SecNotes

rooted this one, PM me for a nudge

@peacemindlav said:

@DataPush3r said:
I’ve got creds, and I can save stuff to the server. But I can’t get RCE or a shell with any of the methods I’ve already tried. Can anyone PM with a nudge in the proper direction?

i have also stuck on same. what i need to do next

Try different shells. :wink:

finally rooted, learn new things, really likes this one.
thanks the creator.
special thanks to @lun3r :slight_smile:

fell free to pm for hint

Whew. Getting user was fun.

There’s a few rabbit holes for web exploits that should be avoided. The easy to find exploit that would most likely involve social engineering is a rabbit hole. Multiple people have referenced the Nightmare machine so you should start there. Ippsec’s video should help. However, don’t get hung up on the db. If you get error messages, you’re probably going too deep.

Once you get non-shell access to the thing, if you don’t know how to use your the service, you probably didn’t enumerate enough. Go back to the first scan you did and ask yourself if you checked for everything. After than, it’s very straight forward. It’s typically the second (sometimes first) thing I do and I totally forgot to do it. Could have saved me a few hours.

Hopefully I didn’t give too much away here. PM me for help on getting user.

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

This is exactly where I am stuck. I can read and write files, but I can’t get any shell to execute either :frowning:

I was held up on user due to the fact that my initial Nmap ended prematurely.

Got root! It was quick and easy once i realized what was going on, and thanks to the hints in this thread.

I think I got root in a slightly different way, based on the writeups. At least, I used a different file, one that seems to be a more generic part of this Windows feature, and probably required less digging on the system.

I cannot believe how many different shells I’ve tried getting an initial shell. asp, aspx, nishang, empire, etc. Nothing is working, the only different thing I ever get is a 500 error. Anyone with any insight, please PM me.

@beginner2010 said:
Very nice machine. Was overthinking too much for priv esc:)

Me too. Whenever I see a setup like this, I somehow always assume the worst and focus on more difficult ways of compromise. Nice box.

Hi everyone, I finally managed to get the root.txt file (really cool box, had a lot of fun!) but I’m still not satisfied. I got it by logging into a certain service with elevated rights. I still don’t feel I’ve properly rooted the machine though, even if I have the the flag, because I only have high privileges when logged into that specific service. Is there a way to get a proper system shell? I feel like I’m missing something… If anyone wants to DM me with pointers I would really appreciate it :slight_smile:

Any hints for entry point? Im seeing secnotes page, but nothing for now.

@9999volts said:
Any hints for entry point? Im seeing secnotes page, but nothing for now.

You might want to re-scan the target host. You should find somewhere that accepts user input

On privesc, I am getting “Error: 0x8XX7XXX” when running the command. Is that normal?

Nevermind :slight_smile:

Great machine, usually I am not so familiar with windows. Once you have your stuff together, its pretty straight forward. PM if you need help.

#rooted
ping me if you struggle :slight_smile:

@royc3r said:
I’ve been stuck on getting a shell to work for a week. im guessing you have to rename the shell to one of the files in the directory so it doesnt get deleted but any of the ones i try i never see a connection from the server to my laptop in a tcpdump.

finally got user. as always more enumeration was required.

Stuck getting a shell :confused: tried the ways i know and searched a bit more but got nothing …
any hint ? :slight_smile:
Edit: got user and root, was easier than I thought… don’t get bored of enumerating and looking at details… feel free to pm me if you need help

I learned a lot even when i was in the wrong way :slight_smile:
Thank you @0xdf .

Image

Rooted, wow a long way to get the flag :slight_smile: Trying harder things than the easy way.