Access

Finally got root! I had to retrace my steps. I hate when i miss simple things like an important an option.

I enjoyed this box, learned some cool stuff about r***s

Have been trying to read root.txt, tried various options. Some nudge is appreciated.

guys it’s normal that the machine is always reset, it will be 10 times that I enter t—

I finally got root…not sure if it’s the best way though…would anyone want to chat about how they went about it?

Also if anyone wants any pointers PM me.

Can anyone help me with PM ? fcrp isn’t give me anything. i read the first file in Ba**** but i didn’t open .z which is in En** i think im wasting my time with wrong wordlist…

@Sixpon said:
Can anyone help me with PM ? fcrp isn’t give me anything. i read the first file in Ba**** but i didn’t open .z which is in En** i think im wasting my time with wrong wordlist…

If I recall, I did not have to crack the password, it was obtained via another file.

Removed by request - Arrexel

■■■■! Thought I was DM’ing. Yup im an idiot, a tired idiot.

Got the root flag using r**** and >.

Do the math. Even though I don’t think that was the intended way as I did not get a root shell.

Out of ideas. I have limited user shell. I see that r**** is the likely command used to gain root. So far, I r**** its o***** to external sources. But I can’t find the correct syntax to run as admin. Could someone PM me?

@avoidy said:

@Sixpon said:
Can anyone help me with PM ? fcrp isn’t give me anything. i read the first file in Ba**** but i didn’t open .z which is in En** i think im wasting my time with wrong wordlist…

If I recall, I did not have to crack the password, it was obtained via another file.

Thanks for answer, i think i find the password before. i tried it for bruteforce in t***** but i’m not be able to open z** anyways. I’m using unz** and it doesn’t help me. I don’t know much tool. Any suggestion for tool or open .p** file?

7za x myfile.z**
If I remember correctly its due to the zip file being encrypted with aes so you get an invalid sequence with z**.

For the p** file, depends on your system, if on windows simply import or open in outlook. If on a linux OS then install and use “readpst”. - It worked for me.

Hopefully this ain’t no spoiler but some help.

@avoidy said:
7za x myfile.z**
If I remember correctly its due to the zip file being encrypted with aes so you get an invalid sequence with z**.

For the p** file, depends on your system, if on windows simply import or open in outlook. If on a linux OS then install and use “readpst”. - It worked for me.

Hopefully this ain’t no spoiler but some help.

Very thanks! i learned a lot thanks to you.

Hello guys,
I got local user access. It was not so difficult.
Now I am stuck on PE. I have discovered "Z*****s application, probably service too. Is it right path?
I would appreciate, If you give me a hint.

@c0uldb3 said:
Hello guys,
I got local user access. It was not so difficult.
Now I am stuck on PE. I have discovered "Z*****s application, probably service too. Is it right path?
I would appreciate, If you give me a hint.

There are plenty of tips on this topic about PE process so that you can get on the right path :slight_smile:

Hey, can anyone help me for this situation? I found a service named ZK**** . and i searched for it. i used this command ics Z*5 and it gave me some information. But i don’t know how to proceed my steps. I’m trying to rs but i didn’t manage to use it. I’m very sad with services and tools which i don’t know what is it. You can also pm me if your answer is including spoilers.

ok… got user flag… stuck on the runas command… any hint? i’ve already checked every single page of this box here… i’ve read runas docs… tried almost every combination but no results… what i can’t see?

@Sixpon said:
Hey, can anyone help me for this situation? I found a service named ZK**** . and i searched for it. i used this command ics Z*5 and it gave me some information. But i don’t know how to proceed my steps. I’m trying to rs but i didn’t manage to use it. I’m very sad with services and tools which i don’t know what is it. You can also pm me if your answer is including spoilers.

@cptUP said:
ok… got user flag… stuck on the runas command… any hint? i’ve already checked every single page of this box here… i’ve read runas docs… tried almost every combination but no results… what i can’t see?

The only hint I can give to both of you is: Users are lazy and apparently really hate retyping their passwords or in this case, the admin! :smile:

Finally rooted. This machine will force you to go back to the basics. Can’t believe how lazy I’ve been. Here are my spoiler-free hints:
Limited Shell

  1. Enumerate the available services using manual and automatic methods.
  2. Learn to open files from a “low level” point of view. If using Kali, you already have the tools to do this. Nothing needs to be downloaded nor will you need any commercial software.
    Root
  3. The privilege escalation was the best and most excruciating part. There are many considerations for enumerating the Windows OS. Collect EVERY fact of data. Enumeration is key to finding an essential fact regarding this machine.
  4. Using the discovered fact from above, you will use it in conjunction with a built-in Windows tool.
  5. The kicker: You must privy yourself on the expected output for each option/parameter this tool provides! Go to Microsoft’s page and review the examples and READ THE DESCRIPTION for each option/parameter available to the tool. Understanding this tool COMPLETELY is essential. Test the tool in your own environment, and note the general behavior. This will help you formulate a plan and see the whole picture (versus what you are observing on the target…).