Control

tuzz · April 8, 2020, 2:47pm

thx for redirecting me to right path for root @qwas2zx9 user part was fine. but root part was instructive at least for me.
last night i got root. but shell dropped after. then cant get access again.
i tried harder, shell dropped again before i got root.txt. But getting root.txt was not enough for me. So i decided to open an another shell so finally i got a persistent shell. Thx @TRX for the box.

qwas2zx9 · April 8, 2020, 11:34pm

Type your comment> @tuzz3232 said:

thx for redirecting me to right path for root @qwas2zx9 user part was fine. but root part was instructive at least for me.
last night i got root. but shell dropped after. then cant get access again.
i tried harder, shell dropped again before i got root.txt. But getting root.txt was not enough for me. So i decided to open an another shell so finally i got a persistent shell. Thx @TRX for the box.

No problem, welcome @tuzz3232

K0S1m1ng · April 10, 2020, 1:52pm

Hello All,
So I have been a bit stuck for a couple days now on the foothold/user. Was able to get the H creds with s*****. However I have been trying to upload with the same tool and manually and can’t find anything write accessible. Any possible nudges in the right direction? Starting to pull hair out

tkuczyn · April 10, 2020, 6:00pm

I got user, I’m a bit stuck on root. Very fun so far, but hard.

PM me if you need a hint on the initial foothold or user.

holsick · April 10, 2020, 8:51pm

So far super fun and a really hard challenge for me. Havnt gotten the flags yet but managed to finally get a stable shell.

Having fun figuring out how to escalate and feel like my windows knowledge is leveling up.
I have creds for the next user but cant seem to figure out the trick to get around protections yet. Dealing with some elements I havnt really dealt with.

So far the path has been pretty awesome though.

EDIT: Got user. That was really cool. Onto root

chicxulub · April 10, 2020, 9:17pm

Edit* Got user. Working on root. Sniper experience definitely helped with user on that one.

fdsSec · April 10, 2020, 9:55pm

Rooted
Many thanks to the creator
Feel free to PM if you need help

K0S1m1ng · April 11, 2020, 9:03am

Just got User finally! Thank you to @tkuczyn for the hints. This is a great box and I think this is the most I have learned during a User flag attempt. Ok on to root.

Feel free to PM for any User help.

zaphoxx · April 11, 2020, 3:42pm

hi, can someone give me a nudge regarding root. I’m pretty clueless at the moment even where to get started. just send me a pm; thx

eagle005 · April 11, 2020, 8:06pm

Hello , can some one give me a nudge on priv esc i am stucked at root part any nudge will be helpful. Right now i am clueless for root part…

watashiwaojsn · April 12, 2020, 4:30pm

Took a couple of hours to get the user.txt. now onto root.

Tips for the initial foothold/user:
Never trust the tool. Do manual confirmation.

rwu · April 12, 2020, 5:15pm

@parteeksingh , if you look at the history of the user, you will see some of his past activities which should give you a hint.

encroachdcs · April 12, 2020, 5:31pm

Type your comment> @FDS said:

Rooted
Many thanks to the creator
Feel free to PM if you need help

@parteeksingh said:
Hello , can some one give me a nudge on priv esc i am stucked at root part any nudge will be helpful. Right now i am clueless for root part…

@Al3xCh3n said:
Just got User finally! Thank you to @tkuczyn for the hints. This is a great box and I think this is the most I have learned during a User flag attempt. Ok on to root.

Feel free to PM for any User help.

HI! I have enumerated it through Nmap and directory search. Now lost and not able to go furhter. Please suggest how to proceed further.

K0S1m1ng · April 13, 2020, 3:56am

Ok I think I am stuck on root now. I have found the history of the user and can manipulate s******* from via the r*******, but not sure where to go from there and go maybe use a nudge.

UPDATE: Finally got root with some help. (Thank you @FDS for the nudge!)

Feel free to PM for any nudges or help.

watashiwaojsn · April 13, 2020, 4:04pm

Hmm, on the last step to root, I could manipulate the value and got a reverse shell. But cannot escalate the priv. Is this only me?

edit: rooted. Thanks @Al3xCh3n for nudge!
Guys, don’t be lazy like me. you’ll have a lot of useless connection backs with h***** priv lol

chiefgreek · April 14, 2020, 8:06pm

Hi, I’ve got shell as i*** but am trying to I-C as H but I only managed to get one password using s***** for M****** this doesn’t work as a cred for H. Seen others found two using s***** . I can’t decrypt the hashes either.

Edit - got it with hashcat …always find john doesn’t work

nebulousanchor · April 14, 2020, 9:53pm

Rooted. Wow pain in the ■■■■ finding the right piece at the end.

BluePhish · April 16, 2020, 4:45pm

PS C:> whoami
nt authority\system
PS C:> hostname
Fidelity

Rooted the box after what seemed like an age.

User: After you enumeration its pretty straight foreword stuff.

Root: Massive pain and i think i got lucky with the route i picked. Didn’t need the code signing way…just mixed and match old and new! Shell is quick to die so type fast or just smash and grab!

paddanada · April 17, 2020, 4:41pm

Hi, friends.

I got the user flag a couple of days ago, but have been stumped on how to approach root since then.

Enumeration has proved tricky, because as a user (H), I don’t seem to have permission to do an awful lot. I found the previous commands hinted at in this thread, and I think I understand what access I have over a certain hive, but not sure what to do with it yet. I thought I’d found a service to poke at, but it seems I can only start it (not stop, or restart) so it looks like another dead-end.

Any links to articles to read up on, or breadcrumbs to follow would much appreciated!

pwnshell · April 17, 2020, 6:56pm

Hey, I got initial foothold and got some passwords using S**i. Create a powershell script to get reverse shell as other users, not getting reverse.

Can someone give me a nudge on user…!!