SecNotes

Comments

  • Hey, I'm able to execute individual commands, but I'm stuck on getting a reverse shell that doesn't immediately die. Could someone PM me with some hints to move forward?

  • edited December 2018

    Hey did anyone else experience problems when trying to connect to c$ with the right password? pls PM
    EDIT: I was just being really stupid. Got root!

  • would someone please pm me with regards to privesc? I believe I have found a way to run commands that would usually not work on a windows box (which I think is the right direction) but I think my syntax or my shell is not good enough to actually have them run on the machine... can explain more in a pm

  • I've found user and managed to setup a stable reverse shell. I've found a couple interesting things that feel unusual. However they don't seem to help me any further towards root. I think I can't mention my findings here without possibly spoiling something so I would appreciate it if someone could DM me and perhaps help me get to the next step.

  • Someone willing to DM me on initial??? i've injected the sh* out of this thing to no avail... no weird 500 errors or anything.... also got mixed results on different runs of the tool.

    -Keep Learning

  • Finally got root. This wasn't an easy box for me.
    HINT
    User: 1. Enumerate services with nmap; there are 3 services running on the box.
    2. Watch the Ippsec video on Nightmare, you only need the first part. Don't try to run his command as you see it, rather go basic, don't overthink it. A simple true statement is all you need. (winks)
    3. Upon getting credentials, connect with one of the services you enumerated earlier.
    4. Try and get a shell, how you go about it is up to you. Once you have a shell you pretty much have user.txt

    Root: This one was annoying
    1. Enumerate the box by playing around folders, no need to run any stupid script. You'll definitely see something off that shouldn't be in a WINDOWS box
    2. Sometimes taking a shortcut is a good thing
    3. Once you have got a shell the rest is history (winks)

    I tried to keep it spoiler free. Honestly coming from someone who struggled with this box the hints here are idiot proof unlike "enumerate", "try harder" and stupid **** that PRO's like to dish out.

  • @zauxzaux said:
    Someone willing to DM me on initial??? i've injected the sh* out of this thing to no avail... no weird 500 errors or anything.... also got mixed results on different runs of the tool.

    for me it was the same! work in a "deeper" way to inject! also don't go just with the traditional methods, try all of them

    dplastico
    OSCP-OSCE

  • edited December 2018
    Would someone mind giving me a hint for the initial foothold please? I’ve tried a ton of s**i******** but can’t seem to progress past the 500 err. I’ve spent hours and checked out nightmare but I guess I’m just missing something...

    EDIT: Ignore this, I've got it! What is it about posting a help request for a forum or emailing support that makes you work out the answer to your question immediately after? Lol!!!
    EDIT2: Got root now, I was definitely overcomplicating things. It was super easy once I looked in the right place! Learnt a thing or two though so it's all good :)

  • okay, it's easy to get a reverse shell. For the privesc I think I should use what I have on the Desktop (Torvalds). The problem is that any command hangs and I don't know if it is a machine issue or my fault!! Any help please?

  • Hey All. I have user access and a stable shell but I haven't been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don't want to give any spoilers but I'm getting permissions errors trying to access the root flag from the subsystem. Thanks!

  • @redcypress said:
    Hey All. I have user access and a stable shell but I haven't been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don't want to give any spoilers but I'm getting permissions errors trying to access the root flag from the subsystem. Thanks!

    Never mind. Just got root flag. Wahoo!

  • Hey guys, can someone give me a pointer? I am massively missing something! Thanks!

  • edited December 2018

    Could someone help me via PM for the easy step on this machine?

  • Hi !

    Can someone give me a hint for the root flag ?

    I have the "second shell" by using the feature given by this windows 10.

    i'm enumerating lots of things but i don't find the way to get the root.txt.

    Thanks

  • edited December 2018

    whenever i try to run ****.exe i get error as "mesg: ttyname failed: Inappropriate ioctl for device" can someone help me
    i am on the last stage to get root please PM

  • edited December 2018

    I am root, but i don't see the flag , what happened here? --- NEVERMIND I HAVE THIS I THINK...

    ROOTED!!!!! great machine!

    Hack The Box

  • I tried to copy the b.exe by Mr.torvalds to the South African folder to try if it is related to Ub****.exe , I even tried to launch b.exe -c 'netc**.exe -e ip/port' to try if it would give me a reverse root shell because b***.exe runs under root.
    still stuck by the b***.exe :'(

  • edited December 2018

    I must be severely missing something with SQL injection. I think I've found where the injection point is (I've tested 500 vs non-500 responses in 2nd-order SQLi) but I can't exploit to get any kind of meaningful response, even boolean injection either... Anyone PM me with a hint on what I should be looking at closer?

    I'm all for learning and hammering away but I'm going on 4 hours of injecting on this one point and I think I'm just missing some "obvious"/"simple" thing as everyone has said earlier in this thread......

  • @notoriousclg said:
    I must be severely missing something with SQL injection. I think I've found where the injection point is (I've tested 500 vs non-500 responses in 2nd-order SQLi) but I can't exploit to get any kind of meaningful response, even boolean injection either... Anyone PM me with a hint on what I should be looking at closer?

    I'm all for learning and hammering away but I'm going on 4 hours of injecting on this one point and I think I'm just missing some "obvious"/"simple" thing as everyone has said earlier in this thread......

    Watch "Ippsec Nightmare" on YouTube

  • edited December 2018

    @garnettk said:

    Watch "Ippsec Nightmare" on YouTube

    I'll rewatch it, but I already saw his SQL injection... I'm missing how he interprets lack of bad characters to mean "Here's where I can inject" versus "The app just sanitized the input". I'll rewatch...

    EDIT: I got user, but not with the way I think I was supposed to. Will work on root now.

  • edited December 2018

    I'm having trouble getting a shell once connected through s*b. Could someone help me please via PM? Thank you

  • edited December 2018

    Nevermind, a reverse shell I previously thought was not working... is now working.

    X_X

    Fibbot
    OSCP

  • @Virgula said:
    I'm having trouble getting a shell once connected through s*b. Could someone help me please via PM? Thank you

    Watch IppSec - Active on YouTube

  • Rooted!
    Flag Captured!

    I was about to give up, but then I decided to give it the last shot and bang, basic understanding of Linux filename saved me!

  • Rooted! This took a lot longer than I would've wanted, but whatever -- I consider it a good challenge if I learn new tricks along the way. Thanks to pablovidela for the nudge, getting stable access was a pain but when it was obtained the rest was just enumeration. Great challenge!

  • edited January 2019

    I've managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I've created. Anyone that can PM me a hint?

    EDIT: I'm working on exploiting the u*****.exe to try and bypass access restrictions and such... anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit...

  • @notoriousclg said:
    I've managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I've created. Anyone that can PM me a hint?

    EDIT: I'm working on exploiting the u*****.exe to try and bypass access restrictions and such... anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit...

    No need to do anything for root other than look for clues that user has left

  • edited January 2019

    Hmmm I think I've found it, but I'm not finding a way to actually use some credentials I've found, even with a shell on the machine.... Any other pointers?

    Tried using a three-letter database service running on the machine using creds found, but it only prints out information then returns me back out of the program... Will keep pushing.

  • edited January 2019

    I can upload files and get a shell fired up, but I cannot interact with it. I try to even run a DIR command, and it seems to freeze, then after a few seconds, the shell drops. Someone PM some hints on a stable shell to use?

    EDIT: Got a stable shell and user.txt. Learned a new method on that one! Now for root!

    n00b

  • Rooted! Hint: sometimes you get blind trying to execute when you can do more stuff

    dplastico
    OSCP-OSCE
