Official Buff Discussion

@adidibra said:

I did not mention the number of PoCs. I have tested all of those found in the public DB. I do not think there is another way to privesc.

Sorry, when you said “neither” I read that meaning two.

There is a public POC which allows privesc.

Anyone else not seeing the thing running on its designated port? I have reset the box multiple times already.

c:\Users\Administrator\Desktop>hostname && whoami
hostname && whoami
BUFF
buff\administrator

Nice to do an easy box after spending time in ProLabs. Thanks @egotisticalSW for a fun machine.

Hi all! I am confused about how to go about gaining root access. I already own user sh**n but have no idea about elevating privileges. I’m a hardcore novice; I need a hint please.

OK, managed to get a meterpreter via a PHP payload. Problem is that binaries are getting snacked away before they can develop their flavour :wink:

Make sure to use the latest version of the 64-bit PLINK.exe … I was trying so hard for the last 3 days and ended up with nothing, just because of PLINK.exe.

Is nc supposed to be on this box? It was yesterday… now… gone…

@cnmprfx said:

Is nc supposed to be on this box? It was yesterday… now… gone…

That’s a strong indicator that someone put it there and it went after a reboot. Also, nc is pretty rare on Windows boxes.

@TazWake

Got it… oh well… it was good while it lasted… time to find a new way to get a good shell going.

Can I get a nudge on root? I’ve got a reverse PowerShell and nabbed the user just fine. I’m now attempting to get root but I’ve been going for 6 hrs and hitting a wall. I’ve got plink on the box and a reverse tunnel set up fine… is my next step to run some python scripts for buff-over-flow against the cloud product? I’ve run both but don’t get any output, so I think I’m doing something wrong. I feel like I’m so close… maybe :neutral:

ROOTED it!

@NetSecMeh, I feel your pain. I came across two exploit scripts. Turns out I needed the version level of the one and the methodology from the other. And for the methodology I used, I needed to keep it simple.

Rooted! Thanks to @TazWake for taking a look over my methodology and confirming that I was on the right track for root.

User is very easy if you have some experience. For root, I had to learn some new tricks. The thread here already contains all necessary info, I honestly don’t know what tips I could add that aren’t in here yet. For both root and user you can use publicly available exploits. Just make sure you understand what they are doing. Unfortunately, for me root was a bit hit & miss… In the end it just worked, but I ultimately don’t know why my first few tries didn’t work out and even after having rooted the machine, I can’t replicate the attack with 100% success rate.

I rooted this about a week ago and just had the chance to write some code to make it easier to root. If someone is stuck at root, please reach out. I’d love to beta test my code.

@NetSecMeh said:

Can I get a nudge on root? I’ve got a reverse PowerShell and nabbed the user just fine. I’m now attempting to get root but I’ve been going for 6 hrs and hitting a wall. I’ve got plink on the box and a reverse tunnel set up fine… is my next step to run some python scripts for buff-over-flow against the cloud product? I’ve run both but don’t get any output, so I think I’m doing something wrong. I feel like I’m so close… maybe :neutral:

You are close. I put print("worked so far 1") and incremented it within the python script to see where it fails, might help you.

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

@squirrelpizza said:

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

You can upload it.

Finally rooted. Want to give some help for those who are stuck. Feel free to message me, I won’t give spoilers.

User: Start small with simple enumeration; it’s an easy box, so nothing fancy. Look for information given to you. How can that info be exploited?

Root: Now you can move around the box, move any tools you need to use onto the box. Get yourself a better shell. Do some priv esc enumeration. Check common places on the machine for interesting things. Do some more enumerating. Once things are set up correctly, find how to exploit.

derhund88 saved me with what he said above. Make sure the tool you use is 64-bit!!! I used *****.exe that came with my VM from /windows-binaries and I was stuck on the box for a couple of days just because of it. Download the latest 64-bit version and use that.

Feel free to respect if I’m able to help!
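Several posts above lost days to a 32-bit binary where a 64-bit one was needed. The following is an added example (not code from the thread or from any of the posters) of how to check a Windows executable's bitness before uploading it: it parses the PE header and reads the IMAGE_FILE_HEADER.Machine field, so a 32-bit tool is caught on the attacker side instead of failing silently on the target. The sample headers are constructed inline and are not real executables; the file path in the usage line is a placeholder.

```python
"""Tell a 32-bit PE from a 64-bit one by reading its headers (added example)."""
import platform
import struct

# IMAGE_FILE_HEADER.Machine values (from the PE/COFF specification)
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM (32-bit)",
    0xAA64: "ARM64",
}


def pe_machine(data):
    """Return the Machine field of a PE image, or raise ValueError if it is not a PE."""
    # DOS header: 'MZ' at offset 0, e_lfanew (offset of the PE header) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    # PE header: 'PE\0\0' signature, then IMAGE_FILE_HEADER whose first field is Machine
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    return struct.unpack_from("<H", data, pe_off + 4)[0]


def describe(data):
    """Human-readable architecture of the image."""
    machine = pe_machine(data)
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04x}")


def is_64bit(data):
    """True only for an x64 image (the case the thread cares about)."""
    return pe_machine(data) == 0x8664


def host_is_64bit():
    """Bitness of the machine this script runs on (informational; not asserted)."""
    return platform.machine().lower() in ("amd64", "x86_64", "arm64", "aarch64")


def check_file(path):
    """Read enough of the file to cover the headers and describe it."""
    with open(path, "rb") as f:
        # DOS stub + PE header normally sit within the first few hundred bytes
        return describe(f.read(4096))


def _fake_pe(machine, pe_off=0x80):
    """Constructed minimal header (not runnable code) to demonstrate the parser."""
    hdr = bytearray(pe_off + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 4, machine)
    return bytes(hdr)


SAMPLE_X86 = _fake_pe(0x014C)   # constructed: what a 32-bit tool's header looks like
SAMPLE_X64 = _fake_pe(0x8664)   # constructed: what a 64-bit tool's header looks like


if __name__ == "__main__":
    print("sample x86 ->", describe(SAMPLE_X86))
    print("sample x64 ->", describe(SAMPLE_X64))
    # Real usage (placeholder path): print(check_file("plink.exe"))
```

Run `check_file` on the binary before pushing it to the box; if it reports x86 and the target is x64, fetch the 64-bit build instead. The parser deliberately raises on anything without the MZ/PE signatures so a truncated download is reported rather than misclassified.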

Tip for those stuck on root that think they’re doing everything correctly: watch in wireshark to make sure stuff is getting sent as it should, and then just wait longer than you think you need to. I kept thinking it wasn’t working, but I just wasn’t waiting long enough. I would have rooted this box in a couple of hours if I would have just been patient. Instead I spent way longer, haha.
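Two debugging tips recur in this thread: drop numbered checkpoint prints into the exploit script to see where it dies, and confirm the bytes actually leave your machine (Wireshark, or a local listener) before blaming the target, then wait. The block below is an added example, not code from the thread or from any poster, that wires both tips into a generic stack-overflow sender. Every number in it (offset, return address, buffer size, port) is a hypothetical placeholder, not a value for this box, and the "target" is a constructed local listener that records what it receives so the flow can be exercised offline.

```python
"""Checkpoint-instrumented overflow sender with a local recording target (added example)."""
import socket
import struct
import threading

_CHECKPOINT = 0


def checkpoint(msg):
    """Numbered progress marker, in the style suggested earlier in the thread."""
    global _CHECKPOINT
    _CHECKPOINT += 1
    print(f"worked so far {_CHECKPOINT}: {msg}")


def port_open(host, port, timeout=3.0):
    """Is the (possibly forwarded) port reachable? Returns True/False rather than raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_payload(offset, ret_addr, shellcode, total=2000):
    """Generic layout: junk | return address | NOP sled | shellcode | padding.
    offset/ret_addr/total are hypothetical placeholders; replace with your own."""
    body = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * 16 + shellcode
    if len(body) > total:
        raise ValueError(f"payload is {len(body)} bytes, larger than the {total}-byte buffer")
    return body + b"C" * (total - len(body))


def send_payload(host, port, payload, timeout=5.0):
    """Send the payload and return the number of bytes handed to the socket."""
    checkpoint("connecting")
    with socket.create_connection((host, port), timeout=timeout) as s:
        checkpoint("connected, sending")
        s.sendall(payload)
        checkpoint(f"sent {len(payload)} bytes")
    return len(payload)


def start_recording_listener(expected_len):
    """Constructed stand-in for the target service: records everything it receives
    until expected_len bytes have arrived. Returns (port, result dict, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {"data": b""}

    def run():
        # keep accepting so the reachability probe does not consume the only connection
        while len(result["data"]) < expected_len:
            conn, _ = srv.accept()
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    result["data"] += chunk
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, result, t


def demo():
    """End-to-end run against the local listener; returns (bytes sent, bytes received)."""
    # hypothetical placeholders: 1052-byte offset, 0xdeadbeef return address, INT3 shellcode
    payload = build_payload(offset=1052, ret_addr=0xDEADBEEF, shellcode=b"\xcc" * 8)
    port, result, t = start_recording_listener(len(payload))
    if not port_open("127.0.0.1", port):
        raise RuntimeError("port not reachable: fix the port forward before running the exploit")
    checkpoint("port reachable")
    sent = send_payload("127.0.0.1", port, payload)
    t.join(timeout=5)
    return sent, result["data"]


if __name__ == "__main__":
    sent, received = demo()
    print(f"sent={sent} received={len(received)} match={sent == len(received)}")
```

Against a real target you would point `send_payload` at the local end of your port forward and watch Wireshark on the same port; if the sent count matches what the capture shows, the script is doing its job and the remaining variable is patience, as the post above notes.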

Rooted using p****. I’ve seen this technique used on other boxes with Linux but I never thought to do this on Windows. Had some curve ■■■■■ that helped me learn. PM for hints if you need it.

User: Enum the web app and Google for the exploit

Root: Use your temporary shell to get a regular shell with a Windows command-line download tool. It is native to both Windows and Linux, and don’t forget your -o flag! From there, Google the exploit for the strange exe file, find the hidden port, do a p*** f****** and execute.

I’m going to need some help I think. I’m not getting anywhere with the privesc portion.
So I got the user and upgraded my shell to a more stable connection.

I have been working on a "P*** F****** using p64.exe", which I am under the impression connected correctly, targeting a service that looks to be vulnerable ce found in the typical user location.

Using Google, I have found multiple exploits. I have tried all of them with a reverse shell, both x86 and x64 versions, or just executing a CMD on the computer, but nothing seems to work for me. I have been bashing my head all day over this, “trying harder” and taking breaks, but I think at some point you just don’t know what you are doing wrong. It makes me question the stability of this privesc for this box, especially after reading some of the comments on it. I would like someone to PM me. I think I need some sanity checks for the commands I am running, and maybe someone to point out where I have a disconnect.
Using google, I have found multiple exploits. I have tried all of them with a reverse shell both x86 and x64 version, or just executing a CMD on the computer, but nothing seeming to work for me. I have been bashing my head all day for this - “trying harder”, and taking breaks - but I think at some point, you just don’t know what you are doing wrong for it. Makes me question the stability of this privesc for this box, especially after reading some of the comments on this. I would like someone to PM me. I think I need some sanity checks for the commands I am running, and maybe point out where I have a disconnect.