Giddy

Comments

  • trying for so long..but not able to find the proper syntax for xp_d*****.

  • edited December 2018

    nvm got it with full shell and completely on linux :) If someone wants to connect from linux to ps web console this one is for you https://blog.quickbreach.io/ps-remote-from-linux-to-windows/

    Edit: There are two possibilities to interact with the vulnerable service for priv esc ;-)

  • @saketsourav said:
    trying for so long..but not able to find the proper syntax for xp_d*****.

    Same boat, somebody able to give me a little push in the right direction?
    Many thanks !

  • edited January 2019

    I got a s** inje***** on mvc... is it useful or a complete waste of time? I didn't find any creds yet here. Only a bin file. Neither privileges to get output from an os shell by a s** statement. I'd appreciate it if someone could PM me

  • Greetings from Greece!!
    I am still in the initial foothold, I've used sql-in****** on mvc, found all the db's, 2 users and 1 pass and passwordsalt but I can't crack it, any help would be appreciated!!
    Thank you!

  • @manick69 said:
    Greetings from Greece!!
    I am still in the initial foothold, I've used sql-in****** on mvc, found all the db's, 2 users and 1 pass and passwordsalt but I can't crack it, any help would be appreciated!!
    Thank you!

    Use John the Ripper with a word list that is widely used in Kali Linux; it will not take more than 5 minutes to decipher it

  • edited January 2019

    Could somebody help me please? I found the vid in the users folder. I found the exploit for it. But there is a task****.exe by default. That file should not exist according to the exploit… I reverted the machine but it is still there. I cannot delete it because of running processes. Permission denied when I try to stop the process...

  • Anyone willing to DM me discussing sqli???? In addition to the exposed path I've managed to get an actual user in traditional 'DOMAIN\USER' form as well as only 1 table name, but I'm at a standstill now, running out of ideas to try, gonna dig some more and read some more injection sources.... would be nice to bounce ideas off someone....

    -Keep Learning
  • @zauxzaux said:
    Anyone willing to DM me discussing sqli????

    check pm

  • edited January 2019

    I don't know what happened. Suddenly my approach started working as I wanted from the beginning. “rooted” / “Administered” or whatever it is called in Windows environment. I think there were too many ppl trying to do the same..

  • Initial Foothold
    The user's part was really confusing, I lost a lot of time doing useless things, some clues of the thread as some say can be misinterpreted, to begin with you should list as usual and exploit one of the most common vulnerabilities of OWASP Top

    User
    This is where they mention the use of xp_d*****e, it is also important to have knowledge of a new service that you do not see in Nmap, it is difficult to say more without spoiler, nevertheless I had to search a lot about xp_d*****e to combine two services and manage to exploit them ... The rest is to use JTR and follow your instinct.

    Administrator
    The root part was easier, but I was also losing time with PS, the most important track is in the first directory, look it up in Google, when you know what to do keep in mind that if you already exploited a service you can take advantage of it again and not break head in more complex things...

  • Ok... so finally figured out how to start/stop services... but no dice...smh wtf lol

    -Keep Learning
  • edited January 2019

    -

    -Keep Learning
  • Anyone that didn’t get system by uploading a payload to target wanna DM me? I’m curious how it was done without this as this was the only way I was willing to get root... fun box for sure
    -Keep Learning
  • Stuck on the web access :( "Auth Fail......verifiy you are auth to conn....".

    I have the login details but no joy....please help me lol

  • @zauxzaux said:
    Anyone willing to DM me discussing sqli???? In addition to the exposed path I've managed to get an actual user in traditional 'DOMAIN\USER' form as well as only 1 table name, but I'm at a standstill now, running out of ideas to try, gonna dig some more and read some more injection sources.... would be nice to bounce ideas off someone....

    I can't even get this far, there seems to be length limiting or something, I can't figure it out..

  • @umby24 this messed me up for a while, but the mistake was trying to get too much information out of it, which can be a rabbit hole... you should be focused on how you might be able to execute a command via that injection and how that might be useful... if you don't know the tech behind it you'll get stuck for hours... DM if you need a nudge.

