Multimaster

OK feel like an idiot reading back over the posts. so without spoilers, I have 17 aka 4 hashes. thought I knew the format as hash-id said so, but trying to crack passwds nothing matches. tried online, wrote a python script comparing with hash(ry) etc. nothing matches hashes found. need a little nudge please. is the hash type one of the ones hash-id said… and hopefully no the hmac one… :slight_smile:
DM/PM whatevs. :slight_smile:

ok got hash type (with help). now back to working out how I should have known it

Great box, really great box.

Got user last night. Working on going from first on-box user to another, but have exhausted all my normal options. Anyone available for a PM to talk things through?

Update: Rooted! I sincerely enjoyed this box. It was a crazy challenge, learned many things, and completed my first insane box!

@applepyguy said:

Got user last night. Working on going from first on-box user to another, but have exhausted all my normal options. Anyone available for a PM to talk things through?

For me, everything on this box was hard but it is a mix of lots of enumeration and some lateral thinking.

If you are in the user account which gets the flag, enumerate all aspects of the account. If you find something which groups the account with other users, look at them because there is a good chance you’ll need to get into almost every one of their accounts.

Look to see if you can find any interesting running processes that might be vulnerable to a public exploit. From there more enumeration and more enumeration (a popular puppy might help with last bit).

Took 4 days to own this monster. Can’t express the struggle. Frustating but awesome parts were initial shell and user2. Root was easy compared to that. Pm for nudges.

i can not get any thing in response when i use un*** operation i know there is injection for that i use UC* bypass it work for some statement but for un*** response is

i am missing someting ?? PM

edit : working fine

Is there any trick to read the root flag?
I’m getting an md5-like content from “root.txt” but HTB says that the flag is wrong. I don’t see alternate streams or similar.
Is this a problem with the flag submitting system?

@Hashut said:

Is this a problem with the flag submitting system?

I think Multimaster uses a dynamic flag - and it was one of the first to do so. The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.

If you are having problems, it’s definitely worth raising a Jira ticket Jira Service Management

I think the biggest issue is on boxes where you have to do several steps to get root - resetting and retrying may well become tedious. However, on this box it should be ok as you can log in & exploit fairly quickly.

@TazWake said:

The main advice here is to submit as soon as you root and if that doesn’t work, reset the box, wait a bit and see if there is a new flag you can use.

Yes, that worked. Thanks a lot.

i am suck at user i got hash but i don’t know users try all 17 but don’t get anything
need help
edit : got a way to get the users with m*****-d***.py

edit : m*****-d***.py need modification or run command menually

Hey. I got valid creds for user *********mo and the pass nan1. I verified it with winrm utility login in MSF. Yeah it is working. But when I try to login with those creds using evil-winrm… “execution expired” … this is the only message I’m getting. Did a lot of resets and updated my ruby, rubygems and evil-winrm also. But yet the result is same as dump. Can anyone please show me a way how to fix this?
It took a week to enum the valid creds but this error really killing me.
Please dm me if you have any solution.

Hey all got a valid user login via msfconsole, but when trying with evil-winrm get Timeout error? anyone else getting this?

Hey @COVID19 . I have the same issue and haven’t found any fixes. If you have any solution, please share here.
Thanks

Maybe someone is skewing around with you ?

Type your comment> @Warlord711 said:

Maybe someone is skewing around with you ?

Turns out it was my own VPN was blocking the connections

Finally, a box that makes me question my existence.

■■■! What an insane box!
This is the first active Insane Rated box I ever owned.
It just took 13 days to complete with a lot lot of help from Friends and forum.
So proud that I did it.
Learned a lot along every steps.
Thanks for the creator.

***EDIT - Got it, thanks to a kind soul who helped me.

I can make a query to look up anyone/thing using the D, but I can’t quite figure out how to make a query to find where the user I need is within in the large range of possible R’s. Is there a way to query all possible? If someone can DM me, I can explain better. I am trying not to give anything away here.

Finally got user in this insane machine, and thanks from info by @hasky and @syn4ps

Edit: rooted, very difficult machine, used all the windows skills to try

Did something change on this box and open up more than was intended?

I harvested the 4 hashes and cracked 3 of them, and I have been trying to figure out login with no success. Today, while showing my non-tech GF that you can determine if a username exists or not in a domain, I reran an uncredentialed script from yesterday and got different output, specifically a newly crackable hash for a user that turns out to be a server admin.

Did the box just need a reset, or was this not the intended path?