Official Escape Discussion

Rooted the machine. But only because of some subtle hints in this thread. Please PM me if you can tell me HOW I should be able to find out this machine was vulnerable for this attack? User to administrator that is. Would really like to know how I can implement it in my enumeration going forward.

I had the same issue so I switched to parrot (as I had it in spare) and it worked!
Donā€™t know why.

1 Like

Oh great! I will try with Parrot thanks mate!

Okay, I started yesterday with this box. It was easy to get shell access as the sql_svc user, but now iā€™m stuck. Iā€™ve gained a shell with Evil-WinRM.

Can somebody give me a little hint? :slight_smile:

Check some sql logs

Ran certify.exe, then went to request a cert and it threw an exception saying a file was missing.

Run winPEAS to find another user. You will need to think, given the machine, how to capture credentials. Hope I havenā€™t given away too much, not intendedā€¦

can someone help me with ce****y.exe ,im trying to run it to create a cert but i get this error

To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.
Note: There is some performance penalty associated with assembly bind failure logging.
To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

in case someone say why not to remove that ā€¦ simply i cant with out admin priv

Didnā€™t work for me, had to run ntpdate ip address of target

Try certipy

Is HTB Pwnboxes down? Canā€™t get it to open, even trying different servers and different levels of access.

Thank you! Great hint!

I think this retired machine is broken. I followed the official writeup but I got an error while trying to get TGT: