Monteverde

Edit: Doh. wrong button!

■■■■, that root part got me fiddling with the code for hours. After reading enough articles, I realized that you don’t need to mess with the code. You just have to know how to execute the code and how it works!

Definitely expanded my knowledge with A**** and how vulnerable it is once the account has been compromised.

Hints:
USER - think how sysadmins create a new account in a lazy way. Now use that cred somewhere. Look for creds again. Use those creds somewhere.

ROOT - Once you found who you are. Google is your friend. There’s a lot of POC in the wild. Do a lot of research.

@c0met said:
ROOT - Once you found who you are. Google is your friend. There’s a lot of POC in the wild. Do a lot of research.

Yeah this is an issue now. Since this box went live there are now a lot more scripts and tools for this specific exploit (I even made one myself). So when people say “you don’t need to modify anything in the POC” it’s potentially misleading depending on which one you’re using.

FWIW the original POC on a fairly well known blog was po******* code and definitely did need one small part changing to work on this machine.

@VbScrub There is one that is ported to v******t that doesn’t require changes. But the changes came in the form of a parameter.
So yeah, YMMV on what poc you found.

Anybody willing to give me a nudge? Not the greatest with AD stuff…I’ve found and tested creds and can login to SL but there’s no Gs.xml like people are talking about…Where can I go next?

EDIT:
Managed to get user

No idea how to get root working…every ps1 attempt is riddled with errors like:

Missing closing ‘}’ in statement block or type definition.
The string is missing the terminator: '.
The splatting operator ‘@’ cannot be used to reference variables in an expression.

Anybody willing to give me some guidance on the root process? I have all the pieces, just can’t seem to get it to work

Edit:
Got root

Ditched PS1 scripts and used the uploading of 2 files method

Got User on here by reading through the hints. I mostly got stuck on where to find the second user creds. Learnt about S*B Tooling which was nice…

nvm

thanks @TazWake for the tip about reviewing and reusing the info I had already gathered in order to get user (i legit had to walk away from my laptop for a few days when i realised how dense i’d been…).

I’m now doing the root dance trying to get a script working but my queries seem to be returning results in tabular form. So I make “$myvariable = query that thing and return this info”, the query works, but when i do $variable.thing I get:

Thing
=======
 a result i'm interested in

which is why i guess the next step in the sequence is failing because it’s reading the table heading info as well? Is there a way to query such that it just returns the values I need?

Edit - nvm… RTFM, padds, rtfm…
Edit 2 - mods, that middle section I’ve written might confuse others reading this thread; happy to delete, but didn’t want to break any rules/etiquette in doing so… let me know?

And rooted.
Once I got past the usernames thing, it wasn’t too bad a box. Lots of learning on the way from user to root
As always - anyone wants a hand, just send a PM

One of the things I learned was to walk away from the screen for an hour when you get wound up.

Rooted
Foothold: Think about lazy admins…
User: Enum…and Enum some more.
Root: Very cool exploit, shows some dangerous ways to exploit A****.

Thanks for this box.

Rooted !

Enjoyed this box.
This thread has a lot of nudges, just read.

User : very funny and easy, i like it a lot , just bash tick
Root : not so hard reading nudge there, i had no piece information which give me pain, so when you think you have found something interesting, make it useFull :wink:

Are you getting an error importing the .d*l file? I’m stuck on this part.
I’m stuck on root :frowning:

Could not load file or assembly…

I’m currently stuck on the same issue. :confused:

edit: figured it out. read the directions on the post from where you get the download carefully.

@daronwolff said:

Are you getting an error importing the .d*l file? I’m stuck on this part.
I’m stuck on root :frowning:

Could not load file or assembly…

but now I’m getting a SQL error… “…A network-related or instance-specific error occurred…”

Edit: and again, just have to slow down and read. Finally got root. Way easier than it seems, once you slow down.

is BK**EY relevant ?

Rooted, thank you @egre55 for making this box.
That was fun indeed :smiley:
Enumeration ftw!

Guys, I’m having this issue:

add-type -path "C:\...\**.d*l ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-Type], BadImageFormatException
    + FullyQualifiedErrorId : System.BadImageFormatException,Microsoft.PowerShell.Commands.AddTypeCommand

I’ve even checked with a friend and we have a similar POC and it works for him but not for me.

I’ve tried:

  • Creating the file using echo $something > myscript.p*1
  • Using p*****ell to download the p1 file
  • Running p******ell v1.0
  • Restarted the machine
  • Switched to different connection server

but no successful results.

I know that my code is correct, the problem comes in the line add-type -path

Any suggestion?

Sent you a pm.

There’s a separate PoC that utilizes two files, that worked much better for me.

Thanks a lot man!
I was very close but I really needed a hint!

Rooted!

Can someone PM me for help with root? I can explain what i have done. (Yes i read these forums, windows boxes are my weakness). Thanks!