Monteverde

I found the domain, groups and users. I have bruteforced for passwords but just nothing!
Anybody who can PM me about the tool I need to use to find a password? I am lost atm…

Try to use other tools if you can't find a valid user/pass combo.

ok, AV on the box is a real b#tch. I’m not sure if my attempts to bypass AMSI will crash the entire thing.

The password should be exposed or captured somewhere, but the question is: where :slight_smile:

I also used Apache Directory Studio in case I missed something in the LDAP, but found nothing suspicious… weird. Any nudge on how to find valid passwords?

Update: If you hit a wall, use a different tool

Ok depends on the tools, too. Found a way in.

but how dude?

Found some interesting files but am ultimately stuck…
My normal windows tricks aren’t working.

Any nudges on root would be appreciated.

@theGent said:
Found some interesting files but am ultimately stuck…
My normal windows tricks aren’t working.

Any nudges on root would be appreciated.

I think I know what files you mean coz I found them as well, now I'm trying to find a way to decode them.
It's 3 AM and I am obsessing over the ■■■■ box and can't sleep.

I'm stuck just with a K** _ **R_C****T_***OKED

FYI, user access doesn't require any brute-force or password cracking, just a little real-world thought process when it comes to how devs implement account creation sometimes. From there just look through normal files and you should find what you need for user shell.

If anyone is working on the A**** TC.d** for root, could use a pointer there, not very familiar with the underlying system

Would appreciate some help on PrivEsc. I suspect it's got to do with A**** but not sure how to proceed. Anyone who could PM me with a pointer?

That took some playing around but user owned :smiley:
On to the Admin!

<3

@g3of0xx said:

Would appreciate some help on PrivEsc. I suspect it's got to do with A**** but not sure how to proceed. Anyone who could PM me with a pointer?

Yes, you're on the right track. There's another service hosted on the victim that will help/is needed for root. You can enumerate that service manually to gain more info.

Spoiler Removed

Rooted! Root was fun!! PM me for nudge!

I hope this is not really connected to azure because …

For user:
No impacket required
No bruteforce required but it can help speed up the process if u are thinking right :slight_smile:
suppose u are lazy and cannot think of a good password :slight_smile:

Hints:

  • User: Basic enumeration, then think about lazy password practices. It’ll only work with one tool.
  • Root: You’ll see the area of interest quickly. Some googling and some slight tweaking will get you this quickly

Overall a nice quick machine, learned something new at root, and user gave me another thing to add to my standard checks

@clubby789 said:

Hints:

  • User: Basic enumeration, then think about lazy password practices. It’ll only work with one tool.
  • Root: You’ll see the area of interest quickly. Some googling and some slight tweaking will get you this quickly

Overall a nice quick machine, learned something new at root, and user gave me another thing to add to my standard checks

share those checks please, not for this box but for learning