Resolute

@ladygodiva said:

@viks said:

Getting this error while I try to add a dll via dns cmd, can someone help here?

DNS Server failed to reset registry property.
Status = 1722 (0x000006ba)
Command failed: RPC_S_SERVER_UNAVAILABLE 1722 0x6BA

If you get this error it means that you are not paying enough attention to the path of the share you are typing.

No it doesn’t mean that. It means the D** service is not responding to RPC requests. i.e. the service is probably not running at the moment.

At the point you run this command, the path you specify doesn’t get validated or anything like that so the only RPC service in question is the call from D**c** to the D** service. I got this error several times, then it eventually worked once other people had stopped attacking the machine, even though I changed absolutely nothing in my command.

TL;DR the service was probably in the middle of being restarted by someone else, or is just in a mess because of other people’s attacks. Wait a while and try again, or reset the machine.

Hey, my D** payload is all the time detected by the AV, or I really missed something. I can see in the logs of smb******.py that the server connects back, but it seems that my payload is never executed. Any hints?

As said before, everyone seems to want to exploit it now, the service is all the time restarted. Hard to isolate the issue.

Need a sanity check: I’m still on my way to foothold. I got the users and the password. I can see the very high port and I also know how to get in. But I tried with m**** and ml**i. It just doesn’t work.

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1

Do I still miss something? Any hints?

use evil

@DonDon69 said:

use evil

I did. And I get the above error. But it should work with one of those two users, right?
Even if I try wr* login with mas***t it doesn’t work. And yes, I used quotes on the password.

@TestUserx said:

Giving up on root for this one, the dll loads and does everything, I get a connection in m********t but it doesn’t seem to react to any input.
Tried re-doing the dll to add the user to local and domain admin, the changes take effect, albeit only for one minute, but I still can’t read the root flag. Even made a dll to copy the root flag from the admin’s desktop to the user’s desktop. Still no go.
Thanks for the help, @TazWake

Two things may be an issue here.

  1. If other users are attacking the box at the same time, you may find they are changing it while you are changing it. This created carnage for me.

  2. Make sure you are using the hostname in the commands.

Still working on connecting to w**r*, rechecked the port,
and after restarting my VM, I get this error when I try to log in:

error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header. Headers: {“Server”=>“Microsoft-HTTPAPI/2.0”, “Date”=>“****”, “Connection”=>“close”, “Content-Length”=>“0”}
Body: (404).

Error: Exiting with code 1

The strange thing is, when I use scanner/w****/w****_auth_methods it tells me that 10.10.10.169:4**** Does not appear to be a W**R* server,
while nmap tells me that it is.

Is there something wrong with my VM or something else? Can someone help me check (per PM)?

Got Root :slight_smile:

What an interesting exploit, thanks to egre55 for the box

@theonemcp said:

Is there something wrong with my VM or something else? Can someone help me check (per PM)?

I found the evil version worked well once you had credentials. There were other tools which worked better to get those credentials.

@TazWake said:

@TestUserx said:

Giving up on root for this one, the dll loads and does everything, I get a connection in m********t but it doesn’t seem to react to any input.
Tried re-doing the dll to add the user to local and domain admin, the changes take effect, albeit only for one minute, but I still can’t read the root flag. Even made a dll to copy the root flag from the admin’s desktop to the user’s desktop. Still no go.
Thanks for the help, @TazWake

Two things may be an issue here.

  1. If other users are attacking the box at the same time, you may find they are changing it while you are changing it. This created carnage for me.

  2. Make sure you are using the hostname in the commands.

I finally managed to get root yesterday after switching to another server and re-generating my openvpn profile.
Thank you for the nudges @TazWake

I am stuck, can anybody PM me some hint or where to start?
I will be happy to hear anything.
Thank you.

@sirgalahad said:

I am stuck, can anybody PM me some hint or where to start?
I will be happy to hear anything.
Thank you.

Run a tool to scan the open ports. Nmap is a good one to try.

I am stuck at the D** part, I see the server connect to my SB share in the logs. The D** is well sent but never executed. My nc is never triggered. I tried to debug, tcpdump, and with a Windows VM without AV: it works. Also when I try to upload my D** to the server with evil the length stays at 0 all the time, but it works with other files. If I try to upload nc.exe the file is suddenly deleted after two minutes. So I guess the AV is doing a great job. Any hints for a working technique without ms**om? Thx

@DonDon69 said:

I am stuck at the D** part, I see the server connect to my SB share in the logs. The D** is well sent but never executed. My nc is never triggered. I tried to debug, tcpdump, and with a Windows VM without AV: it works. Also when I try to upload my D** to the server with evil the length stays at 0 all the time, but it works with other files. If I try to upload nc.exe the file is suddenly deleted after two minutes. So I guess the AV is doing a great job. Any hints for a working technique without ms**om? Thx

Same situation here

@DonDon69 said:

I am stuck at the D** part, I see the server connect to my SB share in the logs. The D** is well sent but never executed. My nc is never triggered. I tried to debug, tcpdump, and with a Windows VM without AV: it works. Also when I try to upload my D** to the server with evil the length stays at 0 all the time, but it works with other files. If I try to upload nc.exe the file is suddenly deleted after two minutes. So I guess the AV is doing a great job. Any hints for a working technique without ms**om? Thx

@NFire0111111 said:

Same situation here

To paraphrase the hints already in this thread, create your payload (paying attention to key components such as architecture). The venom works normally.

Serve up your payload (check the paths etc).

Modify the victim - names matter. Make it call your payload, don’t try to move the payload onto the box.

Stop then start.

Things which often go wrong:

  1. Not serving up the payload correctly
  2. Not reconfiguring the victim correctly (names matter)
  3. Not restarting it properly (names still matter)
  4. Other people attacking halfway through your attack (if they update it after you, but before you restart, they get the shell)

@TazWake said:

@DonDon69 said:

I am stuck at the D** part, I see the server connect to my SB share in the logs. The D** is well sent but never executed. My nc is never triggered. I tried to debug, tcpdump, and with a Windows VM without AV: it works. Also when I try to upload my D** to the server with evil the length stays at 0 all the time, but it works with other files. If I try to upload nc.exe the file is suddenly deleted after two minutes. So I guess the AV is doing a great job. Any hints for a working technique without ms**om? Thx

@NFire0111111 said:

Same situation here

To paraphrase the hints already in this thread, create your payload (paying attention to key components such as architecture). The venom works normally.

Serve up your payload (check the paths etc).

Modify the victim - names matter. Make it call your payload, don’t try to move the payload onto the box.

Stop then start.

Things which often go wrong:

  1. Not serving up the payload correctly
  2. Not reconfiguring the victim correctly (names matter)
  3. Not restarting it properly (names still matter)
  4. Other people attacking halfway through your attack (if they update it after you, but before you restart, they get the shell)

I think I understand why it happens :smiley:

Got User. Big thanks to @TazWake. I’m still new to HTB it seems. Why I still didn’t learn to check if a door is actually closed and not just assume? … Lost a lot of time with this. But I’m learning (this time), at least I hope so :blush:

EDIT: found the password for r*** but I don’t know if it is the intended way. I found info deep down logged in c :astonished:

Rooted, all I was doing was right. Just work on it when nobody is in the box.

Rooted, nice box! Feel free to PM if you need help.

PS: You have to be very quick on typing your commands for root