SecNotes

Comments

  • Hello all,
    Got root, but can't read Admin folder, any hint please....

  • edited October 2018
    Finally got the root flag on SecNotes.
    I can just say, really great box. I very much like boxes like this and I learned a lot. 😀
    Many thanks to the creator of this box!!!!

    If someone needs some help, just PM me. I'll try to reply quickly.

    Ozunu

  • Fun box.. great job 0xdf!

    Hack The Box

  • Hello guys, I passed web login page and successfully logged in to another service, I can upload and can execute files on server, even reverse shell is dropping but no code executing. When typing command and enter, it freezes and closes. Files are disappearing ok but even files are staying at server, reverse shell is not working too. I tried lots of commands for 2 days but there are not so many choices for Windows (or I don't know :( )

    Do you have any suggestion/advice?

    Wainright

  • @Wainright said:
    Hello guys, I passed web login page and successfully logged in to another service, I can upload and can execute files on server, even reverse shell is dropping but no code executing. When typing command and enter, it freezes and closes. Files are disappearing ok but even files are staying at server, reverse shell is not working too. I tried lots of commands for 2 days but there are not so many choices for Windows (or I don't know :( )

    Do you have any suggestion/advice?

    Same boat as you. :(

  • edited October 2018

    It was really a fun box. To all trying to get user flag: don't dig too deep, you actually see a part of what you need after logging in to the app :bleep_bloop: On privesc: the new Windows feature is really cool for developers. Even if it is your first contact with it, don't be afraid to make a step inside :grin: For any hints feel free to message me.

    n0tAVirus

  • I didn't like the privesc part. This is almost too stupid to come up with, but it teaches you to search in every last corner I guess.

    nscur0

  • That was fun. I was surprised to find certain credentials in a historical archive which made it more fun to find more or less by accident.

    Dltd

  • This was a fun box. Thanks to @vasusethia for the subtle hint at the beginning. Spent too long on the first steps trying to enumerate the db and making things more complicated than is actually needed. :facepalm moment for sure. Privesc was fun - wasn't expecting that on a Windows box... Thanks @0xdf

    thrash

  • @xxizocxx said:

    @Wainright said:
    Hello guys, I passed web login page and successfully logged in to another service, I can upload and can execute files on server, even reverse shell is dropping but no code executing. When typing command and enter, it freezes and closes. Files are disappearing ok but even files are staying at server, reverse shell is not working too. I tried lots of commands for 2 days but there are not so many choices for Windows (or I don't know :( )

    Do you have any suggestion/advice?

    Same boat as you. :(

    Finally rooted, I am replying to my own question :)

    First of all, I couldn't find any easy way of reverse shell (lots of people said to try simple ones but maybe I couldn't work them out), I tried my second method: if you CAN'T execute commands which you think should work, then try something different with those tools/commands (I don't want to give any spoiler)

    After getting user, for privesc, it's the same; like others said, I didn't research new features of OS, enum enum enum, I just enumerated lots of files at first-look places. Then you can see there is a command that shouldn't be there. Go on looking for it, you will be surprised when your different commands are working. :D :D :open_mouth:

    (I hope that there is not so much spoiler) ;)

    Wainright

  • Hi, could anyone PM me? I’m stuck on the secondary service I found... I’ve never tried a Windows machine so I’m a bit new with the service...
  • Hi, one help for me?? I did enumeration but I didn't find anything and I know little about SQL injection

  • Hi all!

    I have rooted this box an unintended way and now trying to do it as many others. I have enumerated the new Win10 feature and I have a privileged user who cannot read the root.txt file because the service is running under non-privileged user. I am still hitting my head into the desk for 2 days so if someone can give a little hint in private please don't hesitate...

  • edited October 2018

    @MTOTH said:
    Hi all!

    I have rooted this box an unintended way and now trying to do it as many others. I have enumerated the new Win10 feature and I have a privileged user who cannot read the root.txt file because the service is running under non-privileged user. I am still hitting my head into the desk for 2 days so if someone can give a little hint in private please don't hesitate...

    Update: Okay finally I got it after 2 fck'n days..... For future me: when you find sth interesting do basic enumerations and do not overthink it. You can spare a lot of time if running basic enumeration scripts before going deep.

    For all who are struggling: check Win10 feature list and play with it. Try different shells if something is not working as expected. Play with it and do basic enumerations!!!

  • I got the login credentials but now I do not know how to proceed to reverse shell....can you help me?

  • Am I the only one where the website takes hours to load because of the bootstrap cdn?

    If you ask for help, show your workings and what you've tried or I won't reply.

  • Please give me a hand for the reverse shell on s**c****t.... I tried with metasploit but nothing

  • I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can't execute the files (web or .exe) that I upload. Can someone give me a little hint? :)

  • I would appreciate a nudge for this box, I am still struggling with getting an initial foothold. Perhaps I am overthinking this?

  • @firefly47 said:
    I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can't execute the files (web or .exe) that I upload. Can someone give me a little hint? :)

    No exploit needed. Think about where you're uploading your file to, and how you might be able to execute them. Scanning more than just the most common ports might help.
    Also, just because this is a Windows box doesn't mean all it can execute is M$ stuff like .exe files. :tongue:

    nscur0

  • edited October 2018

    I was able to identify the double SQL injection and obtain the current database name (SECNOTES) and version.

    I was able to obtain the password hash for t****, am I in the right direction? I presume I have to use this to log in?

  • @nscur0 said:

    @firefly47 said:
    I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can't execute the files (web or .exe) that I upload. Can someone give me a little hint? :)

    No exploit needed. Think about where you're uploading your file to, and how you might be able to execute them. Scanning more than just the most common ports might help.
    Also, just because this is a Windows box doesn't mean all it can execute is M$ stuff like .exe files. :tongue:

    Thank you very much, the hint did it. This is the second time I am not using nmap's full potential :). Now I'm working on the privesc part. I discovered the "feature", wasn't able to read the root.txt yet, but hopefully I'll get it :)

  • Pwned. Thanks to the creator of the box, learned a couple of new tricks.
    Feel free to pm me for help or hints.

    Arrexel

  • I am able to upload files via s** and browse to the webpage on port 8***. However I can't get the reverse shell to connect back, I've tried aspx and ncat. I've uploaded a txt file with the name of i******* which I can view but can't get anything to execute

  • I have identified the technique to access the database and I read database name and a few other things but I am getting the "Something went wrong error". Someone to PM me hints on refining my technique to extract more info?

  • I tried using smbexec.py to execute commands on the box, I keep getting an error message. I also tried uploading an aspx rev shell but to no avail

  • I finally got a stable shell and am enumerating the various folders looking for a potential privesc, this certainly is a tricky box

  • Ah Rooted!

    The answer already there but because didn't really to focus something different in the command.

    Eyes problem lol

  • edited October 2018

    Rooted. My hints for this box:

    • first part: use one of the most famous hacking techniques for crafting malicious inputs in web-apps
    • second part: use the "new" service to load your shell
    • third part: look around to see what "new feature" has been added to Windows systems
    • fourth: use that feature to gain root as you would usually do

    p.s. the cool thing is that you can perform phases 2 and 4 in a variety of ways

    TheInnocent

    "I recognize, Mr. Reese, that there's a disparity between how much I know about you and how much you know about me. I know you'll be trying to close that gap as quickly as possible. But I should tell you... I'm a really private person."

  • @gregX01 said:
    I have identified the technique to access the database and I read database name and a few other things but I am getting the "Something went wrong error". Someone to PM me hints on refining my technique to extract more info?

    I think I'm getting the same thing when I try to inject. Can someone PM to help limp along?
    Every time I try to inject on R******r.php page I get "Something went wrong error", any hints how to get past this?

    lordsoahc
    CCNP, CCNAx3
