# Hackthebox.gr Virtual Lab (FREE)

(Ne0_) #21

Please don’t post solutions / walkthroughs.

I STRONGLY recommend everyone to read this: https://www.hackthebox.eu/en/home/rules
Especially Rule 7.

I think it’s not fair to participate in such an awesome learning experience, that is - on top of that - offered for FREE and then shit all over their rules.

(DamaneDz) #22

These kinds of rules must be written in the front page !
A hacker won’t go to the rules page and read all the rules !
anyway i deleted my video from my youtube channel and from my mediafire
Good Luck in whatever you do

(ch4p) #23

Cheers for that! ch4p here from Hack The Box.

Let me just state, that you are free to post solutions and walkthroughs on Retired machines.

We will retire one every time a new one is released to keep always 20 machines that will count for points. The retired ones will be available but not give points to solvers.

Regards to all and happy hacking!

(ch4p) #24

DamaneDz now that Popcorn is retired you can post your video.

(DamaneDz) #25

Those walkthroughs and solutions gonna be posted on your website ! or twitter !

#26

None of the above methods are working now.

“In order to generate the invite code, make a POST request to /api/invite/generate”

I used Python requests package to send POST request to
https://www.hackthebox.gr/api/invite/generate

Simple.

#27

#28

How do I escalate privilege on Windows 2012 R2 (Build 9600)?
I’m working on OPTIMUM machine and I have owned the user (which was easy)

When I try to use getsystem, I get

[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)

Also when I try hashdump , I get:

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

A hint to approach this problem would be great!

Thanks

#29

I haven’t done OPTIMUM myself, but here is two great links for Windows priv esc
http://www.fuzzysecurity.com/tutorials/16.html
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

(Ne0_) #30

Yeah, PrivEsc is a bitch on those machines.
There’s a machine that’s very similar to Optimum (in the way you get a shell) - don’t remember the name rn - but you will have even LOWER privileges than on Optimum.

I’ll just leave this here, maybe you can give me a tip on how to get system once you’ve figured it out.

#31

I read both the articles. It helped to increase my knowledge. But unfortunately didn’t solve the purpose. I’m still unable to perform Priv Esc.

Found an exploit though, but it’s not working as expected.
I’m not able to run powershell using -executionpolicy bypass rule

#32

Try with "powershell.exe -Executionpolicy bypass -Noprofile -File "path\to\script.ps1"
Or you could use iex and load the script in memory and execute, that usually works around the executionpolicy if i remember correctly…
Edit: Take a look at this: https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf
Go to the Testing Methodology section.

#33

Did the exact thing for many times… No luck whatsoever

I get no output when I run it.

#34

Try with iex and load > run from memory

#35

I just tried running PS on Optimum without problems.

I got reverse meterpreter shell.
Uploaded script straight to disk(no memory tricks)
Ran from meterpreter: Powershell_execute “Import-Module C:\Users\kostas\test\script.ps1; Invoke-XXXXX”

#36

Although I’m getting the following output and it stops:

[+] Command execution completed:
__ __ ___ ___ ___ ___ ___ ___
| V | | | | || | | |
| |_ || || . || | | | |
|
|
|
|||_| |___|___|___|

               [by b33f -> @FuzzySec]


[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[!] No valid thread handle was captured, exiting!

#37

I haven’t gotten a root shell on optimum yet.
But someone on Slack told me you have to modify the exploit, he did not say which, but im conficent it’s this one.
If anyone else has rooted optimum, please chime in.

#38

I’ve modified the exploit as needed (at least it’s the right way)

Change payload from .ps1 file so that it executes our exe to get a reverse shell as admin

#39

Use Python requests to send POST data to “/api/invite/how/to/generate” you will get the code in response.

#40

any hint on haircut after founding exposed.php