Giddy


Comments

  • edited November 2018

    ... has reached the maximum allowed number of sessions per user. To start a new session, the user must first sign out from another session.
    does it mean i have to wait/keep trying?

  • after gaining access to the PSWA console, PE is just a general Windows exploit?

  • I'm on it also... I need to trigger the exploit...

    ompamo

  • edited November 2018

    Per usual, there are a lot of dumb hints in here. Frey's hint is probably the worst, since it leads you to assume you should enumerate the database by inserting rows. That is just not necessary (and a complete waste of time). The command is relevant only in the way that it initiates communication, not that it enumerates or provides you data.

    Privesc is pretty simple. You don't need to escape the shell at all. Enumerate the folders and find things from the past. You literally get the command to do what you need to do.

    All attempts to use an msfvenom payload will fail. You can't use command line arguments. So what do you do? Make a "simple" something that does only one thing (github has this made for you already)!

    The initial foothold was a neat new something. The privesc is run of the mill and easier than user in my opinion.

    There are three concepts to understand for user (2 simple, 1 unique) and only one for privesc.

  • I got a username but I feel stuck on my way to user. What now?

  • It's true that payloads created by msfvenom will fail, if used 'as is'. But there is some sort of 'post processing' you can do to make them stealthier. Then it works, this was my method of choice here ... and on other Windows boxes that use similar protections.

    I learned it from an ippsec video of a HTB box that shares some features with Giddy.

  • edited November 2018

    Is there a possibility to get a shell without using MSFVenom and just use a simple binary that works most of the times

    Edit: Able to upload binaries, but somehow not able to execute them

    Edit: Binary upload is not required. A nice box. Cheers to the maker

    pzylence
    OSCP

  • Rooted! Great box, thanks to the creator!
    As mentioned above don't waste time to get reverse shell. Powershell has all needed to trigger your stuff. And of course Enumeration is the key )

  • Fuckkkk, It was being hard for me. Excellent Box and thanks for this lab I have learned a lot!!!

    Snowman418 was right in everything

  • could someone give me a nudge in the right direction for the initial foothold? i managed to inject something but the information i got out of it was useless. all the stuff i enumerated seems to lead nowhere aside from the one thing where i don't have credentials for. any help would be greatly appreciated!

  • That was an awesome box. Privesc ended up being pretty simple, but learnt some more post-exploitation enumeration tricks!

  • edited November 2018

    I am stuck with the xp_***, I can't execute in the where clause. Send me a PM

  • I need help please !

  • So i finally got root on this bad boy, thanks for a fun box! I am not 100% sure the way I did it was the intended method however.... someone else who's done it mind pm'ing me to compare methods?

  • @s4rgey said:
    Rooted! Great box, thanks to the creator!
    As mentioned above don't waste time to get reverse shell. Powershell has all needed to trigger your stuff. And of course Enumeration is the key )

    what about the suggested exploit as suggested by what's in front of me (to do with something that's not where it should be)

  • Can someone drop me a PM to make sure I'm not way off track. I found a very common vuln and managed to grab some creds from M********** table but not sure how to use them. Don't want to give spoilers so please DM for more info. Thanks

  • Rooted , awesome learning :)

  • Feel free to PM me if you are running into problems.

  • Great machine! I learned a lot on this one, used a lot of new tools..... Probably one of my favorite machines so far....

  • @TheBull369 said:
    Great machine! I learned a lot on this one, used a lot of new tools..... Probably one of my favorite machines so far....

    Indeed, great machine. Many thanks to @lkys37en for it.
    And @snowman418 for pointing to the right direction.

    scorp1o

  • Vista and SuperiorCard ... love it

    LegendarySpork


  • Does priv esc require a restart? My current user isn't allowed to do this. I therefore wonder if I'm off track.

  • I found this to be very useful once you have an idea of the PE vector (and if you are a complete noob to powershell like I was 24 hours ago) https://www.youtube.com/watch?v=IHrGresKu2w

  • edited December 2018

    Solved. Now onto root.

  • did something change on this box?
    my notes of how I rooted no longer work.
    can i PM someone to give details, so as not to spoil in this forum thread?

  • Can i PM someone for a hint regarding the root flag ?

  • Stuck on root flag, anyone available to PM for nudge?

  • edited December 2018

    Rooted. That took a little work, a bit of creativity, a lot of basic enumeration and headscratching but all the hints are pointing in the direction you need to go. Google and searchsploit on anything unusual you see. You don't need to spin up a separate Windows box. Thanks to snowman418 for keeping me pointed in the right direction.

    LegendarySpork


  • Could someone please provide me tips on initial foothold? Currently trying to use one of OWASP vulns, but not really making any progress in this direction. Can't really seem to get any response out, except for errors so I know it is a valid way forward.

  • @linkerslv I used dirb but not with the common wordlist, then you should find an OWASP Vuln which should lead to more Information... Someone want to talk about Priv. Esc? I'm really close but missing something, maybe I'm just overthinking
