Querier

This box! Banging my head against the wall all day. Got low priv shell with svc account, tried almost every win priv esc using PowerShell (Giddy, Mantis, Optimum, and Chatterbox). Tried EMP-PU too but nothing worked. Haven’t found any uncles. At this point would love to get any tips on/directions to reading materials for more relevant priv esc.

Thanks!

Rooted! Fun box, but had to guess a little bit for the first step. If anyone has any difficulty, feel free to PM :wink:

Just rooted! Big thnx to @D3vnull for the shell hint :slight_smile:

Hey guys! Can someone give me a hint?
I got user.txt and a password to connect to the box, but I don’t know how to get a shell. I only got RCE, and PowerShell looks blocked by antivirus…
I don’t know much about Windows.
Thanks

Rooted
Great and good box, thanks for all the hints.

Stuck in Priv Esc :frowning:

Rooted

@stonepresto said:

@haimvak https://youtu.be/XIVkqW23C6I?t=5

For python purists or anyone attempting to pythonize this box using the common pypi project related to the DB, here’s a little note:

The API is not well documented and might lead you down a rabbit hole when going after user and getting a CONFIG error.

Each cursor object is an implicit transaction, and therefore is restricted to what commands can be run. This disallows you from ‘upgrading’ to exec. One hacky way around this is to specify your ‘upgrade commands’ in the conn_properties parameter of the connection object, which are treated as separate queries.

I don’t think any of that spoils anything, especially since most people are more likely to take the easier route. If the mods feel like it does feel free to bork my post.

hahahaha!! Loving the video…

And even this is done! This was very hard because I don’t have a lot of experience with MS SQL, but thanks to the hint of G***y and a little help of @D3vnull I’ve won the first obstacle.

I’ve really learned a lot thanks to this machine!

Hints:

  • Initial foothold: enumerate the ports you have very well and you will find the first piece of the puzzle
  • User: as I said before and others have said before me, there is an interesting old machine that can give you a very important hint! (its name starts with G and ends with y)
  • Root: enumeration is the key! If you need help, some scripts can give you the solution :wink:

PM me if you need some help!

Finally got user now on to root! Have no experience with M***L so found it very challenging so far but learnt a lot!

So I managed to get into the s** server using im****** and I can’t use the commands there because I don’t have the privs. So I’m guessing priv esc from here so I can run them, but I’m at a bit of a wall, any hints would be greatly appreciated.

Any nudges for root? Got an output from J**S enum script but nothing seems to stand out after looking at it multiple times.

EDIT: ROOTED thanks @KaiserPhoenix

Thanks to @ddosmg for your question and @sentry for the answer. It provided me with the nudge I needed.

One of the parts I was stuck on was getting a reverse shell for user, as Windows seemed to block a lot. For this I recommend reading the GitHub page for the ni****g repo.

Can someone PM me the steps on how to enumerate the users for SQL? I’m not sure how to get the username to connect to the DB with.

If you have the uncles and are stuck, look into other im****et modules, very useful

Pretty cool machine. Learned something new along the way.
User: Enumerate and you’ll find something with the Brazilian dance. Once you open the file, look for interesting strings. Then log in; you won’t be able to execute shell commands, but maybe you can execute something more. Once you find what I’m talking about, intercept that and get something to work on. Google and you’ll find a very useful script to upload files, and it will even give you a shell!
Root: Very famous enumeration script (get the most recent version, don’t be like me and use an older version. I lost 4 hours because of this), then Brazilian dance again with your new credentials.
Enjoy.

I have the c568 credentials that I got from ML, via xp*****, but where do I authenticate them against? Please help. I’ve been banging my head against the wall with this. Please PM if able to help.

Edit: nvm got this

I’ve now created a local admin user. But am unable to log in as said user, any help via pm would be appreciated.

Rooted, ignore my previous comment, it’s a false path to victory that does not work. Pro tip for people trying to privesc, make sure you have the latest version of whatever tool you are trying to use to privesc or enumerate privesc details from, older versions may not show as much.

@fbarrsmith said:

Rooted, ignore my previous comment, it’s a false path to victory that does not work. Pro tip for people trying to privesc, make sure you have the latest version of whatever tool you are trying to use to privesc or enumerate privesc details from, older versions may not show as much.

No, it’s not a false path to victory bro :smiley:

Anyone stuck, PM me to help :wink: <3