Nest

Finally rooted! Thanks for this one @VbScrub this box was so much fun! The best hint I can give is don’t overlook ANYTHING, that’s the lesson I learned from this one lol my last easy box, time for some mediums :slight_smile:

Disassembly of that executable can be done via a simple tool on Windows.
Hint: Ispy or Dspy

I cracked the encrypted password for admin from high port but cannot login with the password. Have been stuck for 2 days now after having password. Not sure if I missed a piece of information on the way. Can someone pass over a hint?

@boxbox said:

I cracked the encrypted password for admin from high port but cannot login with the password. Have been stuck for 2 days now after having password. Not sure if I missed a piece of information on the way. Can someone pass over a hint?

When you say you can’t login, what do you mean?

You should be able to map to the filesystem share if you have the correct password.

I get logon failure when mapping to filesystem share. I initially decrypted by guess and check and then to double check decompiled the file to decrypt again. Same password but still doesn’t work. Very curious what I missed/did wrong

@boxbox said:

I get logon failure when mapping to filesystem share. I initially decrypted by guess and check and then to double check decompiled the file to decrypt again. Same password but still doesn’t work. Very curious what I missed/did wrong

Chances are you’ve got the wrong password. If you decrypted the admin password with a guess I’d be truly amazed if you got it correct.

If you want to PM me I can be more specific but if you are getting a logon failure, it implies the password is wrong.

@TazWake said:

@Gh0stBl4ck said:

I managed to enumerate some directories, but I only get access denied, I tried to upload scf but always access denied, I’m trying to make my first machine.
Could someone help me?

You don’t need to upload anything. This is not an easy box, you might want to practice on some others first, unless you understand Visual Basic.

If you want to do this box 99% of it is enumeration. No exploitation is required. You need to access the service with the right client and read everything you can.

I understand, I do not understand visual studio, but is it possible to finish the box only with enumeration?

I found several directories and even some .txt files, but I can’t download the files or open them.

Could you guide me? I will be grateful.

@Gh0stBl4ck said:

@TazWake said:

@Gh0stBl4ck said:

I managed to enumerate some directories, but I only get access denied, I tried to upload scf but always access denied, I’m trying to make my first machine.
Could someone help me?

You don’t need to upload anything. This is not an easy box, you might want to practice on some others first, unless you understand Visual Basic.

I understand, I do not understand visual studio, but is it possible to finish the box only with enumeration?

I found several directories and even some .txt files, but I can’t download the files or open them.

Could you guide me? I will be grateful.

No you can’t finish the box with only enum.

If you cannot download them you’re probably using the wrong tools.

I got user.txt, but I missed what to do next. I found Empty file and H*****P.exe, but I can’t find password hash from them.

Thanks @VbScrub for machine, it’s not green machine :smile: the frustrating part is finding the right file in smb directory but “++” can help you to find what you don’t see. It was a great exercise to learn a little bit of VB, root is simple, reverse and go back.

@menorevs said:

@Gh0stBl4ck said:

@TazWake said:

@Gh0stBl4ck said:

I managed to enumerate some directories, but I only get access denied, I tried to upload scf but always access denied, I’m trying to make my first machine.
Could someone help me?

You don’t need to upload anything. This is not an easy box, you might want to practice on some others first, unless you understand Visual Basic.

I understand, I do not understand visual studio, but is it possible to finish the box only with enumeration?

I found several directories and even some .txt files, but I can’t download the files or open them.

Could you guide me? I will be grateful.

No you can’t finish the box with only enum.

If you cannot download them you’re probably using the wrong tools.

So, I already found some files in .txt only that I can’t download using the standard Linux commands and I can’t even open them to read, I’m trying to do this for days and I don’t leave the same place - ’

I will be grateful for any help and thanks again for answering my previous questions.

Snagged root! Thanks for the help Forum!!!

Plenty of hints already from plenty of people better than I, but I will say this, after getting User, when you’re going for Root, don’t go crazy…the process is similar you just need to get some new data. Don’t stress trying to get the new program to run. Take it apart and get what you need and get out. @VbScrub, Thanks for the fun! Sometime I hope my VB-foo is as good as yours!

You can use online editor and use only a “part” of the VB code.

@MentalForklift said:

Ok, throwing in the towel and asking for help…
I realize there are 20+ pages of help before this, and I’ve read through them all. I’m somewhat familiar with Windows so from what I can see that made it a bit easier on me so far. I actually feel like I’m close to opening up the whole box. Here’s what I know, what I have, and where I need a nudge:

I enumerated everything I could find with the initial foothold, I gained access to the lower service.
I found the historical record the target visited in the files of a popular, free, editing program.
That led me to find out I had more access to the machine than I thought, so then I found files of the user’s project.
I read through the hints on seeing data in files that look empty (but from what I gather I don’t need that until the next step)
So like most I’m stuck at the project…

I am somewhat new to reversing, but luckily have some visual experience with the syntax used. After reading through it seems the variables may provide all the information I need. Thing is, using the online compilers I can’t seem to fix all the errors. So changing gears…I read in other posts that people were able to “crack” everything without having to use the custom basic script at all.
Can’t I do that too? I mean, as I said the variables have all the info I need from what I can see…so before I chase the white rabbit to its hole can someone let me know if I can do this without using the program at all?

and if I’m way off let me know, but so far this has been fun, and I’m looking forward to getting user so I can move on to the part I think I know more about…

EDIT: Should clarify, when I say I think I have everything I need for the User step it’s because I really do… I have the output of the program I’m working through, the one that contains what was encrypted. So now it’s just a matter of reversing the process.

