  • My head is spinning from that privesc. Foothold is just, well, foothold 101. Great box. May have been too much for me to absorb it all at once. I'll need to try it from scratch again. Just not this week.
  • Got user. To be honest, I've never, ever, dealt with R*** at that level, so I was doing my field study while at it. But I probably spent 8 to 10 straight hours searching anything that would get me the foothold. Any exploits, CVEs, patches, versions,…
  • Rooted. I got the foothold two different ways. One being the all things thingy, as expected, and the second one from a certain tag that I have absolutely no idea why it works, but it does, straight to a reverse shell even. Using a few ifs. Can someo…
  • Rooted. Whilst the foothold and the users were a good teaching, I think the root was a bit on the CTF side of things. After many enumeration scripts returning nothing, how on Earth should that path be visible? I was out of hairs when I tried someth…
  • I think the machine's user flag was the fastest I've ever got. The nmap scan lasted longer than that. It's a really nice entry level machine, it doesn't get more by-the-book than that. The privesc gets cloudy, but when you actually read the exploit …
  • (Quote) Took me 2 days to realize that my bazillion root payloads weren't working because I was using single quotes (') on their creation. As soon as I used double quotes (") it worked.
    in Sniper Comment by crash0 March 2020
  • Type your comment> @3xxu5 said: (Quote) Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn't work it means something's wrong.
    in Forest Comment by crash0 March 2020
  • Rooted. Really fast machine, straight forward to the point. It was the fastest user flag I've ever got, just minutes. I've found only one rabbit hole during privesc. I was one command away from getting root but "Access Denied" no matter w…
    in Forest Comment by crash0 March 2020
  • Rooted. Really fun box. I did most things from one tool. There's one account that doesn't do anything, but it got some time from me thinking it had to do something. User1: OSINT, then think like a company/bank and how their login would be. Requir…
    in Sauna Comment by crash0 March 2020
  • Rooted. Really fun and chill box. It doesn't matter where you are on this machine, the path is always as clear as daylight. Foothold and User: Basic Windows and AD enumeration skills. Just read the outputs. Then go back to your enumeration once aga…
    in Resolute Comment by crash0 February 2020
  • (Quote) Try the manual way. Nc should be straightforward. But also check the payload. If it isn't quite right, it won't reach your listener.
    in Resolute Comment by crash0 February 2020
  • Rooted. Fun box. I've done many boxes harder than this one, but if it has taught me anything it was to just write down what I've found and chill. Think with what you have. This post has everything anyone needs to root the box. Foothold: What do you…
  • Rooted. Really fun and relaxing box. Initial foothold is the hardest part. User -> Root is really easy. Foothold: Enumerate. You'll find something exploitable, but no exploits in the wild work. So read them, understand them. Try to exploit manua…
    in Postman Comment by crash0 December 2019
  • Type your comment> @xVoid said: (Quote) ssh2john converts the private key to a format that john can crack. You output this as a file and then you run john on it
  • ssh2john id_rsa > crack
    john --format=SSH --wordlist=rockyou crack
    when it's done:
    john crack --show
  • Rooted. Really frustrating machine, but it was a great teacher to me. User 1: What a ride. Enumerate and don't ignore anything. Scan smart not hard. User 2: Quite simple to find if you enumerated, but not so simple to actually do it. You'll take a …
    in Registry Comment by crash0 November 2019
  • Rooted. Really fun machine to kill some spare time. It was my fastest so far. Hints: Foothold: Basic enumeration User: What's on this machine? How does it work? Enumerate and read the documentation about it. Check a particular odd permission for a…
  • Initial foothold was the hardest part of this machine. User took a while, but I tried something really basic and it worked. I was overthinking. Whilst trying to get user I found the root privesc way, I just couldn't do it. But then it took only a c…
    in Zipper Comment by crash0 January 2019
  • edit: rooted This thread is full of hints already, but giving my two cents: User: Up to the first reverse shell it's really straightforward. You then start enumerating everything, you'll find your way. Read the files and learn lateral movement. Roo…
    in Vault Comment by crash0 December 2018
  • Could anyone help on the o*** file syntax? I'm really lost trying to make it work for a few hours already. I wrote on it a couple of times and now I can't write anymore, only timeouts.
    in Vault Comment by crash0 November 2018
  • edit: Owned. Really fun box. I got "the" file seconds after seeing my nmap results. But I spent a whole day studying on how to deal with it. Worth it at the end. Privesc was really nice and simpler than it looks. You just need to study q…
    in Hawk Comment by crash0 November 2018
  • edit: Got root. I learned many new things, but in the easiest part I spent so many hours overlooking something. Gosh, I wish I could've seen my face when I realized. User was really easy, tho.
    in SecNotes Comment by crash0 November 2018
  • Owned the machine. User was straightforward. It was fun to do it, but not much of a challenge. Root was really tricky. It's a really small detail that I believe many and many people will overlook. The technique itself is basic.
    in Irked Comment by crash0 November 2018
  • User was really fun to get. Pretty straightforward too. I'm stuck on Root however. I've run many enum tools but I can't find any nudge as to where to look. Maybe I'm burned out, but could anyone send me in the right direction? Thanks
    in Irked Comment by crash0 November 2018
  • Got root on this one. That root.txt was a dirty move. It's not hard, just dirty. I knew what I had to do a few minutes inside the shell, but I thought I was coding wrong for many long hours. The user on the other hand was an amazing experience.
  • Can someone help me on the priv esc? I've detected the clocky file and which script overwrites it. I can't, however, edit it. Vi won't work over the reverse shell I've got. User was miles easier than it, tbh. I'm not even sure about what to do. I'm…
  • (Quote) it's possible to not use sqlplus entirely =) You can, but it isn't necessary.
    in Silo Comment by crash0 June 2018
  • Any tips on the initial foothold? I've been studying both the DB found and how to "link" it somehow to the repository, still no clue at all. I've never had to deal with these. Damn, I don't even know that's the way.
    in Canape Comment by crash0 June 2018
  • @digitalp2k Go the old fashioned way. Get your hands dirty. It's possible to root this machine without ever touching odat, meterpreter or any of this kind. ODAT -may- get things faster for you in the later stages.
    in Silo Comment by crash0 June 2018
  • If you've got a couple of SIDs and you can't proceed, you're both on a good spot and overthinking. Try simpler solutions.
    in Silo Comment by crash0 June 2018