For user1: Active Directory enumeration will give you good information, after obtaining this information and connecting to a windows service, it will give you a password for that first user.
User2: Logged in with the username and password you obtained earlier, look for things in C: using some commands that give you better kept information
For Root when using Wi *** eas.exe it will show you some things there is spo go on google and search for this information, it will give you all the way to privesc.
Ive tried a couple of things, but I havent been able to get them to work. msv seems the easiest route, after paying attetnion to architecture and creating a basic reverse shell, I am unable to actually get the shell using dnsc**. Could use a nudge
Stuck for hours and hours on checking if the victim is able to access my share through the smb…
“net view \smb_server_ip” → net.exe : The Server service is not started
Can someone help me?
Really good box! I was nervous seeing there was no http service like usual but it really helped be learn about some new tools and windows! Thanks to the creator!
Rooted! Interestingly, I was able to root this machine much more quickly than my previous Windows boxes, Sauna and Monteverde. As if what I have learned so far was being put to good use. All the useful hints are already available on this forum thread.
user1: be diligent with your enumeration, I didn’t expect to find the useful bit of information there, but I did it anyway, and it’s there.
user1->user2: hunt for a hidden place
user2->root: check his group, what he can do with it, and inject the exploit
Argg…
So I’ve got access to R & I’ve got a possible payload with I’m Packett running…
Bu I can’t get access to it from R no matter what.
All fine locally…
Tried usual dir //somenumbers/etc…am I missing something?
hello, i obtain user access but i have a problem for root access:
the victim (resolute) don’t come to me to pickup the payload on my SMB server, could you help me (no connexion to my SMB server, but it listen well:
Rooted. Good box, learned a ton. Be patient, what you tried once (or more times) that didn’t work may suddenly start working. I suppose that is how it goes with shared boxes.
Ugh. Literally have every command setup for privesc to execute quickly but the ■■■■ box keeps timing out connections after one or two commands. Traceroute keeps going from one hop to 30 and timing out. VPN connection shows as stable too. Anyone else have issues with it? Tried on EU, AU, and USA servers.
Rooted Finally!! Great Box
User1: Enumerate all the services running. Sometimes peace is found underneath the trees of the forest
User2: Some things are just there, you should be able to look at everything
Root: What can I say, I tried the d** injection exploit. You should know the exploit beforehand otherwise its difficult to find. Groups are your friends.
Also, if anyone would dm me about the second method to root, I will highly appreciate it
Could use some help with the last step to root, I believe I know what to do, however I can’t get the command to call back to me at all. It says it was successful but not seeing anything callingback.
Any one else seen this ? I don’t seem able to check the registry so can’t verify if the command has taken hold.
FOOTHOLD: enum4linux and test with each one
USER1: WinRM, take your magnifying glass and/or your shovel
USER2: enumeration (groups…)
ROOT: find the right SERVICE NAME to use
I would really appreciate some guidance over the root exploitation. It might be that my Windows skills are not that good, read all the forum and still not clear what to try, user was found (m******), but cannot advance anymore. Please PM me if you wish to help. Thanks!