I’ve enumerated the low port, got tmp user creds, authenticated with that, pulled all the files I can. I’m hung up on the base64 encoded string in RU****ml, I feel like I need to make sense of that to then connect via LP although can’t get that to resolve to anything. Spent lots of time playing with chef to try and make something out of it, no luck. I’ve moved over to a windows box and redone my enumeration bc I heard it might help viewing some files - hasn’t yet.
As for the higher port, connecting via telnet I can’t read any of the files, though I’ve got some good information as to what is running on the host (LP). I keep trying to view the files listed at the bottom of co****ml although can’t.
Still confused as to what service is running on the high port and if I should be trying to connect to it using an actual service instead of telnet. When searching google for the banner of the high port all that comes up is pastebin post with answers I don’t want lol PM nudges would be appreciated.
(Quote)
same here. i even ran it through SQL Server, since it can natively decode base64, but it still ends up being a bunch of gibberish
If you base64 decode the first password hash it actually does look like a password (complex but still a password). After trying all combinations of overcome usernames and passwords without a match I realized that the hash needed some special handling to turn into a valid password. Don’t know if @VbScrub did this intentionally but I was tricked by it initially.
Finally rooted the box. Shout out to @Radixx for nudges, really appreciated. I’ll try and summarise my nudges here for others to visit and move along.
Initial foot-hold
Enumerate, download files, carefully read them. You’ll get something that can be used again to enumerate the service, and now you won’t be that extra unwanted guest in the system.
User
You need 3 very important pieces of information from all the files you gathered in the last step, to move forward. One of them may seem very insignificant but it is the most important one. You’ll have to move through the dark but this “Insignificant” piece of information will guide you to the destination. Once you reach your final destination, assemble all the pieces together, and get the user flag.
Root
Once you have the user, enumerate the service again, download all files. You might see an empty document but it is not empty, it has important data flowing through it. I used a windows machine for this step. Assemble all the pieces together and enumerate the other service now, because now you can. At this point you’ll need to find, one readable and one non-readable file to get the root. You will need to spy on the non-readable file to get the information you need to reverse the other readable information.
Shell
PS. I love you.
NOTES:
There will be no shell, till you get to root, so don’t even try.
The machine has all the information, no need for the guess work. Keep digging.
Aaand that’s a wrap… got root. For people who don’t have much experience working with Windows in pen-testing or laid off a bit in Windows VM (like me), it might be a bit of a challenge. Has anyone done it purely on Linux machines? If yes, DM me. I did it mostly on Linux, but had to jump to Windows.
Awesome box, finally rooted in the intended way. No shell required till root, SMB is enough, and you need a Windows OS in some parts. Thanks for the hints and this box @VbScrub.
Yup, i found what i needed for that hash, i’m just waiting for visual studio to finish installing now :))
This box is not “Piece of cake” at all. It’s more easy/medium box.
Imo, the admins should reset the user rating after the unintended method got patched.
Box is a bit CTF but it’s a great introduction to windows RE.
If you PM, please tell me what you have done so far or I cannot help you.
USER: completed.
ROOT: found the exe file, but not sure on how to use it, since I have not a shell on the machine (I took user flag through smbclient…)
furthermore, I have not found the high port, even after nmap/masscan… any hint?
how did u make that with smbclient. I already found some credentials on the Template, but idk where to use those credentials, can u help me out
What about, you connect to open ports with these credentials.
smbclient \\\share -u
I think it works. replace for the target ip and for user you found.
Actually it’s capital -U
smbclient \\\\{ip}\\share -U {user}
@JungleManJack said:
Looking for some help, been at this a while:
I’ve enumerated the low port, got tmp user creds, authenticated with that, pulled all the files I can. I’m hung up on the base64 encoded string in RU****ml, I feel like I need to make sense of that to then connect via LP although can’t get that to resolve to anything. Spent lots of time playing with chef to try and make something out of it, no luck. I’ve moved over to a windows box and redone my enumeration bc I heard it might help viewing some files - hasn’t yet.
As for the higher port, connecting via telnet I can’t read any of the files, though I’ve got some good information as to what is running on the host (LP). I keep trying to view the files listed at the bottom of co****ml although can’t.
Still confused as to what service is running on the high port and if I should be trying to connect to it using an actual service instead of telnet. When searching google for the banner of the high port all that comes up is pastebin post with answers I don’t want lol PM nudges would be appreciated.
Thanks!
Go back to the files you got.
Research them.
Check all possible paths.
Don’t make assumptions.
@kan3k1 said:
Hey I am having issues on the last step.
I managed to get H* L* .exe, the empty file and H* _C* _B* .xml, but when trying to run it with mono:
“Please ensure the optional database import module is installed”
I am using Linux, probably that’s why I am having so many issues with running the exe
When I execute the script in an online compiler, where do I place RU_Config.xml? Do I create another window in the online compiler and paste in the username and encrypted password? Or if I did this in visual studio, do I just have the xml file in the same directory on Windows explorer?