It ran a few lines and showed All Microsoft Updates and kicked me out of the machine when I executed it.
Are you sure that it's not just that your shell is unstable? I used the "non-obfuscated any" version of winpeas, if that is any help.
Yeah. I tried the same version as you and also tried winPEAS.bat too, but same issue. I used the PHP reverse shell from Ivan Šincek. I don't know what's happening.
I just tested again and the shell I am using is the "mini" version from the same guy. Everything worked as it should.
Getting stuck on the rev upload… When clicking update the site doesn't respond, it just keeps loading until eventually a request time out occurs. I've reset the box and same problem. Any others experiencing this?
Bit tricky one, had to look into the forums and notice other players do one special thing in a subdir, to see why my ev**-***m didn't allow me to do the privesc. Actually I still don't understand why it's like that, happy for explanation.
@netbanger said:
Getting stuck on the rev upload… When clicking update the site doesn't respond, it just keeps loading until eventually a request time out occurs. I've reset the box and same problem. Any others experiencing this?
Had 2 VPN instances running instead of 1. Worked immediately after I disconnected from the VPN that isn't needed.
Okay, it just happened, I made a decision to ask some help on this box… I got the user flag as user… Now I need to do some privilege escalation. Windows boxes are not my thing (yet). That's why I want to do this one.
While reading the posts in this thread, I get the idea I took a different path. So let me explain a bit.
I've performed a port scan and with those details I've decided to check the source code of the logon page. While using my Google-Fu skills I've found an S--I bypass which gave me access as a-----n on the a-----n-page. Because it's a Windows box using a particular development language I was thinking about uploading a rev-- s--l and a n-.--e because of a known b--ss up---- exploit in this tool. Via this way I got the user P----e and the user flag. While enumerating the directories and files I've found the username and password for the user on the a-----n-page, but I don't need them because of my earlier step… And another one for P----e… but not sure if I can reuse this one and if I need this one as I am this user.
Uploading winpeas.exe and winpeas.bat are working for me, but running them not… that part didn't give me any clue… So I decided to see if anyone had the same issues. While reading the posts before me I started thinking that I got another user account than others… especially because I saw something about checking privileges, policies and a certain hint about "Windows I*******r is not correctly installed."…
So I am thinking I walked another path and I am stuck… Can anyone help me back on track again…
Manual enumeration works well here. If you look at the hacktricks website, the steps you need are in there.
Once you find the exploitable setting, the hints might make more sense to you. Then it's a fairly easy exploit.
Okay, I've the root flag… but I used a framework which automates a lot of things and that's nice. However I want to do it manually as well… One of the manual options I tried, but it didn't work. Probably my Windows skills which suck… can I DM you about this?
Ugh… feels like I should have got user earlier… comment by @anir08 set me on the right path… completely forgot about the configuration part. Also spent too much time on the ***i path but the link in that post got to where I could use what I knew. Make sure to take notes on all the machines you do… chances are you've already used this trick.
On to admin access… hit me up if you need a nudge.
Cheers
Update: got system… lots of good hints in the forum… thanks! Fun box!
Hi. Not sure what I'm doing wrong. I have the user. I'm pretty sure I've found the way to privesc. My shell is very unstable and I cannot use the r###s /u###: command to execute anything. Any ideas what I'm doing wrong?
Edit: I have a stable shell and I am a part of the "in" group, but still can't access the flag.
EDIT: Nevermind. Tried harder and got it.
I just got user but it doesn't feel satisfying when I don't have a full understanding of why it worked. If someone has a chance to DM me and explain why 3 out of 4 shells (all using the same language) didn't work but the 4th one did it would be much appreciated. I almost gave up on that route because I thought it wasn't viable.
Been struggling on getting a foothold for a couple of days now. I found the secret area that everyone has been talking about by observing my map. I found a thing that just echoes back what you throw at it. However I don't know what to specifically throw at it to make it echo back what I want to know.
Honestly a DM in the right direction would be greatly appreciated!
Hi, I don't usually come over to the forums asking for help but I am completely stuck trying to find the initial foothold. I've found the service everyone is talking about via the nmap output. I've tried enumerating the directories/files but most are forbidden. I also enumerated the ad**n directory using gob*r and I managed to read a file that showed a ver ID but I have nothing else and I'm completely stumped. If anybody has any good resources to read up on that will help me get through this blockage it would be much appreciated.
EDIT:
No worries, I got some help from the discord. I can't believe that I was so close but forgot to use something from my n**p.
I found the box very finicky, so if what you think you are doing should work for root and it's not, try a reboot, as after wasting a bunch of time, what I was doing worked the very first time after rebooting.
Heh, I hesitate to mention this because I don't want to lead anyone down a gopher hole, but I got user by changing stored info because I completely missed the easier intended method.
Spent the whole night trying to get into it. Here are the hints
User: If you're like me and looking into various services or injections, that's not the way to go (or maybe it is an unintended way, who knows). Scan thoroughly, go through the results with a fine comb, maybe even adjust the normal flags you'd use in your standard nmap scans.
Root: If you're using our pride and joy, metasploit, it's pretty easy to do, you just gotta ELEVATE the privileges.
Fun box, loved it. If anyone is stuck please ping me, will reply in a few hours, have to go to sleep right now
Fun box.
User: Use all you have in scans.
Root: With metasploit it is very easy to exploit; enumeration is key, as always.
For any nudges DM.
That was so nice after a long break from HTB! Easy and fun box, but it's easy to get stuck on some rabbit holes. Feel free to send me a DM if you need a nudge.