Resolute

D*****ins INJECT no work!! According to the information on Google, it doesn’t seem to work properly, I wasted a few hours here. Need help, please PM me, thanks

@n00baaa said:

D*****ins INJECT no work!! According to the information on Google, it doesn’t seem to work properly, I wasted a few hours here. Need help, please PM me, thanks

Oh, root it! This road is right. Sometimes “smbshare”.py has problems, maybe using " -smb2support -debug " would be better. If it doesn’t work, just try again and reset the box…

Got root there after a serious headache.

Tried the DLL way for a few hours, 100% sure the syntax of my commands and the payload were correct and it wasn’t working. Possibly because it was on a free box.

Used the msf module instead, wish I’d done that from the start, only took a minute.

Nice box, learned a curious way to get root, nice work @egre55 !!

Awesome box, I always love learning LDAP enum methods. Thanks @egre55 for a fantastic box!! Any help I can be to anyone, shoot me a DM. Thanks.

Is it normal that SMB doesn’t respond? Seems to be down.

@g1anma5 said:

Is it normal that SMB doesn’t respond? Seems to be down.

SMB being down isn’t normal.

Possible Spoiler Removed
Is it supposed to be that way? It should not be, I guess

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@ev1lm0rty said:

Is it supposed to be that way? It should not be, I guess

Chances are someone else left it in an unstable state when they rooted it. You can test this by resetting the box and trying it again (the password won’t have changed).

Alternatively, you have a valid short cut to root.

Well I’ll try that. Requested a reset.

@TazWake said:

@g1anma5 said:

Is it normal that SMB doesn’t respond? Seems to be down.

SMB being down isn’t normal.

After a reset, it seems to work properly.

Finally ROOT! Fun and instructive Windows machine. User was easy. Root was hard for me, wasted a lot of time. Try hard!

My hints:
USER1: just enumerate all you can see…
USER2: …and you CAN’T see.

ROOT: If you think that you are on the correct way, remember to restart the right service.

PM me if you need more hints!

Rooted after 1.5 days of work.

Users are pretty straightforward and people in this forum have already mentioned everything you need.

Initial foothold - enumerate (a classic tool that comes installed with Kali). Use the value obtained and try it everywhere you can possibly find.

User - Once you find the right credentials, this should be pretty straightforward.

Root - You should have the credentials to 2 users by now, but you need to gain access to another user. To find it, imagine yourself as a user that tries to HIDE information from other users. That user can do some stuff related to d**, from here google your way to privesc. Just to note, off the shelf payload is fine but architecture is important!

Hope this doesn’t give away too much. If you need a nudge, feel free to PM me.

I’m struggling with the priv escalation part
Tried dn**Adm dll injection several times
I can’t figure out the catch for the moment
!!! Any suggestions please??

@djnux said:

I’m struggling with the priv escalation part
Tried dn**Adm dll injection several times
I can’t figure out the catch for the moment
!!! Any suggestions please??

Architecture of the target machine is important, make sure you are restarting the right service. Sometimes other people are on the machine doing the same things too.

The arch is x64 and then scxxx things

Logged in with 1st user, now stuck with 2nd user r***. Any tips??

@DeeKay911 said:

Logged in with 1st user, now stuck with 2nd user r***. Any tips??

You want to start looking around. Looking for things that you might not see if you aren’t looking for everything.

Got the second user r***, and know that he is in dn gp.
I also made the payload with the poison, shared it via s* to the host, done the “dn****d …” command part and after that the restart, but got no reverse shell. Also tried x86 and x64 architecture and different encoding types with poison.
Help would be very appreciated!

@grab0id said:

@DeeKay911 said:

Logged in with 1st user, now stuck with 2nd user r***. Any tips??

You want to start looking around. Looking for things that you might not see if you aren’t looking for everything.

Thanks @grab0id, found the way for r***

@Cooper24 said:

Got the second user r***, and know that he is in dn gp.
I also made the payload with the poison, shared it via s* to the host, done the “dn****d …” command part and after that the restart, but got no reverse shell. Also tried x86 and x64 architecture and different encoding types with poison.
Help would be very appreciated!

I am facing the same issue, have you got any solution?