Multimaster

Managed to get user. Now stuck on lateral movement, any hints would be appreciated for this stage.

If anyone managed to bypass AMSI on the machine, please let me know how you did that :slight_smile:

(this is not related to the solution of the machine… I’m just generally curious if anyone found a way!)

Kind regards

edit: got an answer for the bypass… thank you all :slight_smile:

Root dance yesterday! What a journey! This has been the longest path to root ever! I learned a ton of stuff and rooting this beast was not easy… So my hints and thanks are:

  • foothold: find a way to bypass the WAF
  • crack those hashes (thanks @Chr0x6eOs and @idomino for reminding me that yes, they are crackable, under 5 sec BTW)
  • user 1: enumerate the AD. Thank you @APD1970 for sharing that article!
  • user 1 to user 2: Thanks @phate890 and @nasri136TH for the nudges and @PwnAddict for sharing that article. This was new to me and I overcomplicated stuff a lot. A week break helped me to see this through. I used some of that pizza and I finally got it :slight_smile:
  • user 2 to user 3: Enumerate. Which folder do you have access to now? Anything that sticks out (filename and date)?
  • user 3 to user 4: Send the dog out and Google, as handy scripts will be blocked
  • user 4 to root: typical

So a big thanks to the creators!

Finally rooted after a week!
First two steps were really insane but also a great learning opportunity.

Thanks to the creators of such a great box, @egre55 and @MinatoTW.
Also thanks to @zime and @Skunkfoot for the nudges.

PM me if anyone needs help on this

Hi guys, so for the last 2 days all I have done is read about WAFs and how they work.
I can see 17 users to start with. I have also run a bypass using a ww tool but I am not getting anywhere.
@MariaB I would appreciate if you can share the article with me as learning is more important than actually getting any flags for me.
Any hints or articles will be taken with open arms.

@idevilkz said:

Hi guys, so for the last 2 days all I have done is read about WAFs and how they work.
I can see 17 users to start with. I have also run a bypass using a ww tool but I am not getting anywhere.
@MariaB I would appreciate if you can share the article with me as learning is more important than actually getting any flags for me.
Any hints or articles will be taken with open arms.

Same exact point. Have 17 employees, but can't get further. Tried to fuzz with Intruder but it's too slow to finish. Focused on 403s and 401s but can't get any entrance point nor the hashes. I am definitely stuck.
Any learning material would be appreciated.

@tuzz3232 @idevilkz I messaged both of you. And it is not that you can't message me directly? : )

Finally got user!
It was insane. Thanks a lot @MariaB for sharing that useful article. It helped me bypass the WAF and get the desired hashes. Cracking the hashes must be quick; you don't need to complicate things.
AD enumeration was not easy. I had to write my own RIDiculous script to enumerate all the AD users.
Now on to root…

Rooted this badboy a couple of days ago. Best Windows box I have done on this platform! Kudos to the makers. Several new techniques picked up on user journey. User 1 to 2 was trickiest for me as the exploitable thing kept dying so needed to keep refreshing / updating my script. Thanks to @Frundrod and @syn4ps for reference articles.

@MariaB said:

@tuzz3232 @idevilkz I messaged both of you. And it is not that you can't message me directly? : )

@MariaB I was scared :smiley: you sounded like a lady not to be messed with :D.

Thanks for sending this over

Hey dear community, this machine may be a bit over my skill level, however I try to learn something new. Can someone give me some material about how to bypass the WAF? I'm currently trying it with a common OWASP vuln but always get a 403 Forbidden.

@sh0wa said:

Hey dear community, this machine may be a bit over my skill level, however I try to learn something new. Can someone give me some material about how to bypass the WAF? I'm currently trying it with a common OWASP vuln but always get a 403 Forbidden.

Research different ways to encode characters as a way to bypass WAFs.

Hi, can someone be kind enough to give me a little nudge towards user? I am close but struggling with the r, s, id conversion, I believe, from the shell.

It's okay, the joy of getting to this point can't be explained :slight_smile:

Thank you @MariaB for your articles, as they helped me understand a lot.

Spoiler Removed

Not sure why my post was a spoiler and it was removed, there was only one mention on the first tool that someone will use in these cases. It will be great to have a message from the person that reported it as spoiler to describe what was wrong with it.

In any case if someone needs a hint …

Rooted this box, thanks for all the hints in DM and forum.
HINTS:
initial-foothold: try to escape.
users: 2) unusual proc, 3) enum and search, 4) AD enum.
root: standard escalation but I had to brute force some.

Why am I only getting some Chinese chars, or null? But not giving up. Try harder till death :trollface:

What the f*** I've done I don't know, but I got the needed user direct fr. s**-s****. I swear I tried it a million times. But why this time :hushed:

Finally rooted this box. Learnt a lot, thanks to the posts here and hints from @tupi, @dinosn and @MariaB !

Guys,
I am stuck at User2->User3 process. I found some creds but was not able to find where those are applicable. Can anyone give me a double check if I am (or not) in a blind spot?

Edit: NVM, just solved that. Lesson learnt: try all you can, after enumeration.

Edit: Rooted but without using DOG. Can anyone clarify where it was supposed to be used and how?