SecNotes

1356714

Comments

  • edited August 2018

    Anyone willing to give small, non-spoiler hints for privilege escalation? I'm a bit of a noob when it comes to Windows and a little lost. Currently going through the filesystem looking for anything that might be useful. Not really noticing much. I DID notice the "odd" folder in the root directory, however.

    opt1kz
    https://i.imgur.com/4jXzPqJ.png
    404 Friend Not Found

  • hey any hints on this box struck after login ..beginner my first box attempt

  • For privesc, I discovered something weird by accidentally listing everything...
    n00bp0tat0

  • Rooted! Fun little box...

    Mochan

    Checkout my Dropbox of Goodies >> https://www.dropbox.com/sh/ba0t59c5fnccgms/AACvUbUSflWB1_AAgj8okEUra?dl=0

    [CCNA R&S] [OSCP - In Progress] [Security+ - In Progress]

  • I've been struggling with privesc here.. I was intrigued by u*****.exe and did some reading on WSL but can't figure out how to make use of it as a non-privileged user. Am I in the right area or are my efforts better concentrated elsewhere?

  • ok.. so logged in on the web page.. pulled some notes..
    connected to a different service where I can read and write files..
    but then what :( probably something basic..
    if anyone can send me a small nudge.. would be much appreciated.

  • @rewks said:
    I've been struggling with privesc here.. I was intrigued by u*****.exe and did some reading on WSL but can't figure out how to make use of it as a non-privileged user. Am I in the right area or are my efforts better concentrated elsewhere?

    Keep digging, there is a way to make it work. Maybe google what your trying to run, and it what OS. I found it fairly quickly

  • edited August 2018

    Edit: Fixed the problem and rooted it. It was an issue of using the wrong tool to spawn my connect-back shell. Windows 10 is flakey.

    opt1kz
    https://i.imgur.com/4jXzPqJ.png
    404 Friend Not Found

  • This file might just hint you , Look for other interessing files related to it ;)

    xMagass

  • maybe this could help some people, when your using one shell and it not working for what ever reason, get a different shell with another tool. There are many options. netcat, ncat, powercat, nishang, etc... I had two different connect back shells going, when something didn't work in one, I switched to another. My shells would also get hung from time to time while I was experimenting, so I just sent another over and kept going

  • Rooted. Very interesting box, learned heaps by doing it. Happy to provide hints through DM

  • Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

  • edited August 2018

    @p3tj3v said:
    ok.. so logged in on the web page.. pulled some notes..
    connected to a different service where I can read and write files..
    but then what :( probably something basic..
    if anyone can send me a small nudge.. would be much appreciated.

    Stuck at the same step :(
    Had an idea to find a folder corresponding to share's n**-s***, but dirb doesn't help

  • edited August 2018

    @0daysru said:

    @p3tj3v said:
    ok.. so logged in on the web page.. pulled some notes..
    connected to a different service where I can read and write files..
    but then what :( probably something basic..
    if anyone can send me a small nudge.. would be much appreciated.

    Stuck at the same step :(
    Had an idea to find a folder corresponding to share's n**-s***, but dirb doesn't help

    Nvm misread your post

    Edit: I'm stuck in the same place, got a list of accounts and am attempting to bruteforce :P

    jamesa

  • Hi guys,
    I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

  • @millerangello said:
    Hi guys,
    I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

    You're overthinking. You're on the right track but keep it simple

  • edited August 2018

    In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can't use it anymore. Do I have to reset the box everytime?

    Elio

  • @elio said:
    In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can't use it anymore. Do I have to reset the box everytime?

    You can change first part.

  • edited August 2018

    @0daysru said:

    @p3tj3v said:
    ok.. so logged in on the web page.. pulled some notes..
    connected to a different service where I can read and write files..
    but then what :( probably something basic..
    if anyone can send me a small nudge.. would be much appreciated.

    Stuck at the same step :(
    Had an idea to find a folder corresponding to share's n**-s***, but dirb doesn't help

    Maybe this helps:

    @starcraftfreak said:
    Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

    Then, look for files in n**-s*** you find in other places...

  • Nice box, thank you @0xdf !

  • i can't find RCE :disappointed:
    can anyone help

  • For privesc there's no need to get reverse shell, just go back in time with the appropriate file in the appropriate directory!
  • edited September 2018

    rooted.. learned a fair amount, felt like a box of simple loopholes and being lucky with the commands tho.

    but not a bad box : ) positive rating

    Hack The Box

  • edited September 2018

    I have users, but nothing else..someone can help me?

    EDIT: I got user
    EDIT2: Rooted

  • edited September 2018

    Hi guys,
    I am stuck on the Web App Login because I cannot find any table which provides anything. Enum of all Tables doesnt work either.
    Would someone be so kind and provide a hint?

    Edit 1:
    So I am one step further. Found logon infos for a user which connects two services to each other. I can upload files into a directory but have no idea how to get a shell from there.
    Any hints would be appriciated.

  • Could someone give me a hint on where I should start? I tried enumerating different pages, but cant seem to find anything. Injection also appears be be unfruitful.

  • Can anyone help me out getting the root flag? I have an interactive shell within the special environment running as root, but it only runs under context of the user starting the process (user.txt user in my case). I think I have carried out all other normal Windows enumeration for privesc and haven't come up with anything yet... any advice?

  • edited September 2018

    EDIT: rooted. I enjoyed the privesc to Admin a lot.

    @GetTheGuru I was stuck in the same place for a while. It turns out that what you need is very close. There is another small step before the flag.

    Elio

  • l0xl0x
    edited September 2018

    Can someone PM me regarding initial errors ?

    Nvm that was easy

  • edited September 2018

    Nice box, but someone keeps resetting it and it's completely unnecessary. Also, brute forcing is NOT how you get in this box, neither is blasting it with any tool other than the basic enumeration.

    Edit: Rooted. Very clever way of rooting. If you're stuck, the answers you seek are in front of you.

Sign In to comment.