Nest

Hi, I have found the Ch credential as T*r. I have no idea what to do with it though; I know the tool, but I have no idea what to do with it or where to start. Assistance would be much appreciated.

@H8des said:

Hi, I have found the Ch credential as T*r. I have no idea what to do with it though; I know the tool, but I have no idea what to do with it or where to start. Assistance would be much appreciated.

You need to crack it. This has been discussed a lot on this forum. Check the early pages.

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

is host working on your side?

Rooted. Thanks @VbScrub for the box. Not exactly an easy one. Enumeration, code review, disassembling, reversing… easy just looking back at what you have done. Maybe a medium level.

@malwarepeter said:

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn

is host working on your side?

Try to activate the box from the site.

I got root just now (thanks to @applepyguy for supporting me).
Here are my hints:

  • user: just enumerate and look for all possible files to get information about all
  • root: starting from the user folder, check for hidden files and use a new service to get root

Is the file D**** M*** P******d.txt supposed to be blank?

Having issues debugging the .exe file. Can anybody help me out please?

You’ve excluded some data either side of that - possibly because it looks junk. It isn’t. If you’ve cracked the hash, the whole output is the password. The first and last character are the same.

@TazWake
You were right! Thank you so much!

Rooted. Feel free to PM for help. Don’t bother unless you iterate what you’ve already tried and why and where you’re stuck.

There are some interesting opinions here about this box. Firstly, it’s entirely doable to complete it in Linux only (which I did), and I don’t think people who disagree really have a leg to stand on. I also think it’s probably accurate to rate it as a medium and not an easy box, which comes down to two reasons for me. One being that it’s a Windows box and not a lot of people are as comfortable or familiar with Windows as they are with Linux (myself included). Obviously this on its own doesn’t make it rated medium difficulty, but what does is this fact paired with some of the interesting Windows and .NET oddities that I would guess a large majority of users aren’t familiar with.

In saying that, I LOVED this box. We need more Windows boxes like it in the future. The fact that all it relies on is heavy enumeration and no exploits is amazing, and I think this is a good thing in that it doesn’t encourage the “exploit-hunter” tunnel-vision and mindset.
The trick with the 0 byte file is so obvious for anyone who knows about it, but again, not many people are that familiar with Windows. Learning that alone is worth its weight in gold for this box.
As much as I would never touch Visual Basic of my own volition, the way in which you get exposed to it in this box is perfect. You’re not forced to write a single line, but you definitely need to read a fair bit of it and understand some of the absolute basics in order to get what you need from the code to progress.
And lastly, the exposure to reverse engineering is great for not only those who haven’t done it before, but even for people with some experience. I myself have a fair bit of experience with disassembling and reverse engineering and ran into a few roadblocks which taught me new things. I’ll definitely keep the ILSpy tool in my toolbelt for future use.

Thanks for such an enjoyable box, keen to see more in the future @VbScrub

Anyway, everything you need to complete the box is in the 35 pages of comments in this thread. Anything commented by @TazWake is gold. I’ll still leave my hints anyway, since sometimes a minor variation in wording can help.

Initial Foothold: Yes, only one port is open, but that’s really all you need. Literally just enumerate and read everything and you’ll be in in no time.

User: More enumeration and reading will get you creds, but you’re going to need to decrypt the password. Find the program that would have done this and look through the source code. It’s a lot easier to do this using an IDE like Visual Studio Code. Copy the functions you need into an online compiler and use them to crack the password.

Admin: This is really a more convoluted iteration of what is done to get user credentials. You’ll need the content from a file that is masquerading as a 0-byte file. There are plenty of comments in this thread on how to do that. Lastly, you’ll need to look deeply inside. Use ILSpy.

@MalwareCat thanks for the really solid feedback and glad you enjoyed it :slight_smile:

@MalwareCat said:

In saying that, I LOVED this box. We need more Windows boxes like it in the future. The fact that all it relies on is heavy enumeration and no exploits is amazing, and I think this is a good thing in that it doesn’t encourage the “exploit-hunter” tunnel-vision and mindset.
The trick with the 0 byte file is so obvious for anyone who knows about it, but again, not many people are that familiar with Windows. Learning that alone is worth its weight in gold for this box.
…
Thanks for such an enjoyable box, keen to see more in the future @VbScrub

@MalwareCat Totally agree with you, I loved this box also! Thanks a lot @VbScrub. And not so “easy”, it was a “medium” box for me :wink:

Question on root:
I got Administrator credential hash.

I assume brute-forcing SHA256 is not the proper way to get the admin cred. I can see the EXE source code via ILSpy, and have a plan that might involve a “patch”, but I’m not sure if root requires EXE patching as the proper solution or whether another, simpler workaround is involved.
Can someone please hint via PM?

@obi0ne said:

Question on root:
I got Administrator credential.

I assume brute-forcing SHA256 is not the proper way to get the admin cred.

It isn’t.

I can see the EXE source code via ILSpy, and have a plan that might involve a “patch”, but I’m not sure if root requires EXE patching as the proper solution or whether another, simpler workaround is involved.

You can get the clear text for the creds from the information you can find on the box. I certainly don’t recall seeing anything related to patching anything to solve this box.

@VbScrub is the creator and very active here so may be able to help more.

@obi0ne said:

Question on root:
I got Administrator credential hash.

I assume brute-forcing SHA256 is not the proper way to get the admin cred. I can see the EXE source code via ILSpy, and have a plan that might involve a “patch”, but I’m not sure if root requires EXE patching as the proper solution or whether another, simpler workaround is involved.
Can someone please hint via PM?

No there’s no brute forcing required.

If you want to patch the EXE you can do that. It wasn’t the exact intended method, but I have seen some people do that and make it work for them. An easier way is to do something similar to what you did for the user flag part and just copy and paste the code and tweak whatever you need to get it to decrypt your input.

Rooted

Notes
One of the most thorough boxes I have done. Everything is on the box; however, I used my Windows machine for decryption work for both the c**** and a****** users. Even for de-compilation work I used the Windows machine. It felt easy as I have a Windows background as well as the tools.

I loved the decryption routine, Mr. Creator, the way you used the concepts for the journey of this box. I am planning to use that module for my own encryption usage :wink: I hope you don’t mind that (you are the one who shared it… lol). It definitely was an interesting box. It was not easy, as it involved a lot of enumeration, decryption using a particular module, de-compilation, and a hidden critical piece of information using certain methods not a lot of people remember or care much about now (they have forgotten about those alternative river streams); even if they know about it, fetching could be a challenge for some, but not for me :wink:. Then that high port service was also a twist in the story, and how to deal with it to get the things you need; a lot of enumeration was needed to reach the critical point, which was not too far from where you normally land when you connect using telnet to that port.

Loved the box. Windows priv escalation has always been interesting; I hope you come up with more boxes like this to practice.

Thanks

rooted :smile:

@VbScrub thanks for awesome box :slight_smile:

Rooted !
DM if you’re stuck

A really lovely box with lots to learn for beginners in the user phase and still something that I could take away from the root phase. I don’t know if I’d qualify it as easy, though, at least for the root flag, it does take a bit of knowledge of the inner workings of the NTFS alternate streams which isn’t necessarily common knowledge (ok, maybe just for me, but then again, I come from Linux so what do I know about Windows?).

Fun box that gave me something to ponder and something to learn, never boring and never dependent on brute force. Just like it should be.
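For readers who, like the poster above, come from Linux and have not met NTFS alternate data streams before: the following is an added example, not code from this thread or from the box author, showing how an administrator or forensic analyst lists the named streams on files with PowerShell. It walks a folder tree, reports every stream other than the primary `:$DATA` stream, and then prints the contents of streams attached to files whose primary stream is 0 bytes (the “blank file” case discussed earlier in the thread). The `$Root` path is an assumption; point it at the tree you are auditing.

```powershell
# Added example (not from the thread): find files whose primary ($DATA) stream is empty
# but which carry named NTFS alternate data streams.
# Assumes an NTFS volume and PowerShell 3 or later (Get-Item -Stream was added in 3.0).
param(
    [string]$Root = 'C:\Users\Public'   # assumed starting folder; adjust to the tree you are auditing
)

function Find-HiddenStreams {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every $DATA stream of the file; the primary one is named ':$DATA'
            # and is the only one Explorer and a plain 'dir' ever show.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
            $named   = $streams | Where-Object { $_.Stream -ne ':$DATA' }

            foreach ($s in $named) {
                [pscustomobject]@{
                    File         = $file.FullName
                    PrimaryBytes = $file.Length   # size of the primary stream (what 'dir' reports)
                    Stream       = $s.Stream      # name of the alternate stream
                    StreamBytes  = $s.Length      # size of the alternate stream
                }
            }
        }
}

$hits = Find-HiddenStreams -Path $Root
$hits | Format-Table -AutoSize

# A 0-byte file that carries a named stream keeps its real content there:
# read it explicitly with -Stream, since Get-Content without it reads only the primary stream.
foreach ($h in ($hits | Where-Object { $_.PrimaryBytes -eq 0 })) {
    Write-Host "`n== $($h.File):$($h.Stream) =="
    Get-Content -LiteralPath $h.File -Stream $h.Stream
}
```

Expect plenty of `Zone.Identifier` streams in the output: Windows attaches that one to files downloaded from the internet, so it is benign noise rather than a hidden file. From a plain `cmd.exe` prompt, `dir /r` gives the same per-file stream listing without PowerShell, and Sysinternals `streams.exe` does the recursive walk. In a detection context, a file whose primary stream is empty while a named stream is not is the pattern worth alerting on.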

A great thanks to the author: what a beautiful puzzle with hints at every step. Looking back the hints are really obvious, I guess that’s why the author marked this as “easy”. A small advice that I learned the hard way: do not browse too much, everything’s within hand’s reach. I spent too much time going through unnecessary folders when just a few folders up or down had everything I needed.