This box! Banging my head against the wall all day. Got low priv shell with svc account, tried almost every win priv esc using powershell (Giddy, Mantis, Optimum, and Chatterbox). Tried EMP-PU too, but nothing worked. Haven’t found any uncles. At this point would love to get any tip on/directions to reading materials for more relevant priv esc.
Hey guys! Can someone give me a hint?
I got user.txt and a password to connect to the box, but I don’t know how to get a shell. I only got RCE, and PowerShell looks blocked by antivirus…
I don’t know much about Windows
Thanks
For python purists or anyone attempting to pythonize this box using the common pypi project related to the DB, here’s a little note:
The API is not well documented and might lead you down a rabbit hole when going after user and getting a CONFIG error.
Each cursor object is an implicit transaction, and therefore is restricted to what commands can be run. This disallows you from ‘upgrading’ to exec. One hacky way around this is to specify your ‘upgrade commands’ in the conn_properties parameter of the connection object, which are treated as separate queries.
I don’t think any of that spoils anything, especially since most people are more likely to take the easier route. If the mods feel like it does, feel free to bork my post.
And even this is done! This was very hard because I don’t have a lot of experience with MS SQL, but thanks to the hint of G***y and a little help of @D3vnull I’ve won the first obstacle.
I’ve really learned a lot thanks to this machine!
Hints:
Initial foothold: enumerate the ports you have very well and you will find the first piece of the puzzle
User: as I said before and others have said before me, there is an interesting old machine that can give you a very important hint! (its name starts with G and ends with y)
Root: enumeration is the key! If you need help, some scripts can give you the solution
So I managed to get into the s** server using im****** and I can’t use the commands there because I don’t have the privs. So I’m guessing priv esc from here so I can run them, but I’m at a bit of a wall, any hints would be greatly appreciated.
Thanks to @ddosmg for your question and @sentry for the answer. It provided me with the nudge I needed.
One of the parts I was stuck on was getting a reverse shell for user, as Windows seemed to block a lot. For this I recommend reading the GitHub page for the ni****g repo.
Pretty cool machine. Learned something new along the way.
User: Enumerate and you’ll find something with the Brazilian dance. Once you open the file, look for interesting strings. Then log in; you won’t be able to execute shell commands, but maybe you can execute something more. Once you find what I’m talking about, intercept that and get something to work on. Google and you’ll find a very useful script to upload files, and it will even give you a shell!
Root: Very famous enumeration script (get the most recent version, don’t be like me and use an older version. I lost 4 hours because of this), then Brazilian dance again with your new credentials.
Enjoy.
I have the c568 credentials that I got from ML, via xp*****, but where do I authenticate them against? Please help. I’ve been banging my head against the wall with this. Please PM if able to help.
Rooted, ignore my previous comment, it’s a false path to victory that does not work. Pro tip for people trying to privesc, make sure you have the latest version of whatever tool you are trying to use to privesc or enumerate privesc details from, older versions may not show as much.