Heist

HTB Content Machines
421

Can someone give a hint for the third user? Should i crack something a little more?

422

This box is actually practical. Believe it or not, I’ve actually had to go through a very similar process the way in which you get Administrator on this box during live testing.

423

hmmm, the question is, what do we search for in the .dmp

Time for Google, and some trial and error

424

i need a nudge please xD

425

Rooted, a really good box for developing some skills with windows.

Hints for User :
Enumerate everything and use more than one method for getting user creds. rocking with your feline friend can be very useful here.

Hints for root :
Enumerate running processes in combination with the info gathered during user. badwolf comment was useful. Remember its a windows box so you may find it easier using windows native tools within the machine along with creds rather than attempting to use these remotely.

Nugget.

426

Spoiler Removed

427

Type your comment> @MrVulneR said:

I’m Stuck , Why i can’t enumerate users using lookupsid.py script i only get the domain SID is there’s something missing or perhaps there’s another approach ?

You’re on the right track… try looking up CME

428

Heck yeaaaaaahhhh. Rooted. Super fun, tons of things to learn.

429

I need you help i’m stuck into root scalation, some hints??

430

hey guys i need a hint iam stuck pm me please

431

Spoiler Removed

432

I am struggling in user. I found 3 usernames and 3 passwords. One of them work on 445 port but each combination doesn’t on winrm. It the Hazard is the username? Or should I enumerate more on 445 port? Somebody help me plz.

433

Type your comment> @farbs said:

Type your comment> @juggydancesqd said:

3 usernames and passwords that don’t work anywhere is this to throw you off?

Careful saying they “don’t work anywhere”…

So should I enumerate a new username on port 445?

434

Type your comment> @d1gCA said:

So I’m stuck in heist to get root. So I know that the process that i need to look is fx, i found where the k.*b file is located, i dumped the f***x process but still i cant get root… can someone help me ?

I’m in the same point as you… If someone can help me just PM
Thanks in advance

435

right I have three users and three passwords (all decrypted) and various winrm tools (winrm-shell and evil-winrm) that simply do not work, anyone want to suggest working alternatives?

and yes I’ve tried all combinations of users and passwords

436

Got user on this box after about 2 hours. I found the writeups on the old box Giddy to be very helpful. Will probably wait until after the weekend for root.

EDIT: Rooted. Cool way to extract the credentials! PM if you need any help.

437

Type your comment> @phneutro said:

I’m in the same point as you… If someone can help me just PM
Thanks in advance

Ok I have found another user and pw in the dumps and I can login to the support but no more interesting info … any hint, please?

438

Hi all, i need a hint for root. I’m dumping the suggested processes with the suggested exe and searching the dumps with the suggested tool, but: what am i searching for?
Feel free to pm me.
Thanks!

EDIT: Rooted!

439

after i enter smbclient, I can’t use “ls” or “dir”. Is that normal??? If it is, how can I enumerate? PLEASE give me some help!

440

Ok at the end, I get root!! this was very useful to me as it was my first windows machine, if someone have a doubt feel free to send me a DM… happy hacking!!

Special thanks @waelaase