cracked hashes.. aaaand they aren't leading anywhere😐
I'm at the same point lol
Try harder
GCIH | GCIA
If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
I'm trying to ask this as cryptic as I can, please mark it spoiler if too much. So I managed to use a user/pass pair in a service where I was surprised I can only access ****** and can't access D**********, found new information in ****** that I'm not sure yet how useful it is. Is that the way?
Edit: sorry was an idiot, got the user flag
Edit2: aaaaand it was decided that the 'patch' will reset all progress... not cool.
Ok. I guess I'm missing something..
I have no problem getting a list of users (with 2 methods: k*****te and web front end) and I don't see any WAF blocking me. By the way, actually I can't enumerate the web front end (the WAF thing must be here) and.. I'm lost.
Can't get any hash from the users I found (even changing domain etc..) so can't get any real entry point (nor dictionary, nor dog, nor evil etc..).
So my only question is: should I work harder to scan the web front end, or should I work harder with tools like im*****t, or is there another way I totally missed?
I didn't find the user reset to be that bad actually... It was almost the exact same thing, you just couldn't abuse the original tool and wordlist.
Edit: Rooted. Pretty tough box, especially after those user runs. Happily learned quite a bit from this one.
Foothold: Refer to @clubby789 as his comment is spot on here. The bypass isn't as difficult as you think. Once you know how to bypass the WAF, enumerate away!
User: Your username wordlist may be a bit too short right now... Try harder
Root: AD is a monster. Send the hounds. Common enumeration/privesc techniques should be enough to get you through this one.
I might be a little bit out of my league here, but found the users along with the homage users, currently trying to exhaust all possibilities for where the hashes are, so far feeling pretty good, not feeling beat down by the box yet... I'll check in tomorrow to see if I have more gray hairs
Trying to get the needed username. I think I know what to do, but because of the WAF I cannot reuse any code, but instead need to write my own.
This part is really frustrating... If anyone has gotten the needed user to login the intended way, could you PM me, so I can check if my script is correct?
Nice learning experience so far though.
Edit: Finally got user!
This was really tough. I liked the part to get user though. Really made me look deep into a lot of things I never really even thought about.
Thanks to @MinatoTW and @egre55 for the painful, but awesome experience so far.
Root must wait till tomorrow... This was really exhausting.
Edit 2: Got root!
Really interesting walk through AD.
However, the box has a bit of a design-flaw so that it can easily spoil other users....
Ok got the user the intended way now as well I'm worried what root will be like, because so far this wasn't really Insane. Medium/Hard at best depending on your comfort level with certain things.
cracked hashes.. aaaand they aren't leading anywhere😐
can you hint how you cracked them I tried everything with the unique ones
EDIT: got user
Edit: Finally got root, many thanks to my friend @rootSySdk for his nudges and patience
Learned a lot of things, thanks to @MinatoTW and @egre55 for this great box
Rooted! Khm at least got the root flag Will come back at some point to get a full shell. Insanely fun machine, more of a marathon than a sprint. Thank you @seekorswim and Shusaku for those 2 nudges in the right direction. Great box @MinatoTW and @egre55!
Comments
@init5 said:
You're not moving in the wrong direction. Try harder
defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”
@init5 said:
I'm at the same point lol
@idomino said:
Try harder
So if you have the passwords maybe you miss the other part...
Is rockyou supposed to be used for the hash? Tried that with about 10 other dicts and nothing so far
Are the 403s expected? really annoying
Yes, it's part of the game
GREM | OSCE | GASF | eJPT
Feel free to PM me your questions, but please explain what you tried, so far.
Finally got root, really nice machine!
Anyone that owned the machine willing to discuss different approaches to own the entire domain? Please PM me.
Rooted.
One of the best machines I've ever done so far. Thanks to @MinatoTW & @egre55, I learned a bunch of new things.
User hint: Take a look at the principal running services we always use to perform certain kinds of attacks and try to find a way to breach.
Root hint: Lateral and enum, lateral and enum, lateral and..
Rooted! This was a tough box, but a great learning experience for abusing Windows/Active Directory. Finding the right username for the user part was where I got stuck, but thanks to @idomino for the nudge in the right direction. I learned a new technique.
After that, as has been mentioned, it's just lots of enum and lateral movement. I liked that each lateral movement could serve as a "checkpoint" you could return to pretty easily (in case of resets, fatigue).
I learned a lot and got to put into practice a lot of techniques I've mostly read about. Thanks for the great box @MinatoTW and @egre55.
OSCP, SSCP

Anyone wanna throw a nudge towards bypassing that WAF? I feel like i've tried to tamper with everything.
> Validated users and dumped a hash. Onward!
>
> Edit: Passwords obtained!
Any hint about how to find the hash? Impacket or Web? Or any reading material?
Thanks!
finally rooted!!! All the initial foothold is in this forum.. Thanks for the root nudges @PwnAddict
> finally rooted!!! All the initial foothold is in this forum.. Thanks for the root nudges @PwnAddict
Welcome bro!
From https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers:
The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation.
Write-ups | Discord - limbernie#0386
Finally got root , a very long but very interesting way to root
I learned a bunch
Thanks for this box !
pm me for hints