Xat
Bronze II
17 days ago
Solved

Human Connection Challenge: Season 1 – Windows

After the other Human Connection Challenges, I'm now completely stuck on Machine 1 of the Human Connection Challenge: Season 1 – Windows lab.

I found the obvious hidden credentials for the:

Spoiler

IMLUser via the web

But I can't find anything on the 

Spoiler

SMBClient or RDP
SMB: I can read the 'C' share, but there are no useful files (that I can find), and I can't write anything. No other shares are readable.

RDP: Cannot log in with the IML user (not in the remote users group).

Any hints?

  • Hi Xat, I feel your pain, I got very frustrated with this one too, but it's a good example of how easy it can be to fall down several rabbit holes! I don't know how much to give away, but sometimes it pays to get 'Brutal' with all exposed services (some of the enumeration you've done might be a breadcrumb to other viable accounts too).

  • This lab! StefanApostol is obviously an evil mastermind. I think some of the level 9s I've done were easier.

    steven / Al13nz any chance for a hint on "What is the Host 2 token found in C:\Users\Administrator\Desktop\token.txt?".

    All the other machines have been solved. Just can't escalate privileges on Machine 2 😅

    • Al13nz
      Bronze II

      Xat have you got to a point where you've got a shell/meterpreter session running? If not, have a dig around some of the other sqlmap cmds that could be a useful way to get the foothold. As steven says, the exploit suggester will help you priv esc when you've got the shell up.

    • steven
      Silver I

      Xat check out the exploit suggester in metasploit and then try, try, try :)

      • Xat
        Bronze II

        You're a super star. All done! Lesson learned: I need to use metasploit more... I was hand crafting exploits.

  • Al13nz steven you guys are amazing, thanks! Rabbit hole for sure. I solved it in 2min after your hint!

  • Xat the answer is simple: imagine you know a well-known user on the system (no, it's not IMLuser, it's the other one existing on all Windows ...) and you want to try to find the password.

    The keyword for your Google search is: windows password spraying attack

    • Al13nz
      Bronze II

      Funny thing about Microsoft is they don't add lockout policies by default to certain 'Built in accounts' ;p

  • steven Any hints? Spent another fruitless hour with countless interactions with SMB/RPC/RDP.

  • KieranRowley
    Community Manager

    I'm going to leave it to the community to reply to your question, but I did not know that you could hide spoilers in this forum, so thank you for that!