@Jumecittu said:

You can use online editor and use only a “part” of the VB code.

@MentalForklift said:

Ok, throwing in the towel and asking for help…
I realize there are 20+ pages of help before this, and I’ve read through them all. I’m somewhat familiar with Windows so from what I can see that made it a bit easier on me so far. I actually feel like I’m close to opening up the whole box. Here’s what I know, what I have, and where I need a nudge:

I enumerated everything I could find with the initial foothold, I gained access to the lower service.
I found the historical record the target visited in the files of a popular, free, editing program.
That led me to find out I had more access to the machine than I thought, so then I found files of the user’s project.
I read through the hints on seeing data in files that look empty (but from what I gather I don’t need that until the next step)
So like most I’m stuck at the project…

I am somewhat new to reversing, but luckily have some visual experience with the syntax used. After reading through it seems the variables may provide all the information I need. Thing is, using the online compilers I can’t seem to fix all the errors. So changing gears…I read in other posts that people were able to “crack” everything without having to use the custom basic script at all.
Can’t I do that too? I mean, as I said the variables have all the info I need from what I can see…so before I chase the white rabbit to its hole can someone let me know if I can do this without using the program at all?

and if I’m way off let me know, but so far this has been fun, and I’m looking forward to getting user so I can move on to the part I think I know more about…

EDIT: Should clarify, when I say I think I have everything I need for the User step it’s because I really do… I have the output of the program I’m working through, the one that contains what was encrypted. So now it’s just a matter of reversing the process.

Thanks! I figured that’s where I was gonna have to go with this anyway. Just wanna double check.

Got user, on to root. I spent probably 10 hours on the user project, and now I feel really silly. If you are stuck on the user project, you are probably overthinking it. The cake is baked, you just need to frost it. Your main focus should be to write different lines and test the result.

@Gh0stBl4ck said:

I understand, I do not understand visual studio, but is it possible to finish the box only with enumeration?

I found several directories and even some .txt files, but I can’t download the files or open them.

Could you guide me? I will be grateful.

So, like @menorevs said, there are some bits you need to do more than read files on, but it isn’t much more.

First off make sure you are using the native client on Kali to access the correct port. The one most people rush on because it looks different isn’t needed yet and you can use telnet for that. You can’t do anything there until pretty much after you’ve got user.

Read everything you can access and read the things that tell you what you can access even if you thought you couldn’t.

Extract everything you can. Exfiltration for the win.

When you find the files, install a free version of Visual Studio on a Windows box somewhere (or find a way to do this online, I used VS so I can’t help with anything else).

Open the files and read them.

Find out where the good stuff happens and add a statement to write out the loot. Build the program in VS and run the exe from the command line.

You have the password to log in as a user.

@snowleaf said:

I got user.txt, but I missed what to do next. I found Empty file and H*****P.exe, but I can’t find password hash from them.

This sounds like a ■■■■ answer, but for the first one, look harder. You won’t get a hash from either, but you will get what you need to get the hash.

@MentalForklift said:

I am somewhat new to reversing, but luckily have some visual experience with the syntax used. After reading through it seems the variables may provide all the information I need. Thing is, using the online compilers I can’t seem to fix all the errors. So changing gears…I read in other posts that people were able to “crack” everything without having to use the custom basic script at all.

You are spot on, you have everything. The next step is more tool based than hard.

I strongly advise installing Visual Studio if you can, for sanity if nothing else.

I’ve not used an online tool so I can’t comment on the problems but you should be able to get away with just using the block you need and changing what it asks for. For example if it asks for an external file, you may need to change that because you can’t point the online compiler at the file.

There isn’t that much you need to do to get user - just make the script work, make it read the hash and make it give you output.

Can’t I do that too? I mean, as I said the variables have all the info I need from what I can see…so before I chase the white rabbit to its hole can someone let me know if I can do this without using the program at all?

I am not aware of a way people worked out the password without decrypting it. You can try to recreate the crypto settings with a tool like CyberChef, but that feels a LOT harder as you’d need to fully understand each step.

I feel really stupid asking this but I have no idea where to go from here, after searching Google. I have used telnet and nc to get to the server on ports found. When I’m there, I am told I can run runquery but I always get an error every single time I want to process that command. I get an ‘invalid database config found. please contact your system admin’ message.

Anyways, I have found some interesting files but I can neither read the files nor download or upload files… I’m lost. I found the ports, got to the machine, I’m supposed to enumerate, but I can’t aside from switch directories… Please help me… I’m desperate…

Thank you!

@TurinGiants said:

I feel really stupid asking this but I have no idea where to go from here, after searching Google. I have used telnet and nc to get to the server on ports found. When I’m there, I am told I can run runquery but I always get an error every single time I want to process that command. I get an ‘invalid database config found. please contact your system admin’ message.

Never feel stupid asking for help. Not one of us was born knowing this so we all need to learn things.

My main tip is to ignore that port. You don’t have the way to do anything on it so move on.

Anyways, I have found some interesting files but I can neither read the files nor download or upload files… I’m lost. I found the ports, got to the machine, I’m supposed to enumerate, but I can’t aside from switch directories… Please help me… I’m desperate…

If you are on the other port, Kali has a built-in client which allows you to download files. Ignore the one you can’t make any headroom on and concentrate on the one you can.