Resolute

Do you guys have an enumeration script you like to run on windows… like LinEnum.sh??

Resolute

Somewhat real-life and an interesting privesc. Overall it was a pretty fun box :]

User-1

  • Enumeration skills needed. Think about what protocol may give you more juicy information.
  • Then, look for a port that you can get a shell from. Try to look for every port.

User-2

  • You need to spot a juicier user among many. (I used BH to quickly review them)
  • Enum deeper to look for sensitive data (The idea is a bit similar to User-1 path)
  • Then, get a shell under the context of this user.

Root

  • You will enjoy the ride for this privesc.
  • Again, if you ran the BH, you should already know why the User-2 is juicy.
  • Just Google about who he is and the related exploit.
  • Exploitation is not that hard. Couldn’t find the blog post that has the exact steps, but there is a really good one that would be enough for you to follow along to escalate your privilege. (I can def point you to this if needed)

Happy to assist any mates. PM me :]

Got root.
That was fun :D!

Big thank you to @egre55 for making this box 🙂

I completed root the easy way but thought that was cheating so I went back and did it the proper way which was a good learning curve. 😃

Happy Hacking everyone and also a big thank you to everyone that gave me nudges for the Proper way (I’m a noob learning the ropes) 😃

@t4l0 said:

Finally got it! Root was really hard for me (I’m not a Windows guy ;)). But I have to admit that once you got all the pieces together, it’s pretty straightforward.

Fun Box! Thanks.

For me, it wasn’t like easy or hard. I relied more on thinking how I found the user2 password and how that (avoiding spoilers hopefully) was generated. If he can do that, he might have high privileges on the system so I could try and access the system in a different way but relying on what the user last did; or so was my thought process.

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

I need a small nudge for user2. I have not managed to run any enum scripts as it gets picked up by the AV.

Got it. Big thanks to @jaccostraathof with getting root!
Machine got a medium rank probably because of privilege escalation.
Now for some hints:
User1: Run your scripts, really. Even those for enum on Linux and then you will see things that you shouldn’t see (at least according to sysadmins).
User2: “If you want to keep a secret, you must also hide it from yourself.”
Root: See who you are, learn from it and google it.

I got root via both methods… but I am confused on how the ms** module worked.
Can somebody help me understand how that module works by just using user2’s creds?
Thanks

@up2nogood said:

How are you guys running bloodhound on this? It keeps kicking mine out saying malicious script.

There’s a remote python version you can use.

I also just rooted this box using the more difficult way people were talking about. If you’d like some hints, feel free to DM me!

Hey guys, I’m facing an issue stopping and starting the service.
Used s* stop d** which shows stop pending, and when I view the state again it shows running without me starting the service.
I’m not so good with Windows and I’m stuck with getting the root only because of this.
Had success with transferring the d** file to Windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what I’m doing wrong here.
Can someone please help me out? Stuck for 2 days on this.

@prahar said:

Hey guys, I’m facing an issue stopping and starting the service.
Used s* stop d** which shows stop pending, and when I view the state again it shows running without me starting the service.
I’m not so good with Windows and I’m stuck with getting the root only because of this.
Had success with transferring the d** file to Windows but got stuck as stated above.
I’ve read the comments and nobody seems to have this issue, makes me wonder what I’m doing wrong here.
Can someone please help me out? Stuck for 2 days on this.

Remember that sc.exe and sc are two different things 😉

However, rooted thanks to @scipher

@nardin thanks for the reply buddy
but neither of them worked for me
And when I used sc.exe it would show the state as follows -
STATE : 3 STOP_PENDING
and after a few seconds the state will revert to running
It is basically not allowing me to stop the service as r**n user

@prahar said:

@nardin thanks for the reply buddy
but neither of them worked for me
And when I used sc.exe it would show the state as follows -
STATE : 3 STOP_PENDING
and after a few seconds the state will revert to running
It is basically not allowing me to stop the service as r**n user

Full path to sc.exe is important too - but by the looks of it that is not your issue.
Could be others starting and stopping it at the same time as you (guessing)
There is also a query option you can run that shows you what state it is in.

Root - I can’t figure out why my lisr isn’t working after my D in**. I’ve done a start and stop and I can’t seem to obtain the escalation. Any nudge would be appreciated!
PM me and I can show you all the commands I’ve run.

Thanks!

Finally rooted! 😃

This is my first windows box, so lots to learn, however once the knowledge/tools were acquired, the box itself is not too complicated.

This is really all enumeration.

Root took me a while to get working correctly, mainly because I was doing i******t wrong.

I (think) I did it the manual way. I wasn’t able to find the correct MSt module. Would someone who used it mind letting me know which one it is?

Woohoo! rooted in 2 hrs 22 minutes! That is my fastest one yet! Great box

I’m stumped with root and could do with a nudge, I’m sure I need to somehow craft a dll that a service can read. I’ve found a walkthrough of the idea that modifies mb but I’m struggling to even get to a point where I can build the dll in Visual Studio. I’m struggling to work out where I can get some of the .h files that are required to build mb

Pm if you need a nudge

Finally rooted my first windows box! Really cool privesc to system.
Thanks to @toroflux for getting me on the right trail.