Multimaster

Finally got User. Had to go do a bunch of other boxes and come back a month later but I’m glad I did. This is easily the hardest user flag I’ve done so far

Got user. What a journey. Many thanks to @velocicat and @lesleybw for helpful articles.
Root now.

Edit: Rooted. That was an awesome box. Many thanks to @MinatoTW and @egre55 for such an enjoyable and painful journey. I learnt a lot. Thanks @zeeshansahi for the nudges.

Hi
got 4 hashes but stuck at cracking them. Any hint on them?

Spoiler Removed

I am completely lost getting from user1 to user2. I think I found an exploit using the c******g tool but that's become a no go because it's raising an AV alert. Can anyone help with a nudge?

EDIT: Finally rooted. Painful but educational box. Thanks @MinatoTW and @egre55 for a great experience

Finally rooted! Thanks @egre55 & @MinatoTW for such a nice box.

Long journey to root but effort is really rewarding. For nudge please DM.

And thanks @MariaB for sharing article on user enumeration.

After 3 days of struggling @0F0Bh and I finally managed to root this one.

Hats off to the creators!

Thanks to @MariaB for some sanity checks along the way :smile:

User: Don’t let that WAF scare you too much.
Way to root: What are other people doing on the machine?

Hardest box I’ve ever rooted; it took a full week and a lot of help. Thanks to @MariaB, @metuldann, @zeeshansahi, and @nasri136TH - you guys are great! @gurbanli's advice above was memorized over the past few days getting through this - great overall guide. Lots of enum and users to get before the easier ending. Just enum everything new with each new user, and remember preauth isn’t ineradicable.

RooTed … need hints ?? ping me on discord icoNic#0097

Arrexel

WTF

this box was really great

@gurbanli said:

Rooted. User part was more difficult than root part. But root part was long

Hints:
Foothold: Abuse pi functionality with well-known OWASP attack and bypass WAF
User1: Enumerate with what you have in order to get what you need
User2: look who you are and which processes are running
User3: Reverse it
User4: Standard AD Attack with imp****
Root: Standard windows privilege escalation

These were all the hints that I needed. I just want to add the initial foothold. You will need to write some scripts.

Thx I learned a lot!

PS: when you own this box you got the name

Managed to get user. Now stuck on lateral movement, any hints would be appreciated for this stage.

If anyone managed to bypass AMSI on the machine, please let me know how you did that :slight_smile:

(this is not related to the solution of the machine… I’m just generally curious if anyone found a way!)

Kind regards

edit: got an answer for the bypass… thank you all :slight_smile:

Root dance yesterday! What a journey! This has been the longest path to root ever! I learned a ton of stuff and rooting this beast was not easy… So my hints and thanks are:

  • foothold: find a way to bypass the WAF
  • crack those hashes (thanks @Chr0x6eOs and @idomino for reminding me that yes, they are crackable, under 5 sec BTW)
  • user 1: enumerate the AD. Thank you @APD1970 for sharing that article!
  • user 1 to user 2: Thanks @phate890 and @nasri136TH for the nudges and @PwnAddict for sharing that article. This was new to me and I overcomplicated stuff a lot. A week break helped me to see this through. I used some of that pizza and I finally got it :slight_smile:
  • user 2 to user 3: Enumerate. To which folder you have access now? Anything that sticks out (filename and date)?
  • user 3 to user 4: Send the dog out and google as handy scripts will be blocked
  • user 4 to root: typical

So a big thanks to the creators!

Finally rooted after a week!
First two steps were really insane but also a great learning opportunity.

Thanks to creator for such a great box @egre55 and @MinatoTW
Also thanks to @zime and @Skunkfoot for the nudges.

Pm me if anyone needs help on this

Hi guys so the last 2 days all I have done is read about wafs and how they work.
I can see 17 users to start with. I have also run a bypass using a ww tool but I am not getting anywhere.
@MariaB I would appreciate if you can share the article with me as learning is more important than actually getting any flags for me.
Any hints or articles will be taken with open arms.

@idevilkz said:

Hi guys so the last 2 days all I have done is read about wafs and how they work.
I can see 17 users to start with. I have also run a bypass using a ww tool but I am not getting anywhere.
@MariaB I would appreciate if you can share the article with me as learning is more important than actually getting any flags for me.
Any hints or articles will be taken with open arms.

Same exact point. Have 17 employees, but can't get further. Tried to fuzz with intruder but it's too slow to finish. Focused on 403’s and 401’s but can't get any entrance point nor the hashes. I am definitely stuck.
Any learning material would be appreciated.

@tuzz3232 @idevilkz I messaged both of you. And it is not that you can't message me directly? :)

Finally got user!
It was insane. Thanks a lot @MariaB for sharing that useful article. It helped me bypass the WAF and get the desired hashes. Cracking the hashes must be quick, you don’t need to complicate things.
AD enumeration was not easy. I had to write my own RIDiculous script to enumerate all the AD users.
Now on to root…