Official Scrambled Discussion

Official discussion thread for Scrambled. Please do not post any spoilers or big hints.

It was over 6 months ago that I made this machine but hope you guys enjoy :+1: I won’t be giving out any hints, but if you think you’ve found unintended paths or just want to discuss any part of it after you’ve completed it then feel free to send me a message.

3 Likes

Any nudge? I found something to interact with but can’t figure out what it accepts.

Did you ever figure out how to interact with that thing?

If you’re getting stuck like I am, the author has a great YouTube channel going over how certain protocols work.

3 Likes

I miss the clue. No clear path ahead.

I found something on that service, got lucky after trying a bunch of random commands I guess. Not sure what to do with the output. Try fuzzing commands with a little script. (There may be a non-alpha character in the command too.)

Can’t figure out how to interact with that thing :skull_and_crossbones:

If you’re still trying to get the user flag then don’t worry about that yet :slight_smile:

3 Likes

Just rooted. This was a fun box. It’s always fun to learn new wrinkles in tools/techniques when certain situations break them.

1 Like

Just finished the box! Very interesting for my first Windows box. Had a lot of trouble just getting my tools to work :clown_face: :woman_facepalming:.

1 Like

I need help on this one,

I can’t figure out how to get going. So far I’ve got:

  • Open port for salesorder app.
  • Database running ms-sql.
  • NTLM disabled.
  • Use debug on tools.

I just can’t glue it together on how to get my foothold.

You can follow that famous enormous AD pen testing Mind-Map, it took me a little further in the foothold.

Any tip for that enormous AD Mind-Map? :smiley: I found some, but I’ve already done most of the things against those AD protocols.

Hello, any nudge for this machine?
I have the k******* user but I can’t find the password and I’m stuck.

Looks like there is a way to reset it but I don’t see an SMTP server if a mail is required. I also tried some basic SMB, LDAP, Kerberos (asrep, looking for SPN etc…) enum but nothing relevant…

foothold:

  • web enum reveals a user, guess what the user uses as pass,
  • what did the lucky child receive to visit charlie’s chocolate factory? you may be able to use it to sneak in via a special service as well (though i think this part is very hidden)

pe:

  • find a doc and a clause, find a storage with all the goodies,
  • some technique used from the previous machine could help here as well.
  • remember the interesting port that runs a service app? you should try to find what’s running behind it since you are inside now.
  • i know most people would be tired by now, but try harder, there is still more dirty work to do. skin the application to its bone and understand how each blood vein is connected
  • a popular attack on java objects can be helpful, yet in a different language

1 Like

I think I’m getting it. I already got the user’s flag, I believe it’s something in that crazy door and I’ll have to look in that app inside IT

  • web enum reveals a user, guess what the user uses as pass,
  • what did the lucky child receive to visit charlie’s chocolate factory? you may be able to use it to sneak in via a special service as well (though i think this part is very hidden)

There’s no guessing required and that part you said was very hidden is very strongly hinted at if you explore and read everything you find :slight_smile:

Finally rooted. Nice machine @VbScrub, thank you :smiley:

1 Like

Hello, I’m stuck and my head hurts. I’m kind of a n00b regarding Windows, please help me.
I’ve got the first 2 passwords but I really have no clue how to get a foothold onto the machine (tried every impacket example). I’ve watched the video and it seems I’m missing 2 elements to be able to fabricate what the lucky child received (as stated by meowmeowattack). I’m really trying not to give up any details aside from what has already been discussed (and thank you for that). I mean I’m desperate for a shell or anything. I’ve done the THM series on Windows prior to that but each time they gave credentials and commands are made from within the machine… Tried RDP and to configure Kerberos and maybe I did not go far enough (I’m able to get a ticket with kinit tho).
I just need a finger pointing me in the right direction I guess, I’ve more than 100 tabs open right now for research purposes… :x