@TazWake I was trying to dump the password hash, as this is a fun Win-based box. Just playing with this box, like, even without any password dumping tool working we can still dump hashes. Just for learning, so if these types of situations arise in the real world I would know what I have to do. I know I have the admin pass; I can convert that pass to an NTLM hash. Just learning different ways.
The box is quite good. Enumeration is the key; it took me 4 hours to find my foothold. After that it’s like a piece of cake.
For the people struggling to get a foothold, here is a quick reference. Everything is on the forum. I will just give a brief about this box.
Enumeration is the key; look for every piece of information. Look closely at the nmap scan; it might help to find what is running on this machine.
Once you get what is running, Google is your best friend. Don’t look or overthink, as I missed and overthought here. Everything is in front of us; need to just think in that way.
Once you get what is required and get a shell, there is something more: just a normal enumeration in the box, and maybe some switches can help here.
User and administrator are a piece of cake once you get your required thing after getting a shell.
Can someone drop a note with some nudge? Already got a reverse shell, but expending many hours looking around files/directories, and findings are not working to get root :neutral:
If you have a reverse shell which got you the user flag, then you do a very similar thing to get root.
If you haven’t got user yet, you need to enumerate quite hard on this box. There are good techniques for searching for what you need and it helps a lot if you have a PowerShell shell.
Rooted! Went down a rabbit hole after getting initial foothold which cost me a day of wasted effort, but woke up this morning and remembered to go back to basics, and then it all fell into place. Got a bit hung up trying to shift user identities, until I realised I didn’t need to, to get user. Once you get user, root is like 3 mins more work.
My advice - don’t get ahead of yourself thinking you’ve got it in the bag once you get the initial exploit - you still need actual user creds to get the flags.
Thanks TazWake, already rooted this machine, a lot of enumeration.
Rooted! That was a fun box and I learned a lot doing it. It was interesting being that root was the exact same as user. If you get one, you have the other too.
The hardest part was the ‘hashes’. If you’re struggling with that, read the file more and read up on the class you see.
Took some time off this box after getting stuck on a reverse shell part. Found my reverse shell issue was just an issue involving slashes (so mad I had the right way about it but just making a stupid mistake wasted hours and caused me to try alternate routes). After that it is pretty simple.
Running the script, I’m able to view the host file, run basic commands, ping myself, download files from my hosted web server, but not able to write to a file or execute scripts directly from memory. I’m using PS for commands on the box, as CMD output was unreliable. I’m searching for a writable directory to save my shell binary but am not finding anything. I’ve tried diff variations of temp directories, but not seeing any indications from script output that files are saving. Any nudges on writable directories or course correction to gain initial shell?