Official Intelligence Discussion

@acidbat said:

Hmm, so I got a user and a password after a lot of web enumeration.
The 2 combined does not stick to anything at the moment …
Obviously I am missing something …

There’s more enumeration you can do. Delve deep into any files you can download!

Fun box, painful if you (like me) use the wrong version of a tool, but fun. Thanks ARZ101 for help on the last part!

Fun and challenging box.
Thank you @Micah for creating this challenge for us.

Sooo I’ve been at it for days.
I’ve got user and the hash/password for the owner of the script. But can’t for the life of me get a shell on the box. Can someone drop a hint? I tried all the packts I can think of.

@Eren said:

Someone give a hint here please

Just got user. So the Web Server gives you all of the information you need to get access. Access will be granted through another channel.

Hint For User: Wow, there sure are a lot of PDF files. I wonder if there’s any way to see who created them…

got user… that part was straightforward :wink: on to root now ^^
dm if help needed

I got User, but I’m a bit lost when it comes to root. I don’t have much AD knowledge. I believe I found the file that will open the way to root, but I don’t know what to do with it.

@PrivacyMonk3y said:

It’s enumeration of what you know. Scripting is a plus.

I’ve got user but I’m a bit stuck. I read the script and I think I have ideas but I’m not able to pull anything off. Playing with python and dumped loads of info just not sure what’s important.

Been stuck for a couple hours. Anyone got a nudge?

Look at your NMAP results and see what is open to us. Also, think about the script you found. Think there’s any way to point it to us? I hope this RESPONSE helped you out :wink:

No events in RESPONSE, Wireshark shows the box visits my port 80, but nothing happens

I’m stuck at user. I enumerated all I could from the upload folder. I only found a user and a password, but I dunno what I can do with it.

Found user. Thanks @BlueBeard. There’s more on those documents to read.

Root : I have little knowledge about AD tools. I can see traffic, but no way to get ping back. Any hint ? I’ll try hard in wireshark to see something useful.

ok got user…that took me entirely too long! Great fun getting there, though! Thanks to the comment by @dylvie I decided to revisit the trove of docs and found what I needed. On to root!

■■■■, this box is cool.
Got everything I need for user, I think, including a specific automated script.
Now, let’s find a way to use this properly to get a shell …

Hi! I’m kinda stuck at user, I think my enumeration skills are not the best…

Could someone give me a hint? I have a list of valid users, tried fuzzing with some tools and SecList but found nothing :frowning:

Edit: nvm, just needed to check all I get and not be lazy :slight_smile:

One of the best boxes I’ve done so far. I hope it’ll get inserted into the AD Track. Several techniques, several tools, a real need to dive into Active Directory specifics that teaches you many things… All of which make that box very hard if you don’t have a lot of AD knowledge, but it’s definitely very, VERY, worth it. Thanks a lot for that box @Micah, that was well-designed and really enjoyable!

User part is divided in two steps. The first one is smart enumeration, you have all the docs you need, query them. The second part is trickier, you pretty much have to query yourself.

For the root part :

@hadrian3689 said:
b) From there, just remember that we are dealing with AD and L**P. The rest was just intense googling based on those kinds of attacks. No shell required.
Underrated hint :lol:

What a unique box it is! For me it was actually a hard box, given my lack of knowledge of AD.

User: basic enumeration + the use of a specific tool will lead you to the first flag.
Root: As I stated before, the uniqueness of the box is that you’re never required to get a shell. Anyway, the root part is the combination of several AD techniques (hope not to spoil, but I used Impacket tools).

Thanks for the box!

Got the user hash via s**, but was wondering, can you get a proper working shell on this machine? If so, can I get a nudge for it please?

Just rooted this machine and I really Loved! I Learned so much! There is really no shell needed here, just simple tips:

  • For user flag, enumerate everything, look into the website, the files and enumerate them, just look into the file names and you will understand, a simple python script will solve.

  • for root… Impacket has everything you need, use google and be happy.

You will probably hit some time syncing problems, not much of a problem, just google about this and you will be able to root the machine with no problems

After 2 days of reading… lots of errors on commands… losing my way into AD (with bloodhound even breaking my VM) and all other dead ends that I can think of…

Evil-WinRM PS C:\Users\Administrator\Documents> whoami
intelligence\administrator

■■■… this box was a lot harder than I thought (for a medium box)… Maybe because I know only the basics of Windows pentesting (trying to improve here)… but learned a lot through several different sites, blogs, and other stuff…

The basic enumeration (find the “hidden” files) is easy… get to the user is also pretty straightforward… on the above messages in this forum you’ll find all you need… just pick the line/docs you have in front of you and follow it to the end…

But from there to 2nd user (and then root) was ALL new to me and I still don’t understand how some of the tools (site below) work… just copied some and change the names, pass, etc accordingly and put to run… after several different dead ends, I finally got it… I’ll now wait for this box to go retired and see ippsec walkthrough to understand what I could’ve done better/different… he also explains a lot why he’s doing this or that ^^

Either way, this is a very good reference if you want to learn more about Impacket tools (it helped me a lot to understand the tools on a box like this one): No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA

Good luck :slight_smile:

@Krose said:
> Just rooted this machine and I really Loved! I Learned so much! There is really no shell needed here, just simple tips:
>
> * For user flag, enumerate everything, look into the website, the files and enumerate them, just look into the file names and you will understand, a simple python script will solve.
> * for root… Impacket has everything you need, use google and be happy.
>
> You will probably hit some time syncing problems, not much of a problem, just google about this and you will be able to root the machine with no problems

Got user. Agree with what @Krose stated. Same steps led me to user. Hope root will do the same. :blush: