@c0met said:
ROOT - Once you've found who you are, Google is your friend. There's a lot of POC in the wild. Do a lot of research.
Yeah, this is an issue now. Since this box went live there are now a lot more scripts and tools for this specific exploit (I even made one myself). So when people say "you don't need to modify anything in the POC" it's potentially misleading depending on which one you're using.
FWIW the original POC on a fairly well known blog was po******* code and definitely did need one small part changing to work on this machine.
Agree with @VbScrub.
I finally rooted this machine after reading lots of articles and POCs about this particular vulnerability. Learnt a lot of new techniques about po******** tricks. It was fun.
Wow, this box is really easy. I did Forest before, which was a lot harder.
User: Basic enumeration. Honestly, the password part isn't guessing at all. It's just a basic check you should always perform.
Root: Easy. Just google. Try to understand the service in question (Microsoft Docs). Then you just have to do some basic troubleshooting and alter the C********S****g Information in the right script you got from googling (search word: POC). That's it!
Hello, may I kindly ask someone to nudge me on the root?
I have the 2 part files and also the pshell script, and I think I know where I am going wrong but am failing to correct it.
Awww yeeeah! What a rush, ended up writing a bit of a custom exploit for root, not sure how others got there, but the road was bumpy. Probably the first time I got a Windows root without resorting to reading the comments on the forums, and it feels so good.
It started off when I noticed something different compared to other Windows boxes I'd done. Decided to Google it, and lo and behold there were a bunch of blogs and talks about this exact thing - great! Looked involved, but I couldn't find any other route, so I started reading and following along. Only problem is their code doesn't work in this case, and neither do the manual steps, for a couple of reasons.
I’d love to know how other people got around these hurdles. I ended up doing some manual extraction of data, then modifying one of the blog’s code and running that. Even this wasn’t plain sailing though due to the annoying output of another tool.
OK, I have rooted this with some help.
It's an irony that people will post here saying it's rooted and done.
There is a lot going on in that machine, and here are some pointers for all who are on to it.
Take this opportunity to learn, not just to crack it.
Initial Foothold:
Once you have enumerated and found the users, just think what you can do with the list and how you can compare it to get the details.
Or another way is to just think of how lazy admins think. I couldn't get it working this way, but then I found out I was using the wrong tool to test, although I did guess the password right.
Once In:
Then have a trawl through the folders and see what kind of server that is, i.e. a modern MS offering, and see if you can find anything useful on Google.
At this point, you will find some articles. Read them and understand them, and how the structure etc. works and saves info. You will see this server has that a wee bit different.
At this point, also think of what happens when you run something fishy on your personal PC, as it may help.
PM me and I will try to guide you with hints in the right directions. I have learned a lot from this VM and ended up setting a test environment to understand in detail.
User Hint: Enumeration of users is key. Don't overthink credentials, and no brute forcing is required.
Root Hint: Look at the applications running on the server and ask why they would be running on this box. One of the usernames gives a hint as to what this box might be used for. When you have this, google how this function works.
USER: The password part is really trivial, but there's the risk you'll get frustrated very soon (I lost several hours…). Make sure you include all users in your users list; I discarded a few of them (thinking they were not related to the user.txt file) and lost so much time trying to find a non-existent user/pass match. Thanks to @TazWake for the nudge!
ROOT: Thanks to everyone who commented in this discussion. Each comment helped to identify the right tool to exploit the right service. Learnt a lot of new stuff I wasn't even aware of. Some difficulties configuring the connection, but some good M$ utilities helped a bit…
If you’re struggling with the Foothold, here is my advice:
A) Build a simple password list based on typical bad practices. A wordlist will more than likely not work.
B) If that doesn't work, remember there is more than one service running on the box.
I finally got through after a lot of reading around so many exploits (I'm never signing up for z** lol). I did not need to play around with the PoC like many others here because our man @VbScrub is a legend both on HTB and in other places (wink wink)!!