Official Support Discussion

Very fun box! Shoutout to @Velosior for giving me hints to privesc. :slight_smile:

Feel free to pm me for any nudges!

Ping me on a DM for more assistance :slight_smile:

1 Like

For people having issues with evil-winrm, restart your vpn with openvpn --mssfix 1000 --config lab____.ovpn and it will work. I kind of forgot what exactly this does but it has somethign to do with packet size and fragmentation. After doing this I no longer recieved the HTTP Time out exception from evil-winrm. Note that this might slow down your connection.

Anyone able to give me a nudge? I was able to obtain the User & password, enumerated the *a service and got the second user. This one was able to access SMB, but as read-only. Can not find a way to get a shell, with psexec or the evil binary.

Sent you a pm

Help i am stuck, i did the dnspy stuff, found the user and password. did find more users with sid like su***** but now i dont see how to continue. i did not find more passwords or how to continue. no login success with evil.

Anyone knows how to solve this issue when I use the tic*** via ps*****py, there is an error message
“[-] [Errno Connection error (SUPPORT.HTB:88)] [Errno -2] Name or service not known”?

You should look at what comes across the wire when you run the command from your machine

Hello, I am trying to run the UserInfo.exe but I get a connection error. Can anyone help me?

└─# ./UserInfo.exe ./User.exe.config -v find -first a
[*] LDAP query to use: (givenName=a)
[-] Exception: Connect Error

Looking for a little nudge if people don’t mind…

I’ve used dnSpy and found the protected function with the “encrypted” password in there and a username. I’m not sure how to run that code to decrypt the password… I’ve tried it in cyberchef but frombase64 is not working and the code itself looks like it is doing some more funky stuff. TIA!

For someone that’s never came across dnspy before, could someone happen to have a good resource on how to use this tool for examining the UserInfo.exe file?

Have you tried running the program and see what comes across the wire?

Hey, yeah that wasn’t working for me before but I managed to get it to run now. So I have a long / confusing-looking password now, and a couple of usernames, but they’re not proving useful yet… I’ll keep poking around. Thanks.

Look at the structure of what you captured off the wire and remove certain leading characters and you should be fine. If you need more help just DM

anybody tell me how can i upload my two scripts on remote machine

Still battling away here with privesc… anyone able to share a nudge or a DM?

I know which vulnerability to exploit… but the tools I’m trying so far are just generating errors. I wonder if this is because the evil shell I have does not do a good job of storing imported modules in memory… I’ve tried putting all the commands into a single script, but I still get a flurry of errors generated. I have had other kind nudges suggesting that the attack ought to be possible using mostly standard windows tooling, but I’m hitting a wall trying to make things work.

Would love a nudge or DM if there is a kind soul out there… or maybe a link to some further reading on the tools that I should try using!


i was able get the creds from the user on the file and using them i enumerate all users of the box. now i think i should target a specific user but don’t know how to get his pass/hash. appreciate a nudge (:

Hi bro , I got the username and password from userinfo.exe also.But, what dose this mean “And the missing cred for my evil friend.”?

Think about the creds you got from the exe. What service can you enumerate with their creds?

I am stuck after scanning the ports, I try to connect via samba anonymously but I get an error