Resolute

Finally got root on this and I’ve gotta say I really enjoyed the root priv esc. Props to the maker of the box (I’ve tried making my own boxes and it’s hard to find stuff as interesting as that without it being really obscure and impossible to find).

Big thank you to the people in this thread that gave just enough hints to get me on the right track. Someone asked for less esoteric hints, so for anyone else who’s stuck here are some tips, hopefully without spoiling:

USER
Scan ports and look at one that is a key part of Windows network user management. No credentials required to perform some queries against that. Search through the information there and you’ll find a password that won’t work for the user it’s associated with, but think about how lazy some admins can be with their default passwords. Once you have credentials that work, look at one of the higher ports for a place you can use them.

USER2
Keep looking around with your existing creds and as others have hinted, look for files/folders that are not immediately visible. It’s not in some really obscure location or anything, so don’t worry about exploring every single directory tree.

ROOT
Once you’ve got user2’s creds, look at what this user can do (which I did by going back to enumerating group membership from the source of our original creds, although others have hinted at an easier way). Now just search online for a trick that can turn this group membership into something more. There’s a great blog post that explains it all and even gives code examples, although I had to tweak their example a bit to get my code to compile (I’m a complete noob with C++, so if I can do it anyone can). Don’t get caught up chasing some other exploit related to this D** service like I did at first. Focus on the group membership rather than the service in general when searching.

Also, if multiple people are attacking this part of the box at the same time you can kind of trip over each other because it looks like the D***** command you use to get your DLL in place seems to remove previous entries and replace them with the path to yours. So if someone else does that while you’re in the middle of restarting the service to get it to pick yours up, it won’t work. So if you’re sure you have everything correct, give it a minute and try again (and maybe keep checking the status of the service to see if other people are trying to restart it).

I think I got the creds for the initial step but when I try to use them, I didn’t get what I expected. Anyone willing to give a hand? Thanks

Edit 1: nvm, i think now i really get it xd

Please can someone DM me on how to get user 2 creds, I have looked everywhere in vain. Many times I face Unauthorized Access exception.

Root this machine) Remember - revert it’s a key! Thanks a lot @kkaz

@malchikserega said:

Root this machine) Remember - revert it’s a key! Thanks a lot @kkaz

mention not bud

Spoiler Removed

Rooted using s* way, anyone willing to explain how to insert Sh*******d to the machine? Thanks

Lost after getting into m* via rct using the creds I got from enumerating. Tried a few diff metasploit modules and none of them are getting me anywhere. Dug around the rct commands and found I couldn’t run them all and none that I could make use of. Been stuck here for a few hours now. Any tips/advice anyone can give?

Edit: Figured it out, got user flag, although I’m not sure why it wasn’t working w/ metasploit modules. I was trying to get wm access using the me account as I had the creds. Ended up finding a github project for w*m that signed me in.

On root:
ss*** gets the incoming connection, successful authentication, then disconnects with nothing on nc or reverse tcp!!!

Been trying for a few hours, nothing appears to work.

Any hints?

EDIT: Just rooted! thanks @S1gh for the quick hint

Guys, stuck in a dead end it seems. I got the user names list from the victim, but not sure how to proceed further, right now trying brute forcing, not confident enough if this will work. :frowning:

I could also need a hint…Got the correct username / password and a service where I can use them…But there is nothing interesting to find…read about hidden files but I do not get it :frowning:
Maybe someone can help me :) Thanks in advance!

So I used el and ls*h and user accounts along with the juicy strings. I have been trying to use an evil script with all the accounts but can’t. Am I missing something?

I need a nudge with the wi*** cmd.

Any hints?

I got some help via discord. Wrote a bash script to try all the users. I needed to give it more time to run. Plus MSF runs faster and gave me the nudge I needed.

ROOOOOOOOOOOOOOOOOOTED man, I knew where I needed to be just about the whole time, and continually struggled with one part. Hint for myself for the future \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ ← make sure there are ENOUGH OF THESE

huge shoutout to @rholas @tunelko @angel235 for dealing with my dumb self.

Happy to pass the hints forward!

Need hint for the dll, been in x64 but in D??Plu??In****lize no shell, thanks.

EDIT: Done

Hey - I’m still nooby in some (many) areas. For this box, I’m pretty sure I know the vuln, and what needs to be done to privesc, which is to create a type of windows library file (trying to be vague here), but I don’t have the knowledge to do this. I’m guessing I need to install Visual Studio, with Desktop Development for C++ or maybe Universal Windows Platform Development? Or is there a better, easier way? I don’t really have the 22GB spare VS needs, but I’ll delete some ■■■■ if needs be. I found a blog that had a poc skeleton code, but tbh I can’t determine what programming language it’s in…doh!
Thanks in advance

I just got user and second user shortly after! No exploits or brute-forcing needed, just thorough enumeration!

Not sure if this is a spoiler, but going through the PayloadsAllTheThings windows guide will give you useful ideas. It would be nice if there was a handy transcript like this for everything…

Onto root! Feel free to PM for comments!

After about a year away, I realize I have forgotten so much! Could anyone give me a nudge in the right direction? I have got user creds but am stumped now… thank you in advance …

Edit: Got user, I was transposing the password wrong…doh…

Now stuck, trying to upload an enum script but antivirus is catching it…grrrr