Rabbit

@excidium we are in the same boat :tired_face:
could someone give a hint to proceed …

The two more difficult hashes might be uncrackable. The 10 easier ones should be useful, or at least some of them are useful.

I’m struggling with a certain payload I have in my hands. My payload is in a way “accepted” by a certain system and looks actually very similar to other payloads I have accidentally seen there, but for some reason it doesn’t have any effect. So maybe it’s not executed or maybe I have missed something about this.

Very humiliating experience this has been so far to me :cold_sweat:

@lokori said:
Who you gonna call? Gobusters! Here’s some gobustering in case someone else has difficulties on this machine or some other machine: gobuster enumerator for hack-the-box machines. This generates huge amount of useless requests.. · GitHub

About to start enumerating this machine, and after I saw your post I decided to modify your script so it works on any GNU/Linux. I am personally using BlackArch as my main desktop, so the path to the files is different, which is why the variables and array.
https://gist.github.com/ReK2Fernandez/fe49a07d096aff95c17572d9ea170ab1

Since that post I have also added -l option to Dirbuster so that I get the length of server response in addition to HTTP status. Sometimes the length makes all the difference to find the interesting one compared to “normal”.

So far I found something interesting among all the rabbits and fake vulns :slight_smile: Not sure if it is the right thing yet, but I was able to create a certain account and then modify certain things to change privileges. Will continue tomorrow, need to work in a couple of hours. Cheers. @lokori yeah, the one I usually use has a couple more options as well.

Any nudge towards priv esc ?

There is access to the correct interface (I guess), there is even a clue given, what to do next. There are even exploits (I tried two so far) which should potentially work and … nothing, no shell so far. What am I doing wrong?

Yeah been poking around this box and found a few rabbit holes. Is someone around to help steer me in the right direction? Been enumerating and testing for vulns for several days. Not sure what is left to test.

So far I found 3 apps (o, j, c). Atm it looks like all of them are rabbit holes. Is one of them the door in, or do I need to do more enumeration? PM appreciated, thanks.

I have access to two of them (probably even to all, did not check everything yet), a number of hashes and … still trying to figure out where the way to getting the user is. Really irritating.

@gash said:
So far I found 3 apps (o, j, c). Atm it looks like all of them are rabbit holes. Is one of them the door in, or do I need to do more enumeration? PM appreciated, thanks.

Maybe one of them is the door, maybe not. Just try to exploit every single endpoint you detected. If you do not, you will never know whether it is the door or not. Try Harder !!

@macw141 said:
I have access to two of them (probably even to all, did not check everything yet), a number of hashes and … still trying to figure out where the way to getting the user is. Really irritating.

Read carefully every piece of information you got while attacking the box. After you realize what you need to do, try to make it work on your own system.

OK, several usernames and passwords/hashes. Anyone know if they are useful or just a rabbit hole?

@securityNinja said:
OK, several usernames and passwords/hashes. Anyone know if they are useful or just a rabbit hole?

You need to try them in order to know.

Anyone up for a hint on prives for RABBIT? I tried several things so far but no luck. Please PM, thx

@gash said:
Anyone up for a hint on prives for RABBIT? I tried several things so far but no luck. Please PM, thx

prives is just there -:wink:

Guys, can I PM someone on Rabbit? I know how to get the shell but it doesn’t seem to work. I just want to know if my commands are OK…

I can receive a ping back from the Rabbit machine but no shell is coming back. Could I PM anyone?

WTF with that box ?

I have probably sent about a hundred documents and all I got so far is an unbreakable NTLM hash.

I tried every possible technique and they all work on my VM with the same AV as the one running on Rabbit, getting me a shell every time.

Such a pain…

Finally got system.

To sum it up: directly reset the box before sending a doc then wait 7 minutes to see if it works.

Tips:

The installed Office software is not the one announced but very close… Are there technical differences between the two? I can’t say, but it may explain some things.

Just act like there is no AV on the system… I mean the doc I used to get a shell was definitely blocked on my box with the AV announced, but it worked on Rabbit. If one doc doesn’t work on Rabbit, just try another method.