Arkham

Rooted

Finally rooted, though the easy way, so need to revisit some other writeups to get the full shell method. I found this a super tough box, over 16 hours of work. I did rabbithole for quite a few hours of that trying to do some unneeded evasions, oh well! :slight_smile:

I was finally able to figure out how to “buttle” my way to a reliably get a reverse shell, and get user.txt. I have found his downloaded, archived local backup file that contains a picturesque reminder for Batman. I can now perform some minor things as Batman, but they mainly seem limited to aspects of various tools that can list or download files from the Users share. I do not seem able to execute anything as Batman. Or at least, I do not see how to do that.

I have also hit the limits of my msfvenom knowledge I have so far been unable to get anything to actually run on Arkham.

I agree with @BobHaddock that this is a “super tough box” and I have spent many hours over the last 4+ days figuring things out.

I could dearly use a nudge or hint in the right direction.

Edit: This box is going to have me committed to an asylum soon.

Wohoooo finally, at the fourth shell… SYSTEM!!!

Very very good & fun machine. But dude, the blind RCE and the privesc part to achieve the privileged shell were… haaard! Lots of new/refreshed knowledge with all the try & error.

PS C:\Users\Administrator\Desktop> Get-Acl root.txt
Directory: C:\Users\Administrator\Desktop

Path Owner Access
---- ----- ------
root.txt BUILTIN\Administrators NT AUTHORITY\SYSTEM Allow FullControl...

PS C:\Users\Administrator\Desktop> whoami
nt authority\system

Finally! What an exhausting box, super happy with it and had a lot of fun (when I wasn’t pulling me hair out.) Giant thanks to @watashiwaojsn for all the help, if I could give more than one respect I would!

Hello,

I am able to encrypt and send a PING request and was able to see the request and the reply in wireshark. However, I has not been able to escalate this vulnerability to a rev shell.

Could someone please guide me on this part?

PP

Type your comment> @pp123 said:

Hello,

I am able to encrypt and send a PING request and was able to see the request and the reply in wireshark. However, I has not been able to escalate this vulnerability to a rev shell.

Could someone please guide me on this part?

PP

If you can ping, you can live off the land of the target to request additional tool/s onto it from you, by the same means you’re calling the pings (and hence the tool/s).

I’ll be damned if I can see any way to get from Batman to Administrator in any manner. Batman seems to be the least-capable localgroup Administrators member ever.

I don’t see any “easy” way either that has been mentioned.

Can any body help me with this box i got access to the files but don’t know how to decrypt it.
this is my frist box on hackthebox. please guide me

I am still stuck at B-----, one of the members of the Administrators localgroup. I still cannot see how that user can either move to a more privileged shell, nor any means of otherwise accessing the root.txt file which I assume is in \Users\Administrator\Desktop. I can repeatedly and reliably go from reset box, to interactive powershell/cmd as B-----. U-- and D------- seem to be blocking any means of privesc or even getting a meterpreter session going. (Again, likely me being ignorant of Windows tricks).

I have been stuck at this point for a few days and trying (now basically just throwing) different approaches.

I could REALLY use a hint or suggestion, please. (here or pm)

Update: Finally got root.txt the easy way (#facepalm). Thank you @BobHaddock, @ompamo, @senn!

Please anyone who is online help me out with decrypting the backup.img I have tried lots of wordlists even custom made from “cupp” tool but no words seem to crack it please help me someone kind enough to ping me. Thanks

Found sec*** from to***** file. Also, there are some uri in face but does not work.

Can anyone give a nudge on where to look for ?

delete

got it NVM.

Hi! I have somes issues executes command as another user (command seems killed).
Anyone have same issue ?

Edit found solution

Type your comment> @christrc said:

Hi! I have somes issues executes command as another user (command seems killed).
Anyone have same issue ?

Edit found solution

i am stuck at the same spot, mind sharing any blog post about it?

hi everyone, Can some one help me? I don’t know how to get rce I have the secret but I don’t know how do it

Managed to finally root before the box retired. Big thanks to @ompamo and @raiden99 for their much needed insight.

Good box if you are preparing to AWAE/OSWE

hi guys, getting this error while working with python
binascii.Error: Incorrect padding - tried few things on google - even wrote exact code as in ippsec videos still this error persists

not able to move further due to this… is there something wrong with my python? can’t fig out that too :frowning: