Foothold needs a bit of creativity, not wordlists; I created a little bash script to get the combination right. After that, user was a walk in the park using s**** or mounting shares; you will get what's needed there to connect as the right user and get the flag using e***-w***.
Root: you need to have a slight understanding of Windows and AA* and how it connects/syncs with on-premise A*. There is a nice GitHub by a guy F*xt, and even a video on YouTube too, that will lead you to find how you can get root. I was stuck at one point where I was trying to connect to the wrong instance of SQL to get the exploit to work; I connected with @VbScrub, he guided me about the SQL instance, and that is it.
Hello, I found the exploit that everybody talks about. Because I had some trouble with the string, I did the first part manually, but now I have the error “Bad Data”. Can someone help me with this?
Finally got user; if you did too, PM me, as I want to share notes. If you need help, let me know. Interesting approach, but got it in less than 2 hours. Working on root next.
So I got the first user's credentials, enumerated, and got the second user's creds. For the life of me I cannot get E***-***rm to connect. Not sure what I am doing wrong here, but would love it if someone could give me a hint about what I am doing wrong.
couple of tips:
User: mmm, easier than I thought, but then you need to do some enumeration to be able to log in
Root: Once you google what you think, most likely you’ll know that it is what you need
but for me, it was frustrating to make it work; I made stupid mistakes
READ WHAT IS WRITTEN on the internet, and try it with all options *
Right, here we go! (still on user)
First time for me to try a machine that didn’t already have a Walkthrough, and I’ve worked out some things so far. But there seems to be something missing in what I’m doing.
I have the usernames, including usernames that have actually logged on, as well as the Domain names, and the password criteria.
Something must be staring me in the face, but I can’t see it… which is usually the case with the boxes that I’ve worked through so far with the Walkthrough for company (to help me when I’m lost).
Am I missing something? I’m currently running a script attempting to log in with all enumerations as mentioned, in an attempt to give me access. I’ve read through the whole of this forum, some excellent tips along the way, but then I get to this page and am still a little stuck.
FOOTHOLD: rpcclient, smb_login(msf) with some unused options, enum4linux, smb and enumeration…
USER: winrm, basic enumeration (AD groups, programs…)
ROOT: extract the right data with the right tool (Google) and use them
Rooted. Credentials for foothold are obvious AFTER you actually find them. An earlier comment to focus on the users that don’t have logonCount: 0 actually threw me off the trail for some time until I looked more closely. Once user obtained, rooted with off-the-shelf code.
User: Basic enumeration and think of an IT worker who doesn’t care about security.
Root: List the user information and look at the groups that the user is in. Then search on Google for privilege escalation.
Rooted! Relatively easy box; I fell into a rabbit hole for a short period of time because the first couple of Google pages described some overcomplicated way to root, which I tried to replicate.
User was extremely easy to get; root, on the other hand, was a bit tricky if you are used to old habits, you've got to try new things. Thanks to @hasky and @Solarstorm for the nudge on root.