Need some help. I want to upgrade Empire shell > meterpreter.
Anybody that knows this, please give me a pm.
Got user thanks to the tips in this thread, but man getting root is not proving to be as easy as everyone else suggests it is.
I’ve found SO MANY things that should be useful (encrypted passwords, salts, IVs, secret keys, plain text passwords, base64 encoded passwords, etc etc) but nothing that’s actually useful yet.
EDIT: Got root, but did it with the potato tool everyone else mentioned. Feels a bit too easy, and I’m assuming there’s a more interesting priv esc to do with what’s running on port 21. But after finding even more useless credentials and config files, I’m still no closer to getting that.
EDIT 2: OK after reading other people’s write ups, I feel stupid for not thinking of how to exploit something to do with the port 21 service that I’d already looked at and had been thinking about. One of the other write ups also had a fairly simple technique that I should have thought of too.
Overall, quite an interesting box with a lot of rabbit holes and also a lot of different ways to get root (I’ve seen 4 so far).
I got this error:
{"Message":"An error has occurred.","ExceptionMessage":"Invalid format base64","ExceptionType":"System.Exception","StackTrace":null}
can someone help me?
I use ys*********.jar… please message for help.
Finally got this rooted, plenty of hints in here (+ strong google fu) to get this done. If you need a nudge, PM me where you’re stuck and what you’ve tried!
If anyone is having any issues generating the payload, check what version of j*** you’re running, maybe try running using a much earlier version than default.
are you guys using the j*** version of the tool or the e**?
I have been battling ys****.n** to get a working payload and nothing works! Back to the white board…
Able to use ys*******.n** to get ping to work but not getting any joy from next efforts to move a useful file over and execute for a shell. Have tracked with tcpd*** but not seeing anything to help me. Would appreciate a nudge if anyone is willing to offer one.
finally root
@igaralf said:
are you guys using the j*** version of the tool or the e**?
I have been using the e** - able to get a ping but am stuck on moving to a useful next step
C:\Windows\system32>whoami
whoami
nt authority\system
Learned a bunch from this. Very interesting machine.
@dr0ctag0n said:
@gomeznap said:
@x000 said:
@gomeznap said:
I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at? Edit: For reference, I was able to ping my local IP from the target and download a file, but not get a shell.
Try Meterpreter!
Thanks for the comment!
I tried a couple different meterpreter payloads and they never connect back to the exploit handler. Is there anything special I have to do on a Windows machine to run the executable once it’s dropped on there, or should I just be able to run it with a command like “payload.exe”?
Sometimes, especially with blind RCE like this box, it helps to create some random folder somewhere on the remote machine to save it to in order to make sure that you have correct permissions. I tried my payload several times from typical directories and it wouldn’t work until I created a new
C:\tmp
folder with a mkdir command before sending the file. I think it was preventing me from outputting into the directory, but without a shell you can’t see the errors or if the file is created. You should be able to run it by just sending the full path as a command, for example
C:\tmp\payload.exe
This worked for me, though initially I had trouble about how blind RCE is working, but once I executed commands one by one, everything got clear.
OK. This machine was ‘Hard’ for me. Had no idea about y********.n**, so had to struggle a lot. But once I executed commands one by one, got the idea on how to use the tool. Struggled for root as well, as again I had no idea about the Vegetable everyone was using. (There is one comment which clearly specifies the name of the tool; had it not been there, no chance I could have known it.) There is an IPPSEC video where he uses this Vegetable.
So my hints are:
For User:
- Observe login request carefully.
- Learn how de-serialization works.
- Draft payload carefully. As it is blind injection, it will require a lot of trials (you will not face a single error)
- Escape the characters carefully whenever required (It gave me lot of trouble)
- Make sure all your work is performed under temporary directory, so make one first
For root (Using vegetable):
Watch the IPPSEC video, you will get in-depth idea on how to use that vegetable
If I have spoiled lots of things in excitement, please remove the comments.
If anyone needs any help, PM
If anyone knows how to get root using FTP, please ping me.
Hi guys, I’m stuck on the y**… tool using the payload in a* * / a****** B******
I’m getting “Unable to cast object of type ‘System.Windows.Data.ObjectDataProvider’ to type ‘Newtonsoft.Json.Linq.JObject’.”
I’ve been using j* * * . N * * as the formatter and tried the two gadget chains that have that formatter but have been getting similar errors, not sure what I’m doing wrong, plz help thanks!
@ahsu123 said:
Hi guys, I’m stuck on the y**… tool using the payload in a* * / a****** B******
I’m getting “Unable to cast object of type ‘System.Windows.Data.ObjectDataProvider’ to type ‘Newtonsoft.Json.Linq.JObject’.”
I’ve been using j* * * . N * * as the formatter and the two gadget chains that have that formatter, not sure what I’m doing wrong, plz help thanks!
That’s normal. Ignore the error and see if your payload actually got executed.
What mode must I use in y*l.n**? I’m using the json.net formatter and the ObjectDataProvider class. I’m stuck at this moment. Must I get RCE at this stage to get the user flag? I use endpoint //tn; is it correct for the attack?
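Several posts above (the “Learn how de-serialization works” hint and the json.net / ObjectDataProvider question) come down to the same class of bug: a Json.NET consumer that lets the client’s JSON name the CLR type to instantiate. The following is an added illustration written for this thread, not code from the box or from any of the posters; the `SessionToken` model and the base64 token format are assumptions for the example. It shows the weak setting beside a hardened parser, and it also handles the malformed-base64 case that produced the “Invalid format base64” error quoted earlier, rejecting the token instead of surfacing an exception message.

```csharp
using System;
using System.Text;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Constructed model for a login/session token (assumption, not the box's class).
public class SessionToken
{
    public string User { get; set; }
    public DateTime Expires { get; set; }
}

public static class TokenHandling
{
    // Weak pattern: any TypeNameHandling other than None honours a "$type"
    // member in the JSON, so a client-controlled base64 token decides which
    // class the server constructs during deserialization.
    public static SessionToken ParseVulnerable(string base64Token)
    {
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(base64Token));
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All   // the weak setting
        };
        return JsonConvert.DeserializeObject<SessionToken>(json, settings);
    }

    // Hardened: keep TypeNameHandling at None (the Json.NET default), pin an
    // allow-list binder so a "$type" can never resolve to anything but the
    // expected model, bound the nesting depth, and validate the result.
    public static SessionToken ParseHardened(string base64Token)
    {
        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(base64Token);
        }
        catch (FormatException)
        {
            return null;   // malformed token: reject, do not echo the exception
        }

        string json = Encoding.UTF8.GetString(raw);
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None,
            SerializationBinder = new AllowListBinder(),
            MaxDepth = 8
        };

        SessionToken token;
        try
        {
            token = JsonConvert.DeserializeObject<SessionToken>(json, settings);
        }
        catch (JsonException)
        {
            return null;   // invalid JSON or disallowed type name
        }

        if (token == null || string.IsNullOrEmpty(token.User) || token.Expires < DateTime.UtcNow)
            return null;
        return token;
    }
}

// Allow-list binder: only the SessionToken model may be resolved by name.
public sealed class AllowListBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(SessionToken).FullName)
            return typeof(SessionToken);
        throw new JsonSerializationException("Type not allowed: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}
```

The point of the binder is defence in depth: even if a later change flips `TypeNameHandling` back on for some code path, a `$type` naming anything other than `SessionToken` throws instead of being instantiated. Returning `null` for bad base64 and bad JSON also keeps parser internals out of the HTTP response, which is the information the error message in this thread was leaking.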
@zelensky said:
@Isyber said:
Anyone used ys******l on Kali? If you managed a way to do that on Kali, please PM me.
Same here! I am looking for a way to construct the payload without resorting to setting up a Windows VM (is compilation required too?). Please PM if anyone knows how to do it in Kali.
Hello,
Yes, it’s possible using wine and installing mono in wine as described below:
https://askubuntu.com/questions/841847/mono-package-for-wine-is-not-installed
You must do the installation on GUI, so don’t try it in console.
Read carefully, you don’t need to install mono using apt install.
HTH
Hello, I’m having a problem getting a shell: the server gets files from my server, but in the next step I can’t run them on the server. Does anyone have any tips to get a shell? I’m talking about the user part.