    -Keep Learning
  • @zauxzaux said:
    @umby24 this messed me up for a while, but the mistake was trying to get too much information out of it, which can be a rabbit hole... you should be focused on how you might be able to execute a command via that injection and how that might be useful... if you don't know the tech behind it you'll get stuck for hours... DM if you need a nudge.

    I knew the tech, I just didn't enumerate fully.

    Took a couple of hours after getting user, but I got root!

  • edited January 2019
    Could someone please PM me and provide me with some resources to read for the PowerShell segment of this box?
    As I am struggling to escalate privileges.
    Any help is appreciated!
    Thanks in advance.
  • I really enjoyed this box and learnt some valuable lessons along the way. Many thanks to @lkys37en for a great learning experience.

    Initial foothold:

    Enumeration was the key, upon discovering the right area you can search for a new bicycle tire (perhaps yours had been punctured?).

    User:

    Using a common method should reveal some interesting information. Something you see can guide you on the right path but you must go out of band and understand how to respond to the situation. If you get lucky with your research (as I did) a familiar four legged friend (with the help of a little bird) can show you the way. I imagine this was intended(?) and if so was a great lesson concerning the importance of reconnaissance.

    After obtaining the desired information hashcat is your friend and you can use the result to access a different service. There are plenty of guides about how to access the service online and don't be discouraged if your login attempts fail at first, you just need to deal with how the creds need to be entered.

    Admin:

    Once in, the clue needed for privesc is in front of you.

    I wanted an admin reverse shell using the exploit as I wanted to practice some evasion techniques. It is indeed helpful (although not strictly necessary) to have a Windows VM available for testing if you do this and some trial and error with different tools may be required. https://developer.microsoft.com/en-us/windows/downloads/virtual-machines

    I read that some people managed to achieve privesc without uploading anything. If anyone who did this is willing to share please could you DM me. If anybody wants to discuss techniques or needs a sanity check then I'm happy to help in DM. I hope there are no obvious spoilers in the above but if you have got this far into the thread then most of what I have said has already been covered.

  • @gongol nice wording... I was curious about the lack of upload as well; haven't heard from anyone about this... methinks it's BS

    -Keep Learning
  • I'm partially through the initial foothold. I've found some services, the MVC and a way to get information out. Hints here seem to refer to the use of SPs to get RCE. This isn't working for me however. Something wrong with my syntax, or maybe I'm exploiting the wrong endpoint. A DM and some nudges are welcome!

  • edited January 2019

    Rooted! I really liked this box. Great mix of paths, common/realistic exploits and rabbit holes. A good Windows box that no one should need meterpreter or any other msf post exploit modules for.
    I would add this to an OSCP-like list for anyone gearing up for that. Granted it's a more modern OS, but the techniques are universal and it's good Windows practice.
    It can be completed 100% from Kali with the right tools.

  • Is the 500 normal when trying to gain an initial foothold? Or am I just too dumb to use my tools correctly? I'd appreciate a hint.

    Arguing with strangers over the internet since 1848

  • @dmaendlen said:
    Is the 500 normal when trying to gain an initial foothold? Or am I just too dumb to use my tools correctly? I'd appreciate a hint.

    If you're referring to the P* page - then yes, that's normal. Check the error message displayed, which should give you an idea on what to do next.

  • @clmtn said:
    If you're referring to the P* page - then yes, that's normal. Check the error message displayed, which should give you an idea on what to do next.

    I know the vuln and I'm actively trying to exploit it. The thing is, the tool I'm using usually gives up citing too many 500 errors.

    Sorry for phrasing it a bit vague but I'd like to avoid spoiling it for others, even though most of the thread doesn't care about that, obviously. :(

    Arguing with strangers over the internet since 1848

  • Cool box, was able to learn a lot of things, got user and root.
    PM me if you have questions.

  • Hi, I'm working on giddy for the last 3 days. I was able to do sqli with un*** s*****, gather some info, username st**y, db name I***c***n, etc, now on to shell xp_c******l. Some folks here also mention xp_d******. Appreciate any hints on which way I should go.
    thx

  • Got System. IMO this is one of the best machines.

  • I am stuck. I'm still not able to stop or start or even list any services. This is required to run my exploit. Can anyone help?
