Official Intelligence Discussion

I’m stuck at user. I enumerated all I could from the upload folder. I only found a user and a password, but I dunno what I can do with it.

Found user. Thanks @BlueBeard. There’s more on those documents to read.

Root : I have little knowledge about AD tools. I can see traffic, but no way to get ping back. Any hint ? I’ll try hard in wireshark to see something useful.

ok got user…that took me entirely too long! Great fun getting there, though! Thanks to the comment by @dylvie I decided to revisit the trove of docs and found what I needed. On to root!

Damn, this box is cool.
Got everything I need for user, I think, including a specific automated script.
Now, let’s find a way to use this properly to get a shell …

Hi! I’m kinda stuck at user, I think my enumeration skills are not the best…

Could someone give me a hint? I have a list of valid users, tried fuzzing with some tools and SecLists but found nothing :frowning:

Edit: nvm, just needed to check all I get and not be lazy :slight_smile:

One of the best boxes I’ve done so far. I hope it’ll get inserted into the AD Track. Several techniques, several tools, a real need to dive into Active Directory specifics that teaches you many things… All of which make that box very hard if you don’t have a lot of AD knowledge, but it’s definitely very, VERY, worth it. Thanks a lot for that box @Micah, that was well-designed and really enjoyable!

User part is divided in two steps. The first one is smart enumeration, you have all the docs you need, query them. The second part is trickier, you pretty much have to query yourself.

For the root part :

@hadrian3689 said:
> b) From there, just remember that we are dealing with AD and L**P. The rest was just intense googling based on those kinds of attacks. No shell required.

Underrated hint :lol:

What a unique box it is! For me it was actually a hard box, given my lack of knowledge of AD.

User: basic enumeration + the use of a specific tool will lead you to the first flag.
Root: As I stated before, the uniqueness of the box is that a shell is never required. Anyway, the root part is the combination of several AD techniques (hope not to spoil, but I used Impacket tools).

Thanks for the box!

Got the user hash via s**, but was wondering, can you get a proper working shell on this machine? If so, can I get a nudge for it please?

@donchan91 said:
> Got the user hash via s**, but was wondering, can you get a proper working shell on this machine? If so, can I get a nudge for it please?

I don’t believe so (at least until the very end) but this box is no shell required. But that doesn’t mean you won’t find anything useful in s*b

Just rooted this machine and I really loved it! I learned so much! There is really no shell needed here, just simple tips:

  • For user flag, enumerate everything, look into the website, the files and enumerate them, just look into the file names and you will understand, a simple Python script will solve it.

  • For root… Impacket has everything you need, use Google and be happy.

You will probably hit some time syncing problems, not much of a problem, just google about this and you will be able to root the machine with no problems

After 2 days of reading… lots of errors on commands… losing my way into AD (with bloodhound even breaking my VM) and all other dead ends that I can think of…

Evil-WinRM PS C:\Users\Administrator\Documents> whoami
intelligence\administrator

OMG… this box was a lot harder than I thought (for a medium box)… Maybe because I know only the basics of Windows pentesting (trying to improve here)… but learned a lot through several different sites, blogs, and other stuff…

The basic enumeration (find the “hidden” files) is easy… get to the user is also pretty straightforward… on the above messages in this forum you’ll find all you need… just pick the line/docs you have in front of you and follow it to the end…

But from there to 2nd user (and then root) was ALL new to me and I still don’t understand how some of the tools (site below) work… just copied some and changed the names, pass, etc. accordingly and put them to run… after several different dead ends, I finally got it… I’ll now wait for this box to go retired and see ippsec’s walkthrough to understand what I could’ve done better/different… he also explains a lot why he’s doing this or that ^^

Either way this is a very good reference, if you want to learn more about Impacket tools (it helped me a lot to understand the tools on a box like this one): http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html

Good luck :slight_smile:

> @Krose said:
> Just rooted this machine and I really loved it! I learned so much! There is really no shell needed here, just simple tips:
>
> * For user flag, enumerate everything, look into the website, the files and enumerate them, just look into the file names and you will understand, a simple Python script will solve it.
> * For root… Impacket has everything you need, use Google and be happy.
>
> You will probably hit some time syncing problems, not much of a problem, just google about this and you will be able to root the machine with no problems

Got user. Agree with what @Krose stated. Same steps led me to user. Hope root will do the same. :blush:

> @JulianoPL said:
> After 2 days of reading… lots of errors on commands… losing my way into AD (with bloodhound even breaking my VM) and all other dead ends that I can think of…
>
> Evil-WinRM PS C:\Users\Administrator\Documents> whoami
> intelligence\administrator
>
> OMG… this box was a lot harder than I thought (for a medium box)… Maybe because I know only the basics of Windows pentesting (trying to improve here)… but learned a lot through several different sites, blogs, and other stuff…
>
> The basic enumeration (find the “hidden” files) is easy… get to the user is also pretty straightforward… on the above messages in this forum you’ll find all you need… just pick the line/docs you have in front of you and follow it to the end…
>
> But from there to 2nd user (and then root) was ALL new to me and I still don’t understand how some of the tools (site below) work… just copied some and changed the names, pass, etc. accordingly and put them to run… after several different dead ends, I finally got it… I’ll now wait for this box to go retired and see ippsec’s walkthrough to understand what I could’ve done better/different… he also explains a lot why he’s doing this or that ^^
>
> Either way this is a very good reference, if you want to learn more about Impacket tools (it helped me a lot to understand the tools on a box like this one): http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
>
> Good luck :slight_smile:

I got the first user and I know the path to root… But the user I have does not have the right permissions to do it, and the t****t of s*****t user is uncrackable to the knowledge of kali wordlists. So basically I am stuck on the second user. Any hints?

That may be the first Windows box I’ve enjoyed. Just a super amount of fun and got to learn some new skills. Thanks!

EDIT: Solved it, after doing some more research on the error I saw that I missed a step. Once I executed that everything worked - rooted!

All, need some help. I’m trying to run a command going after root (near the end), but I am getting a specific authentication error message and I’m stuck on getting past it. Need a nudge on how to work around it - I’ll send the error message in a DM

I suppose there are more files besides the 2 that are easy to notice. Do I need to write my own script to find others or can I just google a way to do it? I’m not good at scripting :expressionless:

@bestrocker221 said:
> I got the first user and I know the path to root…
> But the user I have does not have the right permissions to do it, and the t****t of s*****t user is uncrackable to the knowledge of kali wordlists.
> So basically I am stuck on the second user. Any hints?

Not sure what your stars mean, but the hash you need to crack is inside what is probably the most famous wordlist, so if you can’t find it, either you have a wrong hash… or the wrong user :slight_smile:

@KingaZ said:
> I suppose there are more files besides the 2 that are easy to notice. Do I need to write my own script to find others or can I just google a way to do it? I’m not good at scripting :expressionless:

Time to learn then !
That is light scripting, it’s basically creating a wordlist that fits the filenames you have access to. There are a few caveats but if you take your time and think about it you’ll make it work :wink:

I’ve got user hash :smile:

> @dragonista said:
> (Quote)
> Time to learn then !
> That is light scripting, it’s basically creating a wordlist that fits the filenames you have access to. There are a few caveats but if you take your time and think about it you’ll make it work :wink:

I’ve got a user hash finally :slight_smile: … but for a person who has no experience with any coding language it would take ages

Rooted. Damn this was a tough box. If anyone needs a nudge, let me know. Wrote my own python script to help with yanking the “files”. Happy to share it. Thanks to the creators! This simulated a lot of real-world scenarios.

Finally got root! I ended up having to do the last step to root about 60+ times because it just wouldn’t work, wouldn’t work, wouldn’t work, it worked… with no change in command, just checking my time again and again… This box was way more frustrating than it had any right to be, to be honest, but I learned a lot about AD.

Help please :( (Clock skew too great). I have this hash: d170…d621. I used nt****te and also set set-ntp to true but I always got the same message.