Resolute

For user1: Active Directory enumeration will give you good information. After obtaining this information and connecting to a Windows service, it will give you a password for that first user.
User2: Logged in with the username and password you obtained earlier, look for things in C: using some commands that give you better kept information.

For Root: when using Wi *** eas.exe it will show you some things there is spo go on Google and search for this information, it will give you all the way to privesc.

Anything can call me …

That was the best machine I’ve ever made.

Hello! Can someone help me with the last steps to get root? PM, I’m really stuck for a few hours… :neutral:
Thank you!

I’ve tried a couple of things, but I haven’t been able to get them to work. msv seems the easiest route; after paying attention to architecture and creating a basic reverse shell, I am unable to actually get the shell using dnsc**. Could use a nudge.

Stuck for hours and hours on checking if the victim is able to access my share through the smb…
“net view \smb_server_ip” → net.exe : The Server service is not started
Can someone help me? :frowning:

Amazing machine. Humbled me too much.

C:\Users\Administrator\Desktop>whoami 
whoami 
nt authority\system

C:\Users\Administrator\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Really good box! I was nervous seeing there was no http service like usual but it really helped me learn about some new tools and Windows! Thanks to the creator!

Rooted! Interestingly, I was able to root this machine much more quickly than my previous Windows boxes, Sauna and Monteverde. As if what I have learned so far was being put to good use. All the useful hints are already available on this forum thread.

user1: be diligent with your enumeration, I didn’t expect to find the useful bit of information there, but I did it anyway, and it’s there.
user1->user2: hunt for a hidden place
user2->root: check his group, what he can do with it, and inject the exploit

Argg…
So I’ve got access to R & I’ve got a possible payload with I’m Packett running…
But I can’t get access to it from R no matter what.
All fine locally…
Tried usual dir //somenumbers/etc…am I missing something?

Hello, I obtained user access but I have a problem with root access:
the victim (resolute) doesn’t come to me to pick up the payload on my SMB server. Could you help me? There is no connection to my SMB server, but it listens well:

impacket-smbserver -debug share /tmp
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

and I execute the dnscmd command on the server with the good options normally…

Finally got root.
Delays were I admit my own fault, maybe trying too hard?
Had to stop and start the root side from scratch.

Think my neighbors are wondering what’s happened…bit of a cheer when that rev shell started working.

Good box, learned a lot.
Not to mention checking and trying the simplest solutions first.

Rooted. Good box, learned a ton. Be patient, what you tried once (or more times) that didn’t work may suddenly start working. I suppose that is how it goes with shared boxes.

Ugh. Literally have every command set up for privesc to execute quickly but the ■■■■ box keeps timing out connections after one or two commands. Traceroute keeps going from one hop to 30 and timing out. VPN connection shows as stable too. Anyone else have issues with it? Tried on EU, AU, and USA servers.

Rooted. I learnt a lot, thanks to the creator of the machine.

User: automatic enumeration and brute force are enough to get the credentials.

User2: enumerate what you cannot see.

Root: check privileges, google and create your payload. Msfvenom is your friend.

If you need any nudge, feel free to PM me.

Rooted. Fun box.

PM me for hint.

User: Very easy. Enumerate service.
Root: I liked this method technically. It’s pretty easy to do. Check services and search google.

Rooted Finally!! Great Box
User1: Enumerate all the services running. Sometimes peace is found underneath the trees of the forest
User2: Some things are just there, you should be able to look at everything
Root: What can I say, I tried the d** injection exploit. You should know the exploit beforehand, otherwise it’s difficult to find. Groups are your friends.

Also, if anyone would dm me about the second method to root, I will highly appreciate it :slight_smile:

Could use some help with the last step to root. I believe I know what to do, however I can’t get the command to call back to me at all. It says it was successful but I’m not seeing anything calling back.

Anyone else seen this? I don’t seem able to check the registry so can’t verify if the command has taken hold.

Many thanks
Wns

Another great and funny box! Thanks @egre55

FOOTHOLD: enum4linux and test with each one
USER1: WinRM, take your magnifying glass and/or your shovel
USER2: enumeration (groups…)
ROOT: find the right SERVICE NAME to use

Got first user as m****** but having trouble getting second user while using the shell with e*** ***** and searching the different files and folders.

Any suggestions?

I would really appreciate some guidance over the root exploitation. It might be that my Windows skills are not that good, read all the forum and still not clear what to try, user was found (m******), but cannot advance anymore. Please PM me if you wish to help. Thanks!

Awesome box, learned new ways to attack AD, thanks!
PM for nudges