Multimaster

rooted, very good to learn active directory, powershell and a bit of python

Got root. I really need to work on my scripting.

Thanks to @peek for the nudge!

Type your comment

Finally Rooted.

It is an INSANE machine. You will need to jump many hoops before you can even think of getting either of the USER or ROOT.

Patience is the key with this box. You’ll be able to enumerate without much issues but boy oh boy you need a ■■■■-ton of patience.

Hit me up if you need help.

DISCORD: jtnydv#5773

Can someone please DM me some hints/articles to read how to bypass the WAF.

Finally got User. Had to go do a bunch of other boxes and come back a month later but I’m glad I did. This is easily the hardest user flag I’ve done so far

Got user. What a journey. Many thanks to @velocicat and @lesleybw for helpful articles.
Root now.

Edit: Rooted. That was awesome box. Many thanks to @MinatoTW and @egre55 for such a enjoyable and painful journey. I learnt a lot. Thanks @zeeshansahi for the nudges.

Hi
got 4 hashes but stuck at cracking them. Any hint on them?

Spoiler Removed

I am completely lost getting from user1 to user2. I think I found an exploit using the c******g tool but thats become a no go because its raising an av alert. Can anyone help with a nudge?

EDIT: FInally rooted. Painful but educational box. Thanks @MinatoTW and @egre55 for a great experience

Finally rooted! Thanks @egre55 & @MinatoTW for such a nice box.

Long journey to root but effort is really rewarding. For nudge please DM.

And thanks @MariaB for sharing article on user enumeration.

After 3 days of struggling @0F0Bh and I finally managed to root this one.

Hats off to the creators!

Thanks to @MariaB for some sanity checks along the way :smile:

User: Don’t let that WAF scare you too much.
Way to root: What are other people doing on the machine?

Hardest box I’ve ever rooted took a full week and a lot of help. Thanks to @MariaB, @metuldann, @zeeshansahi, and @nasri136TH - you guys are great! @gurbanli advice above was memorized over the past few days getting through this - great overall guide. Lots of enum and users to get before the easier ending. Just enum everything new with each new user remember preauth isn’t ineradicable.

RooTed … need hints ?? ping me on discord icoNic#0097

Arrexel

RooTed … need hints ?? ping me on discord icoNic#0097

Arrexel

WTF

this box was really greate > @gurbanli said:

Rooted. User part was difficult than root part. But root part was long

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp
****
Root: Standard windows privilege escalation

this were all the hints that I needed I just want to add the initial foothold. You will need to write some scripts.

Thx I learned a lot!

PS: when you own this box you got the name

Managed to get user. Now stuck on lateral movement, any hints would be appreciated for this stage.

If anyone managed to bypass AMSI on the machine, please let me know how you did that :slight_smile:

(this is not related to the solution of the machine… I’m just generally curious if anyone found a way!)

Kind regards

edit: got an answer for the bypass… thank you all :slight_smile:

Root dance yesterday! What a journey! This has been the longest path to root ever! I learned a ton of stuff and rooting this beast was not easy… So my hints and thanks are:

  • foothold: find a way to bypass the WAF
  • crack those hashes (thanks @Chr0x6eOs and @idomino for reminding me that yes, they are crackable, under 5 sec BTW)
  • user 1: enumerate the AD. Thank you @APD1970 for sharing that article!
  • user 1 to user 2: Thanks @phate890 and @nasri136TH for the nudges and @PwnAddict for sharing that article. This was new to me and I overcomplicated stuff a lot. A week break helped me to see this through. I used some of that pizza and I finally got it :slight_smile:
  • user 2 to user 3: Enumerate. To which folder you have access now? Anything that sticks out (filename and date)?
  • user 3 to user 4: Send the dog out and google as handy scripts will be blocked
  • user 4 to root: typical

So a big thanks to the creators!

Finally rooted after a week!
First two steps were really insane but also a great learning opportunity.

Thanks to creator for such a great box @egre55 and @MinatoTW
Also thanks to @zime and @Skunkfoot for the nudges.