Cascade

@IvanGlinkin said:

Guys, I’m stuck on the smb. I have a connection as the r.t******* user.
I looked through all of the dirs (mount and then ‘ls -laR’), but I couldn’t find anything interesting for further steps (except email, VN*.reg)
P.S. I cannot connect to AU**T$, because r.t******* doesn’t have permission to it.
Can you PM me with help? Thank you!

Check what is inside the files you found :wink:

Rooted - great box @VbScrub :smile:

@IvanGlinkin said:

Guys, I’m stuck on the smb. I have a connection as the r.t******* user.
I looked through all of the dirs (mount and then ‘ls -laR’), but I couldn’t find anything interesting for further steps (except email, VN*.reg)
P.S. I cannot connect to AU**T$, because r.t******* doesn’t have permission to it.
Can you PM me with help? Thank you!

The answer is inside your question.

Rooted - but had to move to a Windows box at least twice on this one.
Starting to think I need to have a Windows VM on standby for these boxes.

Very much enjoyed it. Closer to hard than medium though, I thought.

@x00byte said:

Hi, so I got the root flag first. Is this an unintended method?

Probably. Depends how you did it.

Rooted!

Some hints:
Initial foothold - This took by far the longest for me because I was looking in the wrong spot. Typically when I see AD environments, I’ll use a particular service to get a list of usernames. However this time, once you have that, move on to another service that you might often overlook.

User - Look for interesting things with your new access. You’ll find something, but it’s encoded weird. Do some googling.

User2 - Simple RE

Root - Enumerate your user and start Googling.

Thanks guys. Finally got it. Thanks)

Excellent box :slight_smile:

My hints

User:

  • Enumerate manually and look for secrets.
  • Then re-enumerate manually and look for another secret.

Root:

  • Look for how the file works.
  • Look for what the note means, and Google it.
  • Use PS native commands; it will be easier.

Rooted! Amazing box!

Rooted!!! Lot of manual work and thanks to all for hints :smiley:

@VbScrub said:

@x00byte said:

Hi, so I got the root flag first. Is this an unintended method?

Yep. Someone probably restored an object they shouldn’t have. Don’t really know why they’d do that as you only gain permissions to do that when you already have root :confused: but yeah, reset the box and try again

Well, I have to do it again?

Thanks @VbScrub for putting this together.

I really enjoyed the box after the initial step which I honestly found not that realistic: if you dump an entire GC on a real AD environment you end up with so much data that “without knowing that there is something” you’d never actually take the time to go through it manually.

That’s just my opinion of course, it took me way more time to find that piece of information than get to the root.txt so probably I’m biased :smile:

The next steps are very well and logically connected!

Rooted!!!

Wow, what a ride @VbScrub, that initial foothold cracked my skull for quite some time, but once over it, it was smooth sailing until the RE step, and @cyberafro and @EvilT0r13 helped me cross that bridge.
Looking back at it, I can see how the machine was really straightforward and could have potentially been rated easy. I guess that RE changed that rating. A lot of hints in the initial enumeration to complete the whole box honestly, enum enum and more enum!!!
This box just added onto my now extensive experience in AD bro, interacting with the dead was a brand new concept to me completely.

Would anyone be willing to nudge on what to do with the hex info in .r** file? I am out of ideas what else to try. I got r.t user and password, looted through files and have been completely stuck for 2 days since…

@egorchel said:

Would anyone be willing to nudge on what to do with the hex info in .r** file? I am out of ideas what else to try. I got r.t user and password, looted through files and have been completely stuck for 2 days since…

Google the tool and there are a few articles on how to translate that into a real password. It’s easier on Windows but can be done in Linux as far as I am aware.

Spoiler Removed

Rooted. I really like this machine.
@VbScrub, waiting for your next one. Thanks for the great boxes :slight_smile:

I don’t normally comment on boxes. This one actually represented the difficulty level in my opinion. As far as how real it is, very real if you’re doing a pentest. Dumping GC and grepping for keywords is a very common way of finding interesting things, even if you’re a normal admin doing maintenance.

Kudos @VbScrub

Rooted. Thanks @VbScrub for the good box.

Hint for root: all that you need is the right param.

When I got my hands on the root, I understood what everyone’s admiration meant.
Very nice box. Thanks to @VbScrub.