Multimaster

Rooted this monster…

It's a great box, thank you @MariaB for your articles, after that it was funny…

Just like real world scenarios,

Thanks @egre55 and @MinatoTW, keep doing this amazing job with AD machines.

Even if I get the needed username (from the tool used for the bypass) to log in after the cracking part, I am still obsessed with getting the must-have info for the Python part. Can someone who found that RD part manually, not by the script, reach out to me? Because I am starting to think that no one found that RD manually and converted it to a useful shape.

Edit: @sc0rp9x DMed me and helped me get that process; the only difference between his encoding and mine was the capital letters in the encoded string. Thanks to @apostatic, @MariaB for their patience.

+1 to above. I would like to know this too.
I spent nearly 2 days trying to convert the RID manually but the RID I was getting wasn’t all Unicode, it had some WINGDINGS font in it :)

I have never seen a machine like this in Windows. This machine is ART.
Thank you @MinatoTW and @egre55 and congratulations for creating a monster like this.

Hi,
I got all the usernames from the injection… but looks like all credentials I recovered could not do evil… I need help… xD

OK, feel like an idiot reading back over the posts. So without spoilers, I have 17 aka 4 hashes. Thought I knew the format as hash-id said so, but trying to crack passwds nothing matches. Tried online, wrote a Python script comparing with hash(ry) etc. Nothing matches the hashes found. Need a little nudge please. Is the hash type one of the ones hash-id said… and hopefully not the hmac one… :)
DM/PM whatevs. :)

OK, got hash type (with help). Now back to working out how I should have known it.

Great box, really great box.

Got user last night. Working on going from first on-box user to another, but have exhausted all my normal options. Anyone available for a PM to talk things through?

Update: Rooted! I sincerely enjoyed this box. It was a crazy challenge, learned many things, and completed my first insane box!

@applepyguy said:

Got user last night. Working on going from first on-box user to another, but have exhausted all my normal options. Anyone available for a PM to talk things through?

For me, everything on this box was hard but it is a mix of lots of enumeration and some lateral thinking.

If you are in the user account which gets the flag, enumerate all aspects of the account. If you find something which groups the account with other users, look at them because there is a good chance you’ll need to get into almost every one of their accounts.

Look to see if you can find any interesting running processes that might be vulnerable to a public exploit. From there more enumeration and more enumeration (a popular puppy might help with last bit).

Took 4 days to own this monster. Can’t express the struggle. Frustrating but awesome parts were initial shell and user2. Root was easy compared to that. PM for nudges.

I cannot get anything in response when I use the un*** operation. I know there is an injection; for that I use the UC* bypass. It works for some statements, but for un*** the response is

Am I missing something?? PM

Edit: working fine

Is there any trick to read the root flag?
I’m getting an md5-like content from “root.txt” but HTB says that the flag is wrong. I don’t see alternate streams or similar.
Is this a problem with the flag submitting system?

@Hashut said:

Is this a problem with the flag submitting system?

I think Multimaster uses a dynamic flag - and it was one of the first to do so. The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.

If you are having problems, it’s definitely worth raising a Jira ticket.

I think the biggest issue is on boxes where you have to do several steps to get root - resetting and retrying may well become tedious. However, on this box it should be ok as you can log in & exploit fairly quickly.

@TazWake said:

The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.

Yes, that worked. Thanks a lot.

I am stuck at user. I got the hash but I don’t know the users; tried all 17 but didn’t get anything.
Need help.
Edit: got a way to get the users with m*****-d***.py

Edit: m*****-d***.py needs modification, or run the command manually

Hey. I got valid creds for user *********mo and the pass nan1. I verified it with winrm utility login in MSF. Yeah it is working. But when I try to login with those creds using evil-winrm… “execution expired” … this is the only message I’m getting. Did a lot of resets and updated my ruby, rubygems and evil-winrm also. But yet the result is same as dump. Can anyone please show me a way how to fix this?
It took a week to enum the valid creds but this error is really killing me.
Please DM me if you have any solution.

Hey all, got a valid user login via msfconsole, but when trying with evil-winrm get Timeout error? Anyone else getting this?

Hey @COVID19. I have the same issue and haven’t found any fixes. If you have any solution, please share here.
Thanks

Maybe someone is skewing around with you?

@Warlord711 said:

Maybe someone is skewing around with you?

Turns out it was my own VPN blocking the connections.