Type your comment> @dvargasj said:
Hey! I’ve been stuck on the last step of root for a few days now. Can someone help me? Thanks!
The short answer is pick the right thing to target and target it properly. Ideally, you’ll update with the path to the thing you want it to run and then just start it.
Type your comment> @TazWake said:
Type your comment> @dvargasj said:
(Quote)
The short answer is pick the right thing to target and target it properly. Ideally, you’ll update with the path to the thing you want it to run and then just start it.
How do you start it if you do not have rights to do so? I get access denied using net or wmic 
Type your comment> @syn4ps said:
How do you start it if you do not have rights to do so? I get access denied using net or wmic
I have the exact same problem…
If someone could throw a nudge for the trigger part, it will be very appreciated.
@syn4ps said:
How do you start it if you do not have rights to do so? I get access denied using net or wmic
@Crafty said:
I have the exact same problem…If someone could throw a nudge for the trigger part, it will be very appreciated.
If you dont have the rights to do it, you might be in the wrong user account, the wrong service or maybe there is a problem with the tool.
First you need to find a thing you do have rights over.
Then its a registry tweak. I dont know what you are trying to do with net or wmic.
Then its start it up.
Then it should be shell dance.
Type your comment> @TazWake said:
@syn4ps said:
How do you start it if you do not have rights to do so? I get access denied using net or wmic
@Crafty said:
I have the exact same problem…If someone could throw a nudge for the trigger part, it will be very appreciated.
If you dont have the rights to do it, you might be in the wrong user account, the wrong service or maybe there is a problem with the tool.
First you need to find a thing you do have rights over.
Then its a registry tweak. I dont know what you are trying to do with net or wmic.
Then its start it up.
Then it should be shell dance.
Rooted! thank you @TazWake
EDIT: So yeah for root, after a first enumeration, try to check on which s****** you can do G*t-S*****e but this can be automated. Then, it is trial and error. There are at least 6 that allow to escalate.
I’d be happy to learn a more effective method if it exists though.
Thanks to the creator!
Hi,
Need help for initial foothold. I have the ad…n.php and see the Header error…Figured that i must bypass this with the internal IP found, try with Host param without success…Totally n00b for webstuff so if u have some tips/ressources to share in order to learn , that will be really appreciate !
Very funny way to root. For those who stuck, just reach out to me.
Really interesting so far, but struggling with root. I can get a connection back but it is unprivileged… probably because of being a **** sv*. Other than that cannot find a way to start anything. Any nudges forward would be great.
Edit: Well that was very silly. Note to self - stop permissions are not equivalent to start permissions! Thanks s1m00n.
A nice feeling after rooting this box! I’ve been weak on acl:s but this box has forced me into learning this topic at least a little bit more.
Curious to know if anyone managed to go from user to root by executing fine grained commands instead of a LOT of trial and error resulting in a painful amount of Access denied.
I spent way to many hours on root.
Anyways…
Thanks @TRX for this machine challenge 
Finally done it)) Thx to @TazWake for help and @TRX for this machine. As for me - its not so clear how to get what should be modified without a lot of noise to security and system admins.
Type your comment> @tang0 said:
I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.
Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated. Possible causes are: .... And a bunch of other stuffAny nudges? Feel free to PM, i can share what i have, in more detail.
getting the same error now… any nudges?
Can someone confirm that c****d.php is supposed to b there or is that left over from someone else?
Type your comment> @0x40404040 said:
Type your comment> @tang0 said:
I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.
Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified logon session does not exist. It may already have been terminated. Possible causes are: .... And a bunch of other stuffAny nudges? Feel free to PM, i can share what i have, in more detail.
getting the same error now… any nudges?
nvm… got user
Type your comment> @TheUndergrad said:
Can someone confirm that c****d.php is supposed to b there or is that left over from someone else?
No, it’s mine
Anyone for a nudge with root ? I try to run payload via some writable services with h***or account but my sessions (meterpreter) are always killed. Am i on the right way ?
Thanks
If anyone could give me a nudge to root it would be highly appreciated. Lost after the user flag and trying a bunch of standard windows privesc
Nice machine in general, with some annoying inconveniences.
Both user and root archs are excellent, especially the root part.
However, the root part should be doable in several ways, but I think the author blocked some of these ways to only allow the intended way, which wasted a lot of my time trying to figure out the working method to exploit this arch.
At the end, I wrote a python script that would root the box remotely, so that I can do my extended testing and properly understand what was going on.
Done and Dusted! Thanks to @TRX for a nice set of challenges. I love these types of challenges were the info is right in front of you all the time. Great to see challenges that steer you down techniques to practice / learn.
Very cool box, i enjoyed every part
For user:
For root: