Nest

Thanks @syn4ps

They are actually great tools and to be honest I discovered them lately.

What I did to decrypt the password is to write the decrypt function in python using PBKDF2.

But it seems to me that it does not give the same results as the .NET Rfc2898DeriveBytes function.
Even though Google told me they are similar. :smiley:

So I am wondering if it is possible to implement the decrypt function in python and if so, how?

@gor00 said:

Thanks @syn4ps

They are actually great tools and to be honest I discovered them lately.

What I did to decrypt the password is to write the decrypt function in python using PBKDF2.

But it seems to me that it does not give the same results as the .NET Rfc2898DeriveBytes function.
Even though Google told me they are similar. :smiley:

So I am wondering if it is possible to implement the decrypt function in python and if so, how?

Have a look at the source code - I am away from my box so I can’t check, but I seem to recall there was more than one step.
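A mismatch like the one described in the exchange above usually comes from the parameters and call pattern rather than from PBKDF2 itself. The following is an added example, not code from the thread or from the box: it reproduces the sequential `GetBytes` behaviour of `Rfc2898DeriveBytes` on top of `hashlib.pbkdf2_hmac` and shows the common porting bug next to it. The class and function names, the 32/16 byte lengths and the sample passphrase and salt are constructed for illustration.

```python
import hashlib


class Rfc2898Stream:
    """Mimics .NET Rfc2898DeriveBytes: one PBKDF2 stream, read sequentially."""

    def __init__(self, password: bytes, salt: bytes,
                 iterations: int = 1000, hash_name: str = "sha1"):
        # .NET defaults: HMAC-SHA1 and 1000 iterations unless the caller
        # passes something else. Encode password/salt exactly as the .NET
        # code does (e.g. Encoding.ASCII vs UTF-8) before calling this.
        self.password, self.salt = password, salt
        self.iterations, self.hash_name = iterations, hash_name
        self._offset = 0

    def get_bytes(self, count: int) -> bytes:
        # GetBytes() continues where the previous call stopped, so derive
        # the stream up to the new end and slice out the fresh part.
        end = self._offset + count
        stream = hashlib.pbkdf2_hmac(self.hash_name, self.password,
                                     self.salt, self.iterations, dklen=end)
        chunk = stream[self._offset:end]
        self._offset = end
        return chunk


def derive_key_and_iv(password, salt, iterations, key_len=32, iv_len=16):
    """Key first, then IV, from the same stream (a common .NET pattern)."""
    kdf = Rfc2898Stream(password, salt, iterations)
    return kdf.get_bytes(key_len), kdf.get_bytes(iv_len)


def naive_key_and_iv(password, salt, iterations, key_len=32, iv_len=16):
    """Typical porting bug: two independent PBKDF2 calls restart the stream."""
    key = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)
    iv = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, iv_len)
    return key, iv


if __name__ == "__main__":
    pw, salt = b"constructed-passphrase", b"constructed-salt"  # constructed
    key, iv = derive_key_and_iv(pw, salt, 2)
    _, bad_iv = naive_key_and_iv(pw, salt, 2)
    print("key     ", key.hex())
    print("iv      ", iv.hex())
    print("naive iv", bad_iv.hex(), "(just the first bytes of the key)")
```
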

rooted box was really good @VbScrub

I’ve found the dg password and used the “abilities” granted by it to browse the L folder, and to read the contents of the l***.c*** file. What I cannot figure out is how to exfiltrate the executable in order to examine it further…

None of the SMB entry points available to me put me in a location where I can browse back up the tree to the L*** folder.

Hoping someone can give me a nudge in the right direction, 'cos I think I’m close to the finish line.

@paddanada said:

I’ve found the dg password and used the “abilities” granted by it to browse the L folder, and to read the contents of the l***.c*** file. What I cannot figure out is how to exfiltrate the executable in order to examine it further…

You already have the executable in the user’s folder where you got the d****g password file from

@VbScrub said:

You already have the executable in the user’s folder where you got the d****g password file from

Oh, good grief… I knew I was probably overthinking it, but I didn’t realise it was by that much. Thank you.

edit: got root - thanks @VbScrub for the fun (and brain-mashing) box, and the tip. Learned a ton during this one.

Finally Rooted.

For someone that has never programmed before, this was pretty difficult, especially reversing.

Thank you to @BINtendo and @T13nn3s for the nudges.

oh before I forget, F U @VbScrub :wink: , Thank you for the valuable skills I picked up!

Finally rooted.

Very nice box even though I lost a lot of time because I forgot about some techniques like the n** s****m.

Thank you @VbScrub

Finally Rooted. Definitely not easy. I had just gotten done Obscurity before I tackled this box and I’d say this is more in line with that box difficulty wise. Very, very CTF-y with a few rabbit holes and a small splash of real world. I learned 1 thing I think I can take with me to other boxes, the rest I already knew or was pretty much specific to this box.

Not really sure of any other advice/hints that haven’t already been posted here.

Definitely fun and a good challenge. Thanks @VbScrub !

Spoiler Removed

Thanks @VbScrub
This was the first HTB machine I tried, and took me about 5 hours effort all in, although I did have to read through 10 pages or so of this before I clicked I was looking in the wrong place (… is not where I should have been, mean of you)

I wouldn’t have got to the end if it wasn’t for people here drawing attention to the empty file. For those that have completed it, would you mind saying how you would enumerate /all/ files in such a way as to find such a duplicity?
And for those that do engagements, if you had a two week engagement, would you actually have been looking for a file like this?

@menorevs said:

Is this allowed?

YouTube

I’m gonna say almost certainly no lol you’re not allowed to post spoilers, so why would you be allowed to post a video showing everything you’re doing?

@coldpenguin said:
And for those that do engagements, if you had a two week engagement, would you actually have been looking for a file like this?

I worked in Windows network/server admin for about 8 years in many different organisations and never saw anyone actually use this “feature”. Most don’t even know it exists. There are plenty of tools out there that can help you locate files with this feature though if you did want to be thorough and check for this kind of thing. You’ll find them with a quick google search easily enough

for any help just pm me :slight_smile:

got the user thanks for the help @menorevs

ROOTED! Shoutout to @Ezza, @MarsG and @TazWake on the nudges and patience. picked up on a few new techniques! @VbScrub Great box homie. it was frustrating but learned more goodies. keep em coming!

Rooted! Thanks for the hints everyone, I had to do a bit more code editing than I expected but that’s ok. I think I may have done a couple of things the hard way…

I had hoped to be able to accomplish this entirely using CommandoVM (Windows) but I was unable to get the D**** password without using Kali. Could someone message me how I could have done it with Windows? e:got it, thanks monorevs

There were definitely parts of the box that I got frustrated with for a while but I managed to figure out most of it myself I think. If anyone else is struggling message me and I’ll try help.

@GlenRunciter said:

could someone please help me with the VB reversing? it’s driving me insane

I am struggling too with that… :frowning:

@TazWake said:

@drset said:

Ok, got user, I’m trying to get ROOT. I have the debug password and I used it to access the extra options, didn’t get anything new from that, only a couple of paths that I already had.
I also have the exe that connects to LP. Used a d******r to see what it does… aaaand I’m super lost … help plz?

Read more. When you say you didn’t get anything new, that might mean you haven’t used it to enumerate enough. Loot is available.

I was able to get it, having just been focused only able to access the one port. Server keeps getting knocked down, I overlooked it at first. Thanks mate!

@VbScrub said:

@coldpenguin said:
And for those that do engagements, if you had a two week engagement, would you actually have been looking for a file like this?

I worked in Windows network/server admin for about 8 years in many different organisations and never saw anyone actually use this “feature”. Most don’t even know it exists. There are plenty of tools out there that can help you locate files with this feature though if you did want to be thorough and check for this kind of thing. You’ll find them with a quick google search easily enough

So while I haven’t seen many admins hide loot in this manner, there are lots of attacker/attack groups who do. You can execute from this place so it’s a good home for “evil.”

As you say, while it is a bit awkward finding it over the connection method in this box, if you have an actual shell on the victim a recursive search will uncover it and there is no reason why redteamers/pentesters/whatever shouldn’t put that in their enumeration tool kit. Even if you don’t find loot for the pentest, you might uncover evidence of previous attacks which is equally valuable.

@acidbat said:

@GlenRunciter said:

could someone please help me with the VB reversing? it’s driving me insane

I am struggling too with that… :frowning:

It doesn’t need to be a full on gdb analysis. It might be easier to use some of the tools previously mentioned to decompile the sample and look at the statements. There is only one bit you need to extract.