Official Blackfield Discussion

myrtle · June 24, 2020, 7:10am

Really interesting. First time, root.txt was empty. After a reboot, root.txt gave Access Denied. Then, after waiting a few hours and trying again, I can read the flag. Then that flag was rejected. What is going on there ? In the end, I’ve switched VPN. Found a running instance and was able to extract the flag.

aswathamasam · June 24, 2020, 10:20am

i m stuck with two user creds bt they are not working with evil they are only working with smbc**** and rpc*** …any nudges to get user.txt

HomeSen · June 24, 2020, 11:49am

@aswathamasam said:

i m stuck with two user creds bt they are not working with evil they are only working with smbc**** and rpc*** …any nudges to get user.txt

Both services can be used for further enumeration You will eventually find credentials that allow you to go evil

sparrow1 · June 24, 2020, 6:27pm

Type your comment> @myrtle said:

Really interesting. First time, root.txt was empty. After a reboot, root.txt gave Access Denied. Then, after waiting a few hours and trying again, I can read the flag. Then that flag was rejected. What is going on there ?

I have the same problem on edge-eu-free-2.hackthebox.eu server.

root.txt is not accessible for some time after reboot. And when it became accessible it is the same as before reboot. I understand that flags are dynamic and it should be regenerated and different on every reboot.

HomeSen · June 24, 2020, 9:18pm

@sparrow1 said:

Type your comment> @myrtle said:

Really interesting. First time, root.txt was empty. After a reboot, root.txt gave Access Denied. Then, after waiting a few hours and trying again, I can read the flag. Then that flag was rejected. What is going on there ?

I have the same problem on edge-eu-free-2.hackthebox.eu server.

root.txt is not accessible for some time after reboot. And when it became accessible it is the same as before reboot. I understand that flags are dynamic and it should be regenerated and different on every reboot.

Please file a ticket at HTB’s JIRA, so they can see that the dynamic flag system tends to break way too often: Jira Service Management

Scarleton · June 25, 2020, 3:22am

So I got s##_####u# to be able to “observe” things they shouldn’t. S## file retrieved and useless. Can’t get to the file I need to get root and found an odd PS script. Any pointers? I feel like Elmer Fudd (even though he’s be nerfed). TIA

Roinard · June 25, 2020, 6:29am

Rooted ! Awesome box, I learned some new things

PM me for nudge !

Netool1337 · June 26, 2020, 8:45am

Great job Create ! rooted

PM for nudge.

Encomo · June 26, 2020, 12:22pm

After spending way too much time going in circles I would like it if someone can give me a nudge towards root. I could be mistaken but considering other hints here and the privileges I have I should go after an important file. However all tools I can find regarding this file don’t seem to work.
Not too many spoilers please, just a little nudge in the right direction would be appreciated.
Thanks in advance!

HomeSen · June 26, 2020, 12:32pm

@Encomo said:

After spending way too much time going in circles I would like it if someone can give me a nudge towards root. I could be mistaken but considering other hints here and the privileges I have I should go after an important file. However all tools I can find regarding this file don’t seem to work.
Not too many spoilers please, just a little nudge in the right direction would be appreciated.
Thanks in advance!

There’s also a way without grabbing that file

derco0n · June 26, 2020, 1:53pm

I’m stuck at root as well.
Learned a lot about Token’s and Privileges but I’m unable to get this one very imported file even though i have the privs i need to.
Nudges welcome. Thank you.

derco0n · June 26, 2020, 7:34pm

Type your comment> @derco0n said:

I’m stuck at root as well.
Learned a lot about Token’s and Privileges but I’m unable to get this one very imported file even though i have the privs i need to.
Nudges welcome. Thank you.

Nevermind, got it even i can’t read root.txt :
PS C:\Users\Administrator\Desktop> whoami
blackfield\administrator

Xan0er · June 27, 2020, 3:12am

Can someone help me on how to read the D** files?? I am stuck at this for more than two days.

icoNic · June 27, 2020, 10:07am

Rooted ! Need help ? Msg me on twitter @NeerajK85400479
or Msg me on Discord icoNic#0097

Arrexel

DocHobb · June 27, 2020, 9:15pm

I could use some help with this, I have the first user, but no creds and haven’t been able to pull anything useful from this. I’ve tried a lot with the three headed beast but struggling at the moment

r0kit · June 28, 2020, 6:25am

@DocHobb PM me.

r0kit · June 28, 2020, 6:27am

Rooted!

Probably my favorite box so far! Definitely a challenge from beginning to end which really pushed my skills. Learned a couple new tricks too! Thanks for the fantastic box @aas!

If any of you feel like you have hit a brick wall, feel free to PM me!

Xan0er · June 28, 2020, 4:47pm

Rooted this box finally!!! What a crazy ride it was…!!

I wanna give thanks to the HTB commmunity to help me solve this challenge. This was my first windows box which I rooted. Learnt tons of things from this single box only. @phantom01 thanks for being a great mentor to me and being patient with me.

And a big shoutout to @aas. Great box!!!

Luemmel · June 28, 2020, 7:30pm

Hey guys, someone online that can help me with root?
EDIT: root
NVM

kcaaj · June 28, 2020, 7:45pm

So… I just got finished with this box. What a box.
Loved every stage of it, except the part where I couldn’t read root.txt for maybe 2-3 hours.
No clue what happened there. Thought I was losing my mind.
protip: enum & more enum, then (ab)use