Cascade

rshackleford85 · April 2, 2020, 3:51am

got root with some helpful PM nudges from @critlize and @Pomps200 thanks guys! I was so close. it was right almost looking me square in the face

davihack · April 2, 2020, 3:55am

Funny one!
For user 3 everything is under your eyes don’t struggle to enumerate or overthink.
Sometimes an accurate whoyouare question can help you a lot ! Keep it simple.
The rest is straightforward

Feel free to PM

Hack The Box

AwkwardUnicorn · April 2, 2020, 5:25am

Anyone able to throw some hints at me RE the sencond user?

I have some… information… that I am unable to decipher… was it a rabbit hole?

comradecereal · April 2, 2020, 7:07am

Well Done VbScrub… another great box, I learn a lot as always… keep up the great work mate!. PM me if you need hints

TeRMaN · April 2, 2020, 9:23am

Hi guys, i found hex password, it belongs s*****t user. I tried so many tools and researching but i cant crack this password. Do i on the right way, need to find something else?
Edit: Rooted.

kalitkd · April 2, 2020, 9:32am

Type your comment> @TeRMaN said:

Hi guys, i found hex password, it belongs s*****t user. I tried so many tools and researching but i cant crack this password. Do i on the right way, need to find something else?

for Linux on github there is a good tool
just remove the commas

mitoOo · April 2, 2020, 10:44am

i’m spending to much time to query info from p , , got password length , setup my cr**pc to a custom characters password length , spent soooo much time for bruteforcing users’s passwords ,
i don’t think that it is the intended path , any help ??

pwnshell · April 2, 2020, 2:06pm

Somehow i got user rt pass after some ls*h. Decoded it, can’t login with evil. SB gives the shares…but nothing relevant found.

Any hints please PM me…Thanks…!!

VbScrub · April 2, 2020, 2:17pm

@rootsh3llz said:
S**B gives the shares…but nothing relevant found.

You didn’t look hard enough then

Malfurion · April 2, 2020, 2:50pm

Type your comment> @VbScrub said:

Gotta say whilst I see the good intentions behind this dynamic flags thing… it seems to be causing way more hassle than its worth

Agreed

pkaiser · April 2, 2020, 3:43pm

Got the user’s flag and absolutely loved the way to it.

Off to root now. Do not ping me for help, please. Make sure you use the default tool (mentioned here about a million times already) for enumerating one of the services and READ EVERY SINGLE LINE CAREFULLY. It is there. Either read it line by line OR grep for “what you’re looking for” (think here - what you’re looking for? a username??? don’t think so) …

Yeah, I know. Another useless comment…

ComandanteRed · April 2, 2020, 4:12pm

I need a nudge for user.
I found Mr T. password and enumerated a different service on a lower port with it.
On this different service, I found a windows file for a particular service, which seems to contain an entry for password in a particular format, but cant seem to be able to do anything with it.
Is this a rabbithole?

pwnshell · April 2, 2020, 5:40pm

Got two users till now… can anyone help with RE part for third user…very new to this RE…so all clueless now…!!

thammarit · April 2, 2020, 5:58pm

Such a great and amazing Windows box !!!

I really enjoy boxes where I get to learn new stuff, and this box did lesson me lots of new things and knowledge. All clues the creator of this box @VbScrub hidden along the road can’t be overlooked. They all make sense and will definitely force you to research thoroughly how to make good use out of them.

Thank you @VbScrub for creating this quality box. Looking forward to the next one.

Feel free to PM me if you require any help on user or root

AwkwardUnicorn · April 2, 2020, 6:52pm

Anyone able to hold my hand a little through the RE process? I’m struggling a little here. Can read the files, and understand what is happening (mostly) bu I’m not able to put the pieces together to run something that would benefit me based on information I’ve pulled…

corpnobbs · April 2, 2020, 9:35pm

Anyone still getting Incorrect Hash errors when submitting the user.txt for s*****h user? I just reverted and still getting the error, plus the hash didn’t change after a revert.

TazWake · April 2, 2020, 9:42pm

@corpnobbs said:

Anyone still getting Incorrect Hash errors when submitting the user.txt for s*****h user? I just reverted and still getting the error, plus the hash didn’t change after a revert.

Hopefully, people are reporting these glitches to HTB itself.

3zculprit · April 2, 2020, 10:40pm

Hey @VbScrub whenever I see a box from you, it always wreaks of puzzles, manual enum, a sense of connectivity and .VBS getting involved somewhere. Also, when I see you putting an exe file I always turn to Telerik JustDecompile (Download Trial File). It’s a free tool that lists out the entire code of exe and gives you an option to export .SLN project to debug in Visual Studio. Just wanted to put the info in open.

For the box, it’s a ladder, take your time to climb. Once you are about to become root and failing, just think what did you do to get the initial foothold.

Nice box in total!

tavi · April 2, 2020, 10:59pm

Each step of leveraging access on the box felt like a real-world scenario while combining Active Directory elements. Enumeration was the key.

Lessons learned:
- if stuck, go back to the enumeration to connect the dots
- if enumerated a specific service as an lower-privileged user, don’t forget to enumerate it again with the newly accessed user

I have huge respect to VbScrub for creating this machine . Be sure to checkout his youtube channel to learn more about windows and active directory offensive security.

Hints on discord/ telegram.

MahatmaCrond · April 3, 2020, 1:25am

If you need root hint, PM me.