Just rooted the box. I feel this is a medium box. Some tips:
user: you need to fish to get something and crack it using the cat
root: not that easy for me, find some unusual directories and look for something that may use that. this needs a lot of connecting the dots
I can perform the Python script exploit, but nothing appears with impacket or responder.
Tried multiple ways of executing with different parameters, nothing ever comes back.
Edit: I just watched a walkthrough, and read another - I've performed the exact same things - and I get no results returned. Something doesn't appear to be working.
This one root took me a while. I was thinking in regards of user execution context and spent way too much time trying to exploit the initial foothold user. This box is working just fine. For user I suggest checking your url syntax. To collect a hash you need to reference a samba style share that doesn't need to exist.
PS - Please clean up after you leave, otherwise it is confusing to people that get a foothold and are already an admin.
I have a question, although I am a newbie, but I started by deciding to scan the ports of the machine, and no matter what flag I use (-Pn, -sV, -p-, -sX, -sU, -sN, -sA), it still says that all 1000 ports of the first are closed, although apparently this is not the case, what am I doing wrong?
I am stumped here. I have identified the L**. I have used it to reveal h**********.ini, I have decrypted the Adm** hash. But the other password for the mssqlce db I cannot decrypt.
My question is how do I gain a foothold? I can't figure out how to get my reverse shell. I can't even use thunderbird and get into the mail server. I have used all three of the given names and common usernames.
May I ask how I can properly do the enumeration for the privilege escalation?
I have a session via evil-winrm but it is extremely broken.
As for winpeas, none of the versions work. They all crash at some point and kill my session. Before that they only produce broken output.
When trying to use evil-winrm's Invoke-Binary feature, I only ever get Error: Check File names. Loading ps1 scripts also kills the session.
I will try to do it manually for now, but I have always had these issues and am wondering what I am doing wrong.
A good tip here would be:
For determining the location, look up relevant CVEs for the software being used. You should quickly come across the location of interesting files.
Then for how to traverse, try to use your L** to reveal the code for the do******.php script. It should help tell you where you are in the file system.
There's one particular file from hMailServer that would be nice to get your hands on. You'll have to refer to the doc and guess a bit (I found a forum post listing the full path where it was installed since I couldn't be bothered to install it myself and see) then experiment with arguments to get it.