Official Worker Discussion

Found user. Any tips for system/admin?

Type your comment> @m3chmania said:

Found user. Any tips for system/admin?

hint: do that which you did b4

The box is down?

@Pb22 said:

@m3chmania said:
Found user. Any tips for system/admin?

hint: do that which you did b4

Do I need to use another set of credentials from that user file?

Edit: Got it. Fun box!

Type your comment> @S98 said:

I don’t understand. What am I doing wrong?
Some guys said that the creds is used in plain text.
I tried it over and over again, without proxy, even used
curl -v “http://d.w.h” --ntlm -u d.w.h/user:pass --noproxy “*”.
For now, still no luck.

It is possible to use curl to access the page, but you will be better off using a gui based browser.

For you that got proxy problems, there is an issue with burpsuite and NTLM auth.

PM for help

Rooted ! :slight_smile:

Rooted!!

Rooted! Great machine. I liked how it doesn’t require any blind guessing - just good thorough enumeration from one point to the next. Too bad it is very slow sometimes. I wonder if it depends on number of concurrent users or some other factor?
Anyway, congratulations to @ekenas for such great machine. It is the one I enjoyed the most from all machines I tried on HTB. And got Elite rank with it. Yay! :smiley:

I would really like to kill the r******r before he kills me :joy:

Uf… finally got the user!

Edit again: rooted! A bit frustrating because of poor performance. But an enjoyable machine overall, and quite realistic.

Need some nudge for user.

I got a low shell and found some creds for user r****l. But I haven’t been able to use it anywhere. can someone provide a nudge on how to proceed.

@thatjoe look over your full nmap scan.

Type your comment> @3DxHex said:

@thatjoe look over your full nmap scan.

yeah got it now. I was confused because the higher port was giving a 404 error page. so i thought it was running iis. my bad

Stuck at foothold. I can follow the pipelines to upload txt and js files but can’t do anything useful, e.g. ps1 files return 404. what am i missing?

Spoiler Removed

I believe you may find Invoke-ReversePowerShell from my repo GitHub - tobor88/ReversePowerShell: Functions that can be used to gain Reverse Shells with PowerShell to be helpful on this one

rooted. thanks @ekenas for the fun machine.

Rooted and agree with @camk thanks for the fun box and exposure to a different attack surface.

rooted the box and it was a wild ride. I had no clue about the azure thingy so i needed soooo many nudges. Something i really liked is the cleanup scripts that were running in background.

thanks @ekenas for the box.

if anyone need any nudges, DM.

@tobor said:

I believe you may find Invoke-ReversePowerShell from my repo GitHub - tobor88/ReversePowerShell: Functions that can be used to gain Reverse Shells with PowerShell to be helpful on this one

Just wanna say props to you for that script man. I love how it reconnects after the session borks.