Cascade

Seems it was a box problem and is getting fixed / is fixed now. Reporting things via JIRA is an effective way to get things resolved.

@TazWake
I assumed that all of the machines were dynamic hash now and that the box authors didn’t have to do anything to enable that. There’s no mention of it in the machine submission FAQ or checklist, so I didn’t do anything related to that. I assumed as long as HTB know where the flag files are, they take care of dynamically changing them on every reset.

@VbScrub - I think your assumptions were correct. I wasn’t sure if all boxes were now dynamic or just ones released after the change date.

I think the dynamic hash had broken as I was getting the same hash after a reboot and the same hash as other people on different servers, on different days.

A JIRA ticket was raised and HTB responded really quickly as far as I can see.

I never comment after finishing boxes, but WOW, @VbScrub, this was an outstanding box. Really enjoyed this as you got to follow a logical progression to the finish. It was also very realistic and wasn’t focused on just one thing!

Just got access to the user1 (s.~~h).
Looked around and found nothing interesting, except the l~k file.
Tried to read it, copy some text and search in the previous l~p result; seems nothing interesting.
Should I continue to look around, or should I play around with the l~k file?

@Peri said:
I never comment after finishing boxes, but WOW, @VbScrub, this was an outstanding box. Really enjoyed this as you got to follow a logical progression to the finish. It was also very realistic and wasn’t focused on just one thing!

Thanks, glad it was worthy of a comment :slight_smile: haha

@6uta
I’m not sure what the l*k file is that you’re referring to but send me a PM if you want to discuss without having to censor

Finally rooted. Awww man this machine was a pain in the @ss :smiley: The initial foothold was the hardest for me; it took 2 days to get that f*cking password. After that 2 other days of suffering, but lessons learned; my enumeration skills are bad. Learned a ton, learned new things about grep, privesc and enumeration.

User0: If you use a specific service try to grep the output. Someone mentioned earlier that you can write down words in different ways; my advice is to check the most common names or values for the word password. Use these different variants as a grep filter and you’ll see something. Also you can filter out what you don’t need.

User1: Again, enumerate everything. Enumerate the services you have; you can download all the files using a one-liner, no specific commands needed. Then check all the data: folders and the files in them. Sometimes grep doesn’t work as expected, so check the files manually.

User2: Using an online service and a specific program you can RE it :slight_smile: . If you need a starting point, use the file command.

Root: Check the difference between the last 2 accounts and reread the notes you’ve found earlier. You’ll get it, it’s not so complicated. Similar to User0.

@VbScrub you gave me a lot of headaches but it was absolutely worth it! I can’t wait to solve your future machines :slight_smile:

root’em up just root’em up what. shells, shells, shells. plunder, plunder, plunder. Haha this was as fun as the last one from @VbScrub. Great Job on the box. You always give us threads to pull on, rabbit hole or not so much fun. Valuable information too. The ‘hit a brick wall’ boxes are rough…Anyway, thank you! Hit me up if anyone needs help.

Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-hs-        1/26/2020  11:56 PM            282 desktop.ini
-ar---         6/9/2020  11:27 AM             34 root.txt
-a----        3/25/2020  11:17 AM           1031 WinDirStat.lnk

Finally rooted! Big thanks to @VbScrub and @TazWake for the nudges! Feel free to PM me if you need a nudge!

Just found the encoded password of user “A****c”.
But I cannot decode it with online tools.

@6uta Not all passwords can be decoded with online tools. PM me if you’re still having trouble.

Somehow I got help from a search engine and found a place which gave me the answer.
Is it the correct way, or is it some kind of cheating?

@r0kit said:

@6uta Not all passwords can be decoded with online tools. PM me if you’re still having trouble.

@6uta said:

Somehow I got help from a search engine and found a place which gave me the answer.

I think it depends. The objective here is to hack the box, how you do that is down to you. Search engines can just be massive rainbow tables.

On this box there is a slight difference as it may be that you’ve bypassed a learning step but it’s down to you if that matters.

ROOTED!

Wow, this box was really challenging but I learned a lot from it and, once again, I understand how little I know about Windows enum/privesc. Thank you @VbScrub for this box, I really appreciate that you were able to create an easy/medium Windows machine addressing more topics: enumeration, AD, RE, password decryption, etc…

As always PM me if you need help, but this time I’m still trying to deeply understand some steps! Btw here are some hints:

  • Foothold: enumerate the “light” service using the right options (one of the first @TazWake comments will help you a lot). You’ll receive a big output but it’s easy to understand where to look (grep is your friend).

  • User: find that file and Google how to decrypt that password, probably the “easiest” part of the box.

  • Root: you can access something else now, inspect the db file first then move to the exe, here you will find what you need to decrypt the information. A super simple .NET decompiler is enough. At this point check what AD groups you are member of, remember one of the first information you got and, as @VbScrub already said, Google how to VIEW CONTENTS from there.

I just rooted the box thx @VbScrub.

One little hint for people who are at the point where you have to fiddle with the exe and dll file in order to decrypt stuff:
Don’t make your life harder than needed. No need to write or rewrite stuff.
From the dll you will clearly see what exactly was used to decrypt things. Put all this together and use sth. like an “encryption algorithm” online tool. Just fill in the data you have and you will be fine. No need for .NET Fiddle and stuff like that.

Anyone able to give me a nudge? Got user.txt, got myself the key to Noah’s boat, but now I’m stumped but think it could be ss priv?

Edit: Stupid me, picked up the wrong keys for the boat.

After a 2 week break I started my hunt for root on this. Got stuck at resurrecting the dead guy. When I try to bring him back from the dead as s.*****th, by first listing out the dead, the typical command (Ge#A#O##j) does not give me any output. I tried various combinations but s.*****th just does not see the dead. Since it does not see the dead, it cannot bring them back using the well known command for it.

On the other hand A##S##C is able to see the dead but it does not have the rights to bring them to life.

I was wondering if I’m on the right track.

@6uta said:
Somehow I got help from a search engine and found a place which gave me the answer.
Is it the correct way, or is it some kind of cheating?

If you mean you just googled the encrypted password and found the code online that decrypts it, then no that is not the correct way. A few people have reported that there’s some public examples of where people have put the decompiled code online, but unfortunately there’s not a lot I (or HTB) can do about that.

@sunshinesec said:
After a 2 week break I started my hunt for root on this. Got stuck at resurrecting the dead guy. When I try to bring him back from the dead as s.*****th, by first listing out the dead, the typical command (Ge#A#O##j) does not give me any output. I tried various combinations but s.*****th just does not see the dead. Since it does not see the dead, it cannot bring them back using the well known command for it.

On the other hand A##S#c is able to see the dead but it does not have the rights to bring them to life.

I was wondering if I’m on the right track.

It’s been said a lot of times in this thread already (surprised you’ve not read through a few pages if you’ve been stuck for ages), but you don’t need to bring the dead back to life. If you did that it would ruin the box for everyone else until it was reset. Just inspect the dead people.

Well I’ve done it, all I can say is… cheeky little box. It was a lot of fun though, once I came to terms with what was staring me in the face the whole time. Learned a few new things about the dead.