Multimaster

Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don’t have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, ldap etc…?

@moszkva said:

Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don’t have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, ldap etc…?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

EDIT: Slow down the queries to get a full list of Domain users… I was grepping my script and did not notice the 403s… User owned!

@syn4ps said:

@moszkva said:

Hi guys. I am stuck for hours after bypassing the WAF and exploiting the vulnerability and cracking the obtained hashes. The revealed passwords don’t seem to be valid for one of the users enumerated earlier. I found two other users after expanding my username list and using k*****te but I still don’t have a valid password. Am I on the right path or should I perform further enumerations such as directory enumeration, ldap etc…?

You should enumerate Domain Users using the same technique you used for the 17 users you found. However, I must say that even if I got a list of them, I could not authenticate with any of them :confused:

Yes. This is where I am right now. I got new domain users but the cracked passwords are not valid for them.

I tried to log in with them into other services and to mutate them based on frequently used rulesets. But nothing :frowning:

I thought these are just default passwords which have been changed by the users and this is the reason why they are not valid.

I also thought that somehow I should reset the users as these are their default passwords but I could not find a way so far to perform this.

Just got the user flag. The cred is still valid, so keep trying harder.
onto root now

Spoiler Removed

I’m stuck trying to crack the hashes, could anyone give me a hint? :smile:

@MrBlu3 said:

I’m stuck trying to crack the hashes, could anyone give me a hint? :smile:

With the good hash function and rocks, you can crack them under 5 seconds :slight_smile:

I just got user.

Was very tough but was worth it. A lot of manual work. I will not give you nudges because the exploitation is awesome and we should struggle.

For the initial users, yes, I can give a good article which can help for the overall exploit.
But finding the real user was insane and beautiful : )
I struggled so much but when I found it I was super proud of myself. Was so so cool…

Now onto root… Let's see if I will struggle again :smiley: most probably yes : )

BIG THANKS @egre55 and @MinatoTW for this amazing box.

If you have trouble smelling what the Rock is cooking, you can try to Google for “hash brown analysis online”. It’s not what you think it is.

To correct myself so that I don't sound so bad b**** :slight_smile:
For the next user I can also provide reading material

mariab

ROOTED. I found root way easier than initial foothold. Of course there was a bit of hopping thru users here as well : )

EDIT: seems I skipped a step thru lateral movement
: ) but will go back and try to do as intended

I guess I need a nudge for root :confused: anyone willing to throw a nugget?

The path to user was one of the most awesome ones I have seen among the machines published.
Thanks @egre55 and @MinatoTW for creating the amazing challenge.

Stuck on root now for 2-3 days, went deep into 2 possible scenarios but couldn’t quite get them working.

If anyone is willing to provide me a small nudge, I would highly appreciate it :slight_smile:

Quick sanity check… got 4 unique hashes but can only crack 3 of them. Should I be able to get all 4?

No, you need to find a user that can log in with a password. But first you need to find that user, which is another moment of struggle : )

@velocicat

No, you need to find a user that can log in with a password. But first you need to find that user, which is another moment of struggle : )
Also, for that user you need to go back and search again.

Finally rooted and I want to once again say:

This was the best machine I’ve ever done on this site, massive props to the creators!

Finally got user! On to root…Great box so far! Thanks to everyone for the nudges and the hints on the forum.

This has been a very hard box for me. Feeling pretty hard-stuck as I finally got nudges to get me close to finding certain types of accounts, but the responses I’m getting back are not being encoded/decoded cleanly. Not sure how to handle.