valid user/pw combo for the two users and previously had been using the evil tool to connect to the box successfully (with both the aforementioned users). Just trying to work on root privesc.

I reset the box a couple times to no avail. If someone knows what’s up please shoot me a msg, thanks.

@bodyrot said:

I can no longer connect to winrm. Took a couple weeks off the box so perhaps something was changed, or maybe something wrong on my end? I have the valid user/pw combo for the two users and previously had been using the evil tool to connect to the box successfully (with both the aforementioned users). Just trying to work on root privesc.

I reset the box a couple times to no avail. If someone knows what’s up please shoot me a msg, thanks.

I can confirm the evil tool is still working to connect as I have been using it all day trying to get root.

Mouse51180 said:

I can confirm the evil tool is still working to connect as I have been using it all day trying to get root.

Thanks for letting me know, maybe it has to do with me switching servers earlier in the day.

EDIT:
Haha, wow. Note to self. Take better notes and thoroughly read the help blurb for tools. Was using -ip flag for the ip instead of -i. YEEEESH! Anywho, crisis averted.

@Mouse51180 said:

@glezo1 said:

Hummm I’m completely stuck here…
I think I shall upload a payloaded d-- and compromise the d–c-d program, but, no matter how I generate the payloaded d-- with m–v—m, the AV keeps detecting it.
Any word of advice by PM, pleeease?

I think I’m in the same boat as you. Can’t seem to get my privilege escalation to work. How do you know it’s the AV that keeps detecting you? Is there something you are checking or see that states the AV picked it up?

Hey!
My d-- files keep being deleted… so… there’s a really funny user, or, more likely, the AV is catching the payloaded d–, no matter what I try.

Rooted! :smiley: Hoorray!!!

C:\Users\Administrator\Desktop > getuid
Server username: NT AUTHORITY\SYSTEM
C:\Users\Administrator\Desktop > dir
100444/r--r--r-- 32 fil 2019-12-03 16:31:54 +0100 root.txt

Wow! Finally rooted!! :smiley:

The user.txt has been challenging because I didn’t enumerate enough initially :wink:
The root part has been super easy once I found the right ms*t module!

By the way, I also tried the D** Inj******* method but had trouble with the AV; I’d be really interested if someone could please explain how to bypass it…

Root Owned!
Thanks to @EvilT0r13 for helping me at the last parts. Got a new tool in my arsenal to use now.

When I run the d*md command it does not contact my smbserver. I do not know why, but I’m stuck here. I have everything to get root but can’t get my D to resolute. Any help would be very much appreciated.

Hey all!!
I can’t get my privilege escalation to work and I don’t know why. I did:
d** in through dd, payload generated with mm. Everything seems to be working normally but it just doesn’t give m*** user the access :neutral:. Any help please??