Official Fuse Discussion

@bigFish43 pm!

Rooted!

Thanks @egre55 for the awesome box! I really liked the story behind each step to getting root! I also want to thank @SanderZ31 and @VbScrub for giving me a nudge on the foothold which got me.

Feel free to PM if you are struggling on this one! :)

Can anyone PM me please? EPL***D*****.cpp compiling is ok, won’t execute on victim but works on my attacker Windows. Can we debug this on victim machine? Thanks.

I’m really not great at Windows enumeration. Can anyone point me at some good resources for learning how to enumerate commonly exposed Windows services?

I know I can go and watch Ippsec videos but I don’t learn through videos as well as I do through text resources.

@VbScrub said:

Finally got round to trying to get root on this and was successful fairly quickly (once I’d rewritten one of the PoC tools in VB of course). Pretty much just look at what your account is allowed to do, google it, and you’ll find some examples and code to help.

I don’t really agree with people saying that needing to use VS is a problem. The free version will do everything you need.

At the end of the day HTB exists to help you learn/practice real world hacking techniques, and if one of those techniques requires you to install a completely free piece of software on the world’s most common desktop OS, I don’t think HTB should feel like they have to avoid that.

In a real world pentest, you can’t expect your customer’s network to be tailored specifically to the OS and tools you prefer using. If you’re attacking Windows machines, I think it’s perfectly reasonable to expect you to have a Windows machine and be willing to use a free tool like VS. If you don’t like that then maybe stick to attacking the Linux boxes.

I won’t tell you I disagree, because I too think that no one should be scared to use Windows or Linux depending on the environment you are approaching.
But tbh it’s a matter of fact that here the sources simply do not compile on some platforms, and this may represent a steeper slope for someone (like me) who’s used to compiling snippets of code if needed but is not so accustomed to spending hours debugging compiler issues…

Can I ask for a gentle nudge re initial foothold?

I’ve got some usernames and workstation names from PC**, tons of useless fluff from rd.y and other i**t scripts.

Just want to confirm before resorting to remote bruteforcing passwords (which I assume isn’t needed), that you can indeed get something useful from r****t anonymously (looks like you can’t bind to L or S** without creds).

Windows boxes aren’t exactly my forte and I feel the attack surface is quite narrow, so any tiny hint on what tool or approach would work best would be appreciated. Happy to discuss what I tried so far in DM.

Edit:

Thanks for the hint SanderZ31! Indeed the cool tool missed something and my eyes missed it as well. At least I’ve got 20/20 hindsight :)

so, crack on…

Can I ask someone for some tips??? I have the .cpp file I need to compile, but for some reason I cannot make it to work. A lot of errors while compiling.

I’m using VS2019, but I’m not even sure how to compile a .cpp file to an exe, I built a solution, built new empty project/solution, but still having issues.

Any assistance would be really appreciated

Thanks!

Stuck on foothold for days now. Have found some usernames but no creds. Have read about generating a list and flags to use with rC*** but don’t know how. Would really appreciate a nudge.

EDIT: Got User! Thanks to @bmacharia and @SanderZ31

Stuck at source compiling stage. One source I found is buggy, throws different types of errors. I found another source on G***** which compiles fine but it doesn’t work on box, no errors or warnings. I have no clue, what’s going on with this. I started this box on Monday, and very desperate at the moment. Any nudge?

EDIT
Rooted!!! Bundle of thanks to @SanderZ31, @nemeth and @Botelho. It would not be possible without you guys’ help and community nudges!

I got a list of usernames but can’t figure out the creds. Would somebody give me a nudge? Thanks

@returnz said:

May sound pretty noob, but I can’t even access the user list! I’ve tried the regular enums, anon logins etc. Even the l–p search gave nothing special. A nudge would be helpful at this point…

There is another very common service that might show you some protocols, but you have to call it by its name…

I’m not able to get a foothold on this box.
I’ve got 6 usernames, no password and no idea how to proceed.
Tried various things against the 3-headed-dog and anonymous listing of all brazilian-dancers - but there was none.
I don’t know how to proceed and I’m feeling that I missed something obvious.

Please nudge me…(PM)
Thank you.

Can someone please PM how to get shell on this box… I have usernames and password, I know how it works and why so short, I know how to make it work again, can list pesky domain shares with nothing in them. Tried getting shell with imp****s tools but all are access denied. With what do I get shell here?? Please PM me any hint, thanks!

@ntroot said:

Can someone please PM how to get shell on this box… I have usernames and password, I know how it works and why so short, I know how to make it work again, can list pesky domain shares with nothing in them. Tried getting shell with imp****s tools but all are access denied. With what do I get shell here?? Please PM me any hint, thanks!

If you can connect to a share, there is a client tool which you can use to enumerate various bits of technology which relate to the box.

From here you can find some credentials which give you a more stable bit of access via Evil.

If anyone is willing to PM a nudge regarding escalation to root it would be very much appreciated. Three days of looking at the same things with no progress tell me I may be over complicating it. Many thanks!

@11o said:

If anyone is willing to PM a nudge regarding escalation to root it would be very much appreciated. Three days of looking at the same things with no progress tell me I may be over complicating it. Many thanks!

I put it off for a long time because I thought it would be super hard. It turns out it isn’t.

Enumerate your account. Google the things it can do and one of them takes you to a page talking about how you can use it to privesc. Follow the advice there. (Unlike me who misread it and spent four hours trying to work out what was going wrong)

@TazWake, thanks for the advice, I’ll give that a go. It sounds (and definitely feels) like I’m in a rabbit hole at the moment.

I need a nudge in rpc*** part.

Anybody else getting a “result was WERR_INVALID_NAME”?