So I’ve created a list of possible usernames from low port enum. Mixed them up, first initiallastname, first.last, first with each other last, first 3 of each name. Using same as creds plus the rock. No luck on G********.py. Any hints?
evil
but I still haven’t got a pass/hash
I’ve done Monteverde and Forest and feel like I should have gotten it by now.
maybe you need to find a tool to extract those without pass
usually use Ge********s.py for that…ran in bash loop with all my user combos for nada
then I guess u got the wrong combination of user naming convention… the right one is not in your list…
@TKnight said:
Rooted this (check and double check those usernames). Anyone up for me DM-ing to test my understanding of how/why the final technique works?
For the user: As already mentioned, for the user, enumerate the site in search of possible users of an AD; after that, assemble a list with possible formats of AD users and search on Google, attack on AD. Another legal tip: this machine is very similar to the Forest.
For Root: After logging into the machine with the first user, use a little enum program in Windows w **** S it will give you good information to get new information and later get root.
I have a user incl. password for an initial foothold but cannot connect.
A well-known tool keeps hitting me with a “::ReceiveTimeoutError” message.
A nudge in the right direction would be great.
If you’re trying to use the Evil tool - yeah that service seems to randomly die on this machine every now and then for some reason. Even resetting the machine doesn’t always fix it. Only workaround I found was to change my VPN to use a different region’s servers
Hi everybody, thank you very much for the hints on this forum. I am fairly new in penetration testing, and, this is my first Windows machine. Great learning material. Finally managed to get the user flag. Will continue for root tomorrow.
For the initial foothold: As others have pointed out, if you already have some creds and want to use something evil but it keeps failing, you may need to switch your vpn. I spent hours trying different tools before I stumbled upon a relevant hint, switched from AU to EU, and voila.
I’ve hit a brick wall. I have 3 sets of credentials however only User 1’s credentials are usable. User 2 has an expired password. User 3’s credentials were found by some veg but don’t work for evil deeds, I don’t know if they are invalid or if I’m using them the wrong way.
For the user: As already mentioned, for the user, enumerate the site in search of possible users of an AD; after that, assemble a list with possible formats of AD users and search on Google, attack on AD. Another legal tip: this machine is very similar to the Forest.
For Root: After logging into the machine with the first user, use a little enum program in Windows w **** S it will give you good information to get new information and later get root.
Any questions, you can call me …
@hannibal47 said:
Hi everybody, thank you very much for the hints on this forum. I am fairly new in penetration testing, and, this is my first Windows machine. Great learning material. Finally managed to get the user flag. Will continue for root tomorrow.
For the initial foothold: As others have pointed out, if you already have some creds and want to use something evil but it keeps failing, you may need to switch your vpn. I spent hours trying different tools before I stumbled upon a relevant hint, switched from AU to EU, and voila.
Hi, I am on the same page. But if it is true, what’s going on? I am using a VIP account and the behaviour of the box should be the same. @admiinistrators, something to say?
One more thing: With this evil I cannot execute any exe I upload to the box. Not sure if it is an evil problem or something expected.
I’ve hit a brick wall. I have 3 sets of credentials however only User 1’s credentials are usable. User 2 has an expired password. User 3’s credentials were found by some veg but don’t work for evil deeds, I don’t know if they are invalid or if I’m using them the wrong way.
Can anyone give me a nudge?
I just managed to get to the root (finally!). From User 1, whose credentials are usable, you will get the creds of another user that you can use for evil deeds. However, be very careful with how you pronounce their identity. Then, you can use a snake to ‘interrogate’ that user - this time, you will get even more information. Lastly, the snake is very cunning, it has the tool to accomplish the final task.
Rooted. Since the box is rated as highest CVE for user, I initially spent hours reading CVEs for every service I could find, only to have that not come into play at all. Oh well. After that, was pretty clueless where to proceed. Found @VbScrub comments in the forum and then watched his YouTube videos, which I would highly recommend to anyone who is new to AD hacking like myself. I got root with only Linux tools, so this one was very satisfying and I learned so, so much. Thanks, @egotisticalSW and @VbScrub, good stuff!
I have a user shell but priv esc is not working. I enumerated several ways and also have an option but it does not work. It has to do with generating some dollars if you know what I mean.
If anyone is experiencing clock skew problems and is using VirtualBox: basically the virtual machine syncs its clock with the host, and this causes the time to revert back within seconds once it’s been manually changed. To fix this you need to stop your VM from syncing with the host by either running
I got the user flag and found default creds for s**_ler via wAS.exe. Tried using those creds in winrm and it would just bring back an error. Can someone help?
UPDATE -
Got into user 2. Thanks @HomeSen. Stuck at finding root
I got the user flag and found default creds for s**_ler via wAS.exe. Tried using those creds in winrm and it would just bring back an error. Can someone help?
Double-check the username. AFAIK the author had a typo when storing those creds