Official Manager Discussion

Same here. If someone can DM, I'd appreciate it.

So I have a hash and a user, but I can't seem to crack it. Can anyone give me a nudge as to whether the hash is even useful?

Just with one of the users you have access to.

Can someone DM me? I'm having trouble transferring the .zip file I found.

Is the machine working for EU servers?
I got Destination Unreachable.

Just wait for some time; people are restarting it quite a few times.

The place I found it helped me understand how I could download it.

Got user, that was fun. Very tricky rabbit hole; if I hadn't come across it I could have got user sooner. It was fairly simple!

If anyone could give me a nudge on priv esc, that would be good. Thanks!

Just pwned it right now. Big thanks to @respawn for his guidance, as always.

His advice here is golden. Especially the one about “If your commands aren’t working and you feel they should, do them faster.” Priceless advice.

My two cents:

1) User → Be careful when enumerating users and spraying passwords. Stuff like unintended uppercase can hinder your progress. Also, MSSQL allows you to do "just enough" to get to the next part. It is essential for user, but you won't be able to do much with it.

2) Root: AD all the way. Nothing extremely fancy, and everything is on HackTricks. To reduce your research time, pay attention to the json/txt file you are eventually going to get; it will enumerate a specific vuln for you, reducing the time lost tinkering with unintended ways to pwn the machine.

All in all, amazing learning experience for Windows boxes, which are my weakest suit. 10/10 gratz to the creator!


Could you please give me a hint where to start? I tried to enumerate every service, but it seems that all of them need valid creds to keep going.

Can someone PM me? I'm stuck on using a tool for privesc.

Is the foothold basically just a username enum and password spraying exercise, or am I missing something?

No password spraying, just guessing; it's an easy guess.

Are you talking about the sa account?

If you have the username from a certain tool to bruteforce, you can easily guess the password.

I'm not really sure I understand the tool you are talking about, but the one I used gave me 7 usernames.


Yes, that's kerbrute. Now guess a password for one of the usernames to get into SQL Server.


Rooted. Nice box, I enjoy a bit of AD! Owned Manager from Hack The Box!

Thanks for help and nudges @Slayfon, @hetaquoc and @0xffffff

I liked this box because I had to solve lots of errors and update my programs. And I learned new attack vectors related to user and root. I figured out that there is a program with the same version and same name but different features.
Even if you are using the correct version of mssqlclient.py, you may still be using a crippled mssqlclient.py. This may be the reason why you are stuck there, as I was. You can DM me for more info about how to check and a solution for this problem.
