Sniper

Finally made it to the end… too baffled and too disoriented to know how. I just know, I could not have done it without the help of @Chr0x6eOs and @pramos.

Once I recover I will give a hint or two…

Thanks for an amazing machine!!!

After an ungodly amount of hours trying to get root and not understanding why it wasn’t working, I was finally able to learn what my problem was due to the help of @rholas. Much thanks for your insight!!

For everyone else, make certain that you pay close attention to your code and syntax and don’t make a stupid mistake like I did. Not paying close attention to your code and what you intended can make the difference between an easy escalation and a weekend of your life gone.

If anyone is willing to PM for a discussion on how to switch users, I would really welcome it. Have not been able to get the commands to work, and I want to make sure I’m on the right path.

Edit: Nvm, got it, just needed to try harder lol

I need help with the initial foothold. Any nudges would be appreciated! PM me for details… <3

Ignore me, I’m making progress now…

I’m stuck on root privilege escalation. I think I discovered the way (malicious c**) but it doesn’t work.
Any nudges would be appreciated. PM me.

Update:
Finally I got root. Wooohooo!!

What worked for me was creating the malicious file by hand.

Really good box, very realistic.

Hint initial shell: If you find a vulnerability, but you can’t seem to exploit it, see how to do it on a Windows machine.
Hint user.txt: Enumerate and you will find creds, use those with the powerful seashell to get a shell.
Hint root.txt: Enumerate again, you will find some documentation file. Search this for vulnerabilities. Also do what the “CEO” tells you to do and you will get your reverse shell as administrator.

Looking for tips on migrating from i** to c****. Anyone up?

Of course, just as you post you get it :wink:

[Update] Got admin! I spent so much time only to find out my Windows PowerShell script to serve files on my dev box was corrupting my file when I would download it…doh!

@gr1mland said:

> Looking for tips on migrating from i** to c****. Anyone up?
>
> Of course, just as you post you get it :wink:

Did you watch Ippsec video about Arkham?

Would appreciate nudges on migration i** → C***. Have some creds and working PS but cannot get the right commands.

Please PM me.

Can I get a hint as to where I might be able to upload something as the first user? Even a one-liner that finds places a user can write would be great. Thanks in advance!

Update: never mind, I found something :slight_smile:

FINALLY got the user flag on this thing.
Wow that was hard work.

I spent so long trying to switch from user I*** to user C**** and even though I’ve got the user flag now I still don’t actually have a full shell as C**** lol I don’t understand how you guys have managed to launch one. I ended up writing my own program that impersonates the user and reads a file’s contents as them (so I could get the user flag). Trying to use this method to actually launch a new process just resulted in the new process still running as the I*** user though :confused:

I really don’t understand what’s going on. I can easily launch a new process that gets another reverse shell on a new port. Works fine. But as soon as I try to do that with alternate credentials, it seems to launch the process without error but I never get a connection back to my reverse shell listener.

EDIT: Figured out a way around it, not actually launching a new process but a new… “something” that I can connect to remotely after a bit of trickery with some ports. I’m not sure if that’s what everyone else did but I assume so.

@VbScrub said:

> FINALLY got the user flag on this thing.
> Wow that was hard work.
>
> I spent so long trying to switch from user I*** to user C**** and even though I’ve got the user flag now I still don’t actually have a full shell as C**** lol I don’t understand how you guys have managed to launch one. I ended up writing my own program that impersonates the user and reads a file’s contents as them (so I could get the user flag). Trying to use this method to actually launch a new process just resulted in the new process still running as the I*** user though :confused:
>
> I really don’t understand what’s going on. I can easily launch a new process that gets another reverse shell on a new port. Works fine. But as soon as I try to do that with alternate credentials, it seems to launch the process without error but I never get a connection back to my reverse shell listener.
>
> EDIT: Figured out a way around it, not actually launching a new process but a new… “something” that I can connect to remotely after a bit of trickery with some ports. I’m not sure if that’s what everyone else did but I assume so.

I was in the same boat, but between the batman video from ippsec and “c# - PowerShell remoting from a Windows service” (Stack Overflow) I was able to get shell from the non-user user to the other user.

Rooted this box.

Took me two days to get a shell - I way overcomplicated this!

Less than 30 minutes to escalate to user, not sure if it’s the intended way, but I’ve used this technique before. Happy to share with others.

Got root in less than ten minutes. Luckily I found a file that corresponded with the gaffer’s message, and I’ve seen this type of command execution in the MITRE ATT&CK framework.

As always, happy to give nudges if needed. PM me.

Hi all,
Can someone PM me, please? I’m currently blocked on the enumeration and I can’t find the [I/R] with all the tools used… Thank you for your help.

Edit: Phew. Finally got there. Thanks a bunch to @dreamerscoffee and @clubby789.

I really hate Windows boxes; but I took this one. Thanks to plackyhacker for the help on user. The c** file really felt like a self licking ice cream cone. Feel free to message me for help.

Finally got root!!

Thanks to @plackyhacker and @SackOfHacks for user.

Here are my 2 cents:

foothold:
As someone has stated before, if it equals something, you can always change it. Plus, Google for a different vector to launch the exploit. It’s R**, but a bit different.

user:
Enumerate the user files. With what you find, PowerShell to the rescue. Ippsec Arkham video will help.

root:
Enumerate again. Follow the boss’s directions. Google for an exploit with the specific type of file that you will find. After you figure out what to do, pay attention to what command you issue in your payload and test with a Windows box.

PM for any additional nudges.

Great box! Really learned a lot on this one for the actual execution of the different steps.

Finally got root.

User was hard, but for all the right reasons and I really enjoyed it :smile:

Root was hard for all the wrong reasons :neutral:

  1. Very unrealistic
  2. Takes 10 seconds on Google to find a pre-made script that generates a perfect payload for the file you find with no alteration or understanding required.
  3. Relies on you taking something in the boss’ note very literally. Which I didn’t… I thought it was just a bit of fluff at the end of the note, not a direct instruction, so spent hours looking for somewhere else I could put the malicious file.

But overall I still like the box because of how fun and challenging user was :slight_smile: