Giddy

Comments

  • > @The5thDomain said:
    > Does the initial foothold have something to do with xp_******ll or xp_****ee? Been playing around with it for hours but can't figure out how to get it to function.

    In the same place, found the injection but can't seem to get anything useful.

  • One of the best Windows machines I have solved till now. Loads to learn :)

    3zCulprit

  • Wow - learned a lot with this one. Special thanks to @vasusethia for the assistance. Not sure I would have found the initial method to user without a point in the general direction. Did end up utilizing a Windows VM like some others. Nice build @lkys37en

    thrash

  • Amazing Box thanks to @pikey301 I learned a ton about how messed up some services are. <3

  • edited October 2018

    Really stuck on the privesc for this machine... Could anyone give me a PM and give me some hints.

    Edit:
    Nevermind, got root :)

  • edited October 2018
    Hmmm found vulnerability that allowed me to eventually get NT... Used John and hashcat with best64 and got same result for both but can't access the panel on web with those creds! Am I missing something? Or do I need a reset?


    Edit: NVM got it 😀
  • Anyone want to help me with xp******e query?

  • Hey guys... Been stuck at this PowerShell webapp forever now, my ps game is weak obviously... I see a path to escalate but I can't run what I need to run that arbitrary file I can create if anyone can offer a push in the right direction it'd be greatly appreciated!
  • > @3s073r1k said:
    > Hey guys... Been stuck at this PowerShell webapp forever now, my ps game is weak obviously... I see a path to escalate but I can't run what I need to run that arbitrary file I can create if anyone can offer a push in the right direction it'd be greatly appreciated!

    I'm in exactly the same spot. I'm aware of the vulnerability and exploit (unless I'm way off track), but I'm having trouble bypassing/evading preventative measures.

    --Skunkfoot

  • > @Skunkfoot said:
    >
    > > @3s073r1k said:
    > > Hey guys... Been stuck at this PowerShell webapp forever now, my ps game is weak obviously... I see a path to escalate but I can't run what I need to run that arbitrary file I can create if anyone can offer a push in the right direction it'd be greatly appreciated!
    >
    > I'm in exactly the same spot. I'm aware of the vulnerability and exploit (unless I'm way off track), but I'm having trouble bypassing/evading preventative measures.

    Yeah I'm pulling out hair here 😂 I've tried all the previous methods I knew which were not many and been Googling with no luck too

  • > @3s073r1k said:
    >
    > > @Skunkfoot said:
    > >
    > > > @3s073r1k said:
    > > > Hey guys... Been stuck at this PowerShell webapp forever now, my ps game is weak obviously... I see a path to escalate but I can't run what I need to run that arbitrary file I can create if anyone can offer a push in the right direction it'd be greatly appreciated!
    > >
    > > I'm in exactly the same spot. I'm aware of the vulnerability and exploit (unless I'm way off track), but I'm having trouble bypassing/evading preventative measures.
    >
    > Yeah I'm pulling out hair here 😂 I've tried all the previous methods I knew which were not many and been Googling with no luck too

    I'm in the same boat... I successfully bypassed the PS restriction so I was able to get an interactive shell, but when I tried to execute the vulnerability I hit another wall.... Could someone PM me what I am missing?

  • Anyone can help me in private message with a hint? I am working with the first vulnerability with no success... Thanks in advance

  • Hi guys!
    I found that enumeration is the main part of the initial steps, used a big wordlist. Now trying to get RCE but the usual way doesn't work. Can anyone give a hint?

  • Hello,
    I have found some logins and hashed passwords.
    Can anyone give me a hint how to decrypt them?

  • > @c0uldb3 said:
    > Hello,
    > I have found some logins and hashed passwords.
    > Can anyone give me a hint how to decrypt them?

    John or hashcat both work
  • Hi, I have user and pass (pass cracked from hash) and I'm trying to login to 'command prompt' via web but I'm getting error that connection cannot be established, when I try with Metasploit module for same access type, in HTTP response I'm getting 500 error. After reset, I'm getting same error... is something wrong with VM or I'm doing something wrong???

    Arrexel

    |OSCP|OSCE|

  • edited October 2018

    > @deda1mraz said:
    > Hi, I have user and pass (pass cracked from hash) and I'm trying to login to 'command prompt' via web but I'm getting error that connection cannot be established, when I try with Metasploit module for same access type, in HTTP response I'm getting 500 error. After reset, I'm getting same error... is something wrong with VM or I'm doing something wrong???

    You're probably missing a couple specific special characters in front of your username, that's what got me for a while

    --Skunkfoot

  • edited October 2018

    > @Skunkfoot said:
    >
    > > @deda1mraz said:
    > > Hi, I have user and pass (pass cracked from hash) and I'm trying to login to 'command prompt' via web but I'm getting error that connection cannot be established, when I try with Metasploit module for same access type, in HTTP response I'm getting 500 error. After reset, I'm getting same error... is something wrong with VM or I'm doing something wrong???
    >
    > You're probably missing a couple specific special characters in front of your username, that's what got me for a while

    Hm, now it works without any tweaking, just with regular u/n and p/w....

    EDIT: I can log in but when I try to do anything I'm getting "Internal server error" or similar errors....
    EDIT: Now it works fine....

    Arrexel

    |OSCP|OSCE|

  • edited October 2018

    Trying to get root.txt. Found an interesting thing. Created payload exe. But how to trigger this thing? DoS exploit doesn't work. Legitimate thing restarting, doesn't work too.. can anyone give a hint?
    EDIT 1: got root THX @3zculprit for last hint. I was so inattentive..

  • @s073r1k.
    Thanks for your reply.

    Figured out where I did something wrong.

  • edited October 2018

    Finally rooted... Shoutout to nikallass for the hint.

    For all who are struggling for days/weeks like me: think only of PowerShell and its specific commands.

    Many thanks for this machine I learned a lot of new things....

  • Guys, could you pls assist me with generating and delivering malicious file to the victim?
    I have tried different cmdlets and tools, do not work.
    I know that I need to generate a file, then execute that file on the victim and I will receive something that will help me.

  • This was a nice box, learned a lot too!!
    Thanks to @MTOTH for his hints!!! It helped me a lot!
    For privilege escalation all I can say is search for the vuln for the app; once you read about the vuln you will know what to do, but don't focus too much on getting a meterpreter session like I did 😅

  • Thanks to box designer. So nice box. Learn a lot.
    Also, would like to thank @MTOTH and @x00byte for giving a hint regarding rev shell.

  • Ok I was able to read the root flag without actually getting a reverse shell. Can anyone who got a connection PM me?

    Hack The Box

    OSCE | OSCP | CRTE | GPEN | eCPTX | CREST CRT | GDAT | eCPPTv2 | GWAPT | OSWP | ECSA (Practical)

  • edited October 2018

    Where do I go from the obvious injection? xp_******* won't work, how can I get the password hashes everyone is talking about? Tried xp_dir****e too.

    OSCP

  • bruteforce PowerShell webapp using dirbuster wordlist = yay or nay?

  • > @evandrix said:
    > bruteforce PowerShell webapp using dirbuster wordlist = yay or nay?

    nay

    my4andle

  • so the credentials are lying around somewhere waiting to be extracted?

    my enum-fu only turned up r****e and a****t_c****t. follow those rabbit holes, or keep looking elsewhere? i would have hoped for a fileupload transfer.aspx like that other box :/
  • That was a tough box. So glad I got through it

    tobor
    Gods make rules. They don't follow them
