Resolute

Root complete. thanks for a fun box!

Really fun and straight forward box!

C:\Users\Administrator>whoami
whoami
nt authority\system

C:\Users\Administrator>dir Desktop\ 
dir Desktop\
 Volume in drive C has no label.
 Volume Serial Number is 923F-3611

 Directory of C:\Users\Administrator\Desktop

12/04/2019  06:18 AM    <DIR>          .
12/04/2019  06:18 AM    <DIR>          ..
12/03/2019  08:32 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  30,963,376,128 bytes free

C:\Users\Administrator>

Finally got root!
My hints for it ( without repeating other people’s super useful hints)
Second user: I was trying to be smart by scripting my enumeration, but forgot to look for EVERYTHING when doing so (what you can see with naked eye and what you cannot).
Root: when loading the payload remotely, make sure you’re in the right place (it seems like pwsh needs to ‘see’ the content first, before it can load things from a remote location)

Hope this helps people still struggling with the machine, I enjoy it and learned a LOT from it. Thanks @egre55

I’ve gotten root this morning so this is just my mini review and hints for how to root it yourself

The box was really fun, i really liked the Privilege escalation as it was my first time doing something like this! I honestly wouldn’t even consider the box a medium box, an easy box just because how easy user was, but it all depends on how much you know beforehand.

Hints:

User: Don’t script or anything, manually enumerate everything, not only are you gonna learn more this way but also find your way onto root, once you’ve found something interesting about an user, see if, said interesting thing can apply to other users.
User 2: Couldn’t be simpler, just look around in the filesystem, start at C:\ and continue.
Root: Reflect on what you can do.

Thanks for reading! hope you get root! i believe in ya peeps!
DM if you’re still stuck.

Rooted D** way, very nice box.
What about the m********t module? PM me plz…

If anyone is awake and out there i could use some assistance on root. think i have the path i need but haven’t been lucky yet.

I can elaborate more on my methods so far, just PM me please.

Thanks in advance!!

Command failed: RPC_S_SERVER_UNAVAILABLE 1722 0x6BA…still

JMFL

Rooted!

root part was tricky, big thank’s to @EvilT0r13 for support

feel free pm for nudge

Rooted, thanks for this machine. :slight_smile:

finally rooted.
but tbh, i didnt know what service i could exploit until i read the forum.
can someone tell/pm me how he figured this out?
thanks :slight_smile:

got first user… then p/w for second user… struggling to get root …

Wow, waste too much time, thinking there was something wrong with my payload creation…

C:\Windows\system32>whoami
whoami
nt authority\system

Finally !

hint for root : be quick at the end !

Type your comment> @Bokanovitch said:

Wow, waste too much time, thinking there was something wrong with my payload creation…

C:\Windows\system32>whoami
whoami
nt authority\system

Finally !

hint for root : be quick at the end !

got it…your last hint is why it didnt work at first for me then I found the clue that said why to be quick :slight_smile:

Anyone available right now that can help me out? So close to getting root but something is just off… Want to run my process/*** payload/commands, etc by someone and see if the box is messed up or if it’s me. Discord is SullyInATX#4126.

Finally got Root! Thanks to @guanicoe for nudging me in the right direction.

Hey guys if someone can give me a hand.
ive tried with ldapsearch but i didnt find the password of the first user am i on the right path ???

got root but tried to replicate if again but cant seem to repeat this time, does seem inconsistant

Rooted. Really fun machine that I learned a lot from.

For that other user, not everything is immediately visible…

I would really appreciate anyone sharing their enumeration tips as to how the root path was uncovered via PM. A friendly green vegetable didn’t reveal that…

After 2 days finally rooted that box. Biggest challenge for me was using Powershell with those brain-damaged Get-ChildItem. And finding way to compile Windows DLL on Linux. Great box though, very entertaining and real-life feeling. Thanks a lot @egre55

Rooted, onto Cascade! PM for nudges/help. Respect greatly appreciated (and expected, as I give respect to anyone who responds to one of my messages or helps me on Discord - profile link is Login :: Hack The Box :: Penetration Testing Labs).

Really cool box. Especially if you’re new to Medium level boxes, this would be a comfortable start.

HInts!

User: If you’ve done boxes Active, Sauna and Forest, follow the same methodology and READ EVERYTHING!
Root: Enumeration is key. look for not so obvious files then look at who you are on the box.