Official Support Discussion

Look up how you can enumerate usernames from a specific SMB share. You can use a tool called CrackMapExec to do that. You can get RID of the UserInfo file if you got a password from it, because it is no longer necessary.

1 Like

Even if you have creds and can use them on rpc*****, not all accounts allow login via other means (e.g. evil-winrm). rpc**** is useful for gathering some info but in this case did not get me the info I needed to proceed further .

Somebody can give me a Hint?
I think I have the password? starts with nv********…?
than I thought the username is support but since evil-winrm or **a* is not working I guess one of these things is wrong?

Can i dm you? I am one step towards getting root access but it just keep loading without result. If i can dm that would be great

I don’t really get how these mashines get rated “easy”.

I have a valid username and password now, however too low privileged to do (execute) anything.

Do I have to use that user to do horizontal privesc?

user flag:

  • scan for ports, identify interesting services for windows hosts
  • there are things shared to the public, there is something very interesting
  • revert what’s already built
  • revert the build logic
  • you should be able to access a forest now, there must be a leaf that’s useful
  • you should be able to login to the domain now using the named user of this challenge

root flag:

  • take your dog for a walk, knowing your group and your privileges
  • do some google search aimed for AD, resource-based, obj takeover
  • follow the guide until a point that you need a tool for windows, but you have equivalent methods in linux

You can just DM me, you don’t have to ask.

The username of the user you found should be a good hint on what to look at next.

I’m having trouble leveraging the reversed credentials into taking over/finding useful info on the s* account. I can take a look around and even get myself a ticket for the first acct, but all attacks (everything impacket and cme) using it seem to fail. Am I headed in the wrong direction?

I have found some interesting strings in UserInfo.exe but I dont know what to do next, any guidance would be much appreciated.

thanks a lot ! my first enumaration was not complete ! didn’t have 445… I was surprised but I thought it was a choice from the author…

:fire: :package: thank you

I have username. Which password list have to use for bruteforce? Any Idea?

Got Username but no idea if I need to brute-force to get password or I need to enumerate more to get password. Can anyone give any hints what I should be doing next

Why cant we download tye ovpn file and for those who already downloaded it we cant play the machine? Under maintenance?

it’s not on release arena anymore, just use your lab vpn :smile:

1 Like

Have username but no password… anyone willing to DM a hint?

you forgot a step between using bloodhound and logging in. How do you recover the second password is the question. :slight_smile:

Hello everyone,

I’m stuck right now … !
I used nmap to scan the machine … I get many port open …
From the scan result, I start looking to these services.
The interesting one is the share: //ip_address/su*********
I found many files and got the interesting one !
Using dnSpy, i disassemble the file and got A key (ar****) and an encrypted password (0Nv32PT****).
I used the function getpassword() to decrypt the password (final result= nvEfEK1********).

I’m i missing some thing or i’m i decrypting incorrectly the password ?

PLZ some Hints !
Thnx :slightly_smiling_face:

Hello ghosty ! You’re on the right way ! Did you try to connect to a service with it ? Normally there are other clues in the files you got.

1 Like