Sniper

Rooted !

Initial Shell and User are ■■■■ for me :’)
Root is pretty straightforward if you do what your boss says

Thx @0xdf and @sabebarker for enumerating ideas. @Wtfitsaduck for pointing out why my exploit didn’t work although it should be working.

I’ve learned a lot from this.

Special Thanks to @MinatoTW & @felamos for creating the machine!

Hints on forum are enough to own the Box

Hardest in medium boxes for me


After such frustratingly long failed attempts, finally owned the sniper machine :smiley:

Really enjoyed doing this one, definitely got more comfortable with the Windows environment now !!!

My two cents: A lot of failed attempts were just because of my resistance to switching environment from Kali to Windows, but eventually when I did it, everything became much simpler.

As always happy to extend a helping hand to those in need :slight_smile:

Can anyone assist me with the initial foothold? I believe I know what to exploit and how, but can’t seem to quite get a shell.

Hi, I’m completely new to these CTFs, can anyone give a hand so I can solve this challenge? I’m at LFI foothold and stuck here for one day.

Hi tupi,

Welcome to HTB.

It’s been a while since I completed this one but you essentially have to make a listener on your device, then using the LFI you found get the page to call a script to progress you further.

I struggled here for a while but if I could give you a hint, don’t use an HTTP or HTTPS listener. Instead think of other protocols that allow file access.

I also distinctly remember that only 1 script seemed to work and I had to Google a lot to find one that worked.

This one had me stuck for a bit, finally got it though.

User: Google RFI, exhaust all possible options for pulling this off. How can you check it’s working? Once you have it working, what’s the next step?

Root: you’ll find an interesting file. Keep enumerating until you find another. Don’t blindly copy what’s on the internet. Think about what it’s doing… might be simpler than you imagine.

I’m still stuck with changing to chcontext, can’t get interactive shell to run p***l to do that. Any help ?

@tupi said:
I’m still stuck with changing to chcontext, can’t get interactive shell to run p***l to do that. Any help ?

Have web shell but it’s not good for the purpose.

Has anyone used Nis***g for root? It worked for me to get a shell on my local vm, but putting the file on sniper doesn’t give me a shell back :confused:

@VbScrub said:

@pipi said:

(Quote)
When you say it gets clobbered, do you mean the file disappears when you drop it into that directory the boss mentioned? That’s fine, that is what is meant to happen. Again not very intuitive or realistic, but I guess it is meant to simulate the boss collecting the file. So yeah, if you have your C** file set up correctly, drop it in there, wait for it to disappear, then a few seconds later your payload should be executed (it did take about 10 or 15 seconds if I remember rightly and I thought maybe it hadn’t worked)

That’s what I did and nothing happens :confused: Locally it works perfectly though

EDIT: never mind, it was the AV :confused:
EDIT: rooted

Hello,

Just got user.
Can someone explain to me why privesc from initial webshell to admin using a juicy vegetable fails ?
Thought that SeImpersonate privilege was 100% successful, and I should be wrong…

Need some help please. Have webshell for days. every rev shell i try fails. privesc to next user fails. i have RCE but nothing is landing. my eyeballs hurt from reading…anyone willing to pm and i can share what i tried, maybe get some guidance? thank you

edit: thank you everyone who sent me a message. @slyf0xDD you were a major help. looks like i was on the right track but missing crucial parameters for this type of situation.
on to root.

Rooted, Thanks everyone for the help.

@BINtendo said:

Need some help please. Have webshell for days. every rev shell i try fails. privesc to next user fails. i have RCE but nothing is landing. my eyeballs hurt from reading…anyone willing to pm and i can share what i tried, maybe get some guidance? thank you

edit: thank you everyone who sent me a message. @slyf0xDD you were a major help. looks like i was on the right track but missing crucial parameters for this type of situation.
on to root.

Any chance someone could send me a hint for this too? I’m stuck in the exact same place!

Finally rooted.

Nice machine.

The foothold is pretty straightforward. Click everywhere on the webpage, you gonna find something pretty crunchy !

For user, think real life scenario.

For root, Follow the story dude ! Everything is clear and explained !

Nice job to the creator, enjoyed this VM even if it was hard for the root part.
Learned new tools and new techniques.

stuck on root. i’m able to compile and drop the c** file in the correct spot. think my payloads are failing. I’ve made manual ones, listed ones, ones generated from scripts…i’m not sure why it’s not firing. I even tried the payload that gives me the shell for user C****. nothing. could use some help. thank you

finally

PS C:\users\Administrator\Desktop> ls
ls

    Directory: C:\users\Administrator\Desktop

Mode                LastWriteTime         Length Name
-a----        4/11/2019   8:13 AM             32 root.txt

Root.
Not so hard but need some time to think.

Rooted :slight_smile:

Very nice approach, frustrating at some point if you don’t know what you’re doing.
Feel free to PM

@juanpablito said:

Hello,

Just got user.
Can someone explain to me why privesc from initial webshell to admin using a juicy vegetable fails ?
Thought that SeImpersonate privilege was 100% successful, and I should be wrong…

Depends what error message you are actually seeing. But if I remember rightly I think the juicy veg was blocked on this machine (either AV detects it, or the maker of the box added a software restriction policy to block the hash of that file). But I think it tells you that in the error message. If you’re seeing the tool actually start to run but then fail, it could just be that you were using an invalid CLSID with the veg. I’ve had to try like 4 or 5 different ones before getting it to work on some other machines.

Done & Dusted! Kudos to @MinatoTW & @felamos for a fun and challenging box.