Remote

C:\Windows\system32>whoami && hostname
nt authority\system
remote

User was painful, but the best hints for it are already in here. Root took one well-crafted enumeration script, two minutes of google, and one minute of execution.

Rooted!! Nice machine. Revised every basics with this machine.
User: Mounting will help you a lottt and the cve exploit will lead you.
Root: Just some common sense will give you a stable shell and then just some enumeration.
If stuck feel free to pm.

hello I know what to exploit but I can’t find how to set the path.
Can someone push me in the direction

thanks

@jvlavl said:

hello I know what to exploit but I can’t find how to set the path.
Can someone push me in the direction

thanks

Not the easiest question to help with…

For example, I could say “set the host” but that might not help you…

I accessed the file system, i found what i think are a validation key / decryption key in one file and usernames in another file. Tried to john the keys but I got nothing. Are those keys the hashes or am I way off?

@squirrelpizza said:

I accessed the file system, i found what i think are a validation key / decryption key in one file and usernames in another file. Tried to john the keys but I got nothing. Are those keys the hashes or am I way off?

I think you might be going down a rabbit hole here.

The thing you want tells you what user account it is associated with and what algo was used to create it.

FINALLY popped root with the help of a nudge from @cY83rR0H1t

Start

Enumerate at first. Dig through each and every thing you find. You’ll eventually come across a lot of files. It may be easier to work with them locally… If you find any interesting files, instead of looking for software to open/analyze them, look into utilities already available in your terminal. There are a lot of basic Linux binary utilities that can help you here. I actually sat here for a while and refined my skills with a variety of the tools available in almost every linux system, and ended up finding additional information that would help with lateral movement should this be a production system. Really learn the tools available to you. Platforms such as PentesterLab and OverTheWire would definitely help you learn about them.

User

Make sure the exploits you find are for the version of the service you’re likely trying to attack. My (and likely your) tool of choice didn’t have the exploit I ended up using. I highly advise avoiding bundled exploits and those that come up from searching Kali’s filesystem (although you may have more luck with these than I did). I found my exploit online, and not in an exploit database.

You’re going to have to learn and read a LOT about Windows enumeration and privilege escalation procedures if you aren’t familiar with Windows boxes. There are windows versions of popular linux enumeration tools. Because there’s a web server, consider trying to find any services that you might be able to exploit. Also consider using your exploit of choice to help other tools available on Kali to pop a shell.

Root

There are windows versions of popular linux enumeration tools. Once you’ve owned user and enumerated the system, you’ll know what people are talking about when it comes to TV. Enumerate it well. You may find an exploit or tool to help you if you search in the right places.


If any of this was too revealing, please let me know and I’ll edit it. Tried to be as obscure as possible while also providing subtle nudges without explicitly naming anything specific to this box.

Feel free to reach out to me for nudges!

Nice machine :mrgreen:

Rooted without tv, will go back and give that a go now.

thanks @mrb3n

pm for a hint if you’re really stuck.

Hi. I am stuck on my way to user. I have found the s** file but cannot crack anything inside, either it’s not recognized as a hh or doesn’t find any matching pw***. Any nudges?

@dany10101 said:

Hi. I am stuck on my way to user. I have found the s** file but cannot crack anything inside, either it’s not recognized as a hh or doesn’t find any matching pw***. Any nudges?

You know you have the right string if it tells you the algorithm it used.

In turn that tells you how many characters the hash should be and if you use a tool (hashid, cyberchef, whatever) to analyse the hash it should match.

Then, when you know you have copied out the correct characters, you can use the --format= option to specify how you want it cracked.

Then it should crack pretty quickly.

Rooted !
DM if you stuck

Great machine finally rooted! Was unable to do it with the TV so I did it with the Power and google! :wink:

DM if you need help!

Spoiler Removed

rooted!! This was an interesting one to say the least!!

Been trying to root this for a day now. For the past hour I can’t get my reverse shell to even download nc anymore InvalidOperation (System.Net.HttpWebRequest:HttpWebRequest… wtf I’ve been downloading things through the reverse shell with this same method multiple times for the past couple days. Now its jacked even through resetting the box.

Really nice box!
Feel free to PM me if you need help.

Rooted the U***** way. Many thanks to @h0plite for the help. PM for nudges.
Did someone get root the TV way and can help me with that? Still stuck there.

Machine owned! Really interesting.

Feel free to contact me if you need an hint

Spoiler Removed

Hey guys, I found a user hash but after searching it says not a valid hash. So, I’m trying to crack this hash but not getting any idea how to crack it ??. So, need a little help ?