Official Reel2 Discussion

root access is p0ssible.

thx for help, @TazWake

Can someone please give a me a small nudge, I am having problem getting admin access to the high port site. Thanks.

Whooh! This machine! Windows machines really get me; the behavior of Out-Default is really new to me. And finally rooted… I need more practice on Windows machines… because for me this machine is indeed hard, but maybe it is easy for anyone out there… I really learned a lot from this machine, thanks @cube0x0 for the machine!

I think I’m stuck and need a little nudge… Found a site, got myself admin, sent messages to all users but nothing’s being read/followed. Even logged in as all users, but can’t find anything. From the hints I gather there’s some user simulation going on, but I fail to trigger it. Source code doesn’t show any (other, useful) vulnerabilities like LFI, stored XSS, SQLi, RCE…

If mail is simulated, then I guess I just don’t have a clue how to get creds to be able to send mail…

@serkoon42 said:

I think I’m stuck and need a little nudge… Found a site, got myself admin, sent messages to all users but nothing’s being read/followed. Even logged in as all users, but can’t find anything. From the hints I gather there’s some user simulation going on, but I fail to trigger it. Source code doesn’t show any (other, useful) vulnerabilities like LFI, stored XSS, SQLi, RCE…

If mail is simulated, then I guess I just don’t have a clue how to get creds to be able to send mail…

A targeted password spray might help. You’ve got a list of potential targets and probably a couple of ideas for what a password might look like. There are tools which automate this really well.

Is the PowerShell session supposed to be extremely slow? Like… 1 command every 5 minutes and 5 minutes just to connect? Or should I reset or troubleshoot something on my side?

I have no clue for the initial foothold; any nudges would be appreciated.

@blackaugust said:

I have no clue for the initial foothold; any nudges would be appreciated.

It really depends where you are. This is a hard box, so there is an expectation that it will need multiple exploits and tweaks to existing code/software to progress.

For the initial foothold, enumeration is genuinely the key (it always is, so I appreciate this is often unhelpful).

Find all the services running. Log in to one. Gather as much information as you can use this to spray a different service. Get the creds. Log in. Use that - and the box name - to develop the next stage of attack. Attack every user. Get something useful. Crack it. Use it to get a session. In that session work out what the restrictions are, bypass them. Enumerate a lot more. Get loot. Use loot.

This was a great machine and kudos to @cube0x0 for creating an interesting challenge. I have definitely learned a lot by doing this machine and also made a point of doing it 100% from Linux using PowerShell, which once I got past a small hurdle was a really good experience.

If anyone is stuck DM me and happy to help.

I am having issues getting a response from friends over the *** service. Tried different r********r configurations, curated a pretty long list of addresses, the bait works when I test it on myself but no one is falling for it so far.

I know other have experienced similar issues but I’d appreciate some help troubleshooting my setup, if someone didn’t mind giving me a nudge?

TIA

Edit: nevermind, needed more enumeration

I have p**** s**l execution on the target, although extremely limited. I tried executing a widely available enumeration script on the target. It executes successfully, although with a lot of errors. I checked how it obtained some basic information about the system, and it does not use any bizarre techniques (native modules, as one would expect).

However, when I try to replicate that same section manually, I get errors. Has anyone experienced similar issues?

TIA

I already obtained the Reel2 user flag and when I submit it, the machine tells me that the hash is incorrect. What is this problem?
Can anyone help me please…

@KarimReda said:

I already obtained the Reel2 user flag and when I submit it, the machine tells me that the hash is incorrect. What is this problem?
Can anyone help me please…

Possibly an issue with the dynamic hashes. They should be changed when the box is reset but it doesn’t always work.

You might be best getting in touch with HTB over Jira, explaining what the problem is and seeing if they can fix it. You may need to re-pwn the box to get the new flags though.

Hey Guys… I have gotten into some kinda social media blog where there’s bunch of users… found a hint about the weather… maybe it has something to do with passwords… is bruteforcing the way to go… can anyone gimme a sanity check… should I bruteforce o** or something else

@Shad0wQu35t said:

Hey Guys… I have gotten into some kinda social media blog where there’s bunch of users… found a hint about the weather… maybe it has something to do with passwords… is bruteforcing the way to go… can anyone gimme a sanity check… should I bruteforce o** or something else

A targeted password spray could be very effective.

Hi guys, can I PM anyone for a sanity check… I think I am lacking a specific user… I have got a bunch of usernames and generated passwords… can anyone help identify what I am missing?

@Shad0wQu35t said:

Hi guys, can I PM anyone for a sanity check… I think I am lacking a specific user… I have got a bunch of usernames and generated passwords… can anyone help identify what I am missing?

The structure of the names and passwords matters.

It's also worth using a tool designed for the thing you are targeting.

OK so far I've tried not to follow the various hints that are currently being given but to try first what I think might be the 'reasonable' exploit (line 26 in that same file that the error is giving us, plus the "cleaning" method in the same file).

In addition, I've tried sending, just like @TazWake mentioned, a URL with the phrases/words I do believe are relevant for all users (brrrrrrrrrrrrrr).

Other than that, I'm currently trying to see another path.

Is the 1st vector I've mentioned the way here? Or the "spraying"?

Little by little… after a whole week… user and then root.
Thank you for the ride @cube0x0, I learnt a lot (again) :wink:
Pm me if needed !

Got user. Took probably longer than it should have. Spent more time social networking than I probably should have. Tried to do some enumeration for privesc but a break is much needed. I assume it's something with the files of the current user.