Access - Privilege Escalation

Hi, i would like to separate the Access Privesc Discussion. Hope this is ok.

@Senpaisol said:
Ok i am loosing my god damn mind. I got one User Account , the Administrator Account and the AUTHORITY\SYSTEM Account and still cant open the root flag. Is this intentional?

If you ask for help, show your workings and what you've tried or I won't reply.

«1

Comments

  • Am brand new to priv esc...any docs, reference link, blogs on that would be appreciated
  • @Senpaisol said:
    Hi, i would like to separate the Access Privesc Discussion. Hope this is ok.

    @Senpaisol said:
    Ok i am loosing my god damn mind. I got one User Account , the Administrator Account and the AUTHORITY\SYSTEM Account and still cant open the root flag. Is this intentional?

    Yes, it's intentional.

    https://support.microsoft.com/en-au/help/2623670/access-denied-or-other-errors-when-you-access-or-work-with-files-and-f

    This explains the common reasons you'll see the behaviour (hint, it's not a problem with your permissions).

    blobbo

  • Can anyone give, or PM a hint how to actually get admin? I can runas administrator but Im not able to open a prompt etc.

    prutz

  • @prutz said:
    Can anyone give, or PM a hint how to actually get admin? I can runas administrator but Im not able to open a prompt etc.

    Same boat.

    Vex20k

  • @prutz said:
    Can anyone give, or PM a hint how to actually get admin? I can runas administrator but Im not able to open a prompt etc.

    you're almost there guys, if you read carefully the runas syntax you will eventually find out what is needed to perform cmd commands

  • Finally got it, so many little details are important, thanks everyone!

    prutz

  • I get only empty responses on every runas command with /s******* option. Wonder if there's something fundamentally wrong in what i'm doing here or am i just missing a detail. Already tried shittonne of different combinations.

  • @canyin said:
    I get only empty responses on every runas command with /s******* option. Wonder if there's something fundamentally wrong in what i'm doing here or am i just missing a detail. Already tried shittonne of different combinations.

    Or maybe you're not executing the correct exe

  • For all those who struggle to read the root.txt although they are NT AUTHORITY\SYSTEM or belong to the same group as NT AUTHORITY\SYSTEM: think about what you do as a privilege user on your recent personal Windows desktop/laptop when your system asks something because you are trying to install a new program.

    You "just" have to translate it in the (non interactive) shell you have.

  • Can someone help me?
    I've stuck after getting user.txt.
    Pls, PM me, who can help.
    Thnx a lot.

  • I got the user.txt but i cant get the root.txt . I am connected via telnet in s....... user and i cant take administrator permissions. I tried runas command but failed. Any help?

  • @lalala said:
    I got the user.txt but i cant get the root.txt . I am connected via telnet in s....... user and i cant take administrator permissions. I tried runas command but failed. Any help?

    you are on the right way with the runas command.
    try this command on your computer (or a Win10 VM) and see what's the behaviour of this command

  • @rzouzou said:

    @lalala said:
    I got the user.txt but i cant get the root.txt . I am connected via telnet in s....... user and i cant take administrator permissions. I tried runas command but failed. Any help?

    you are on the right way with the runas command.
    try this command on your computer (or a Win10 VM) and see what's the behaviour of this command

    First of all, thank you. I tried it. The problem is that always ask for administrators's password. I dont know about it. There is a way to bypass the password or i must do something to learn it?

  • First of all, thank you. I tried it. The problem is that always ask for administrators's password. I dont know about it. There is a way to bypass the password or i must do something to learn it?

    Hint : users are lazy, check what options can be used with this command ( /?)

  • @rzouzou said:

    First of all, thank you. I tried it. The problem is that always ask for administrators's password. I dont know about it. There is a way to bypass the password or i must do something to learn it?

    Hint : users are lazy, check what options can be used with this command ( /?)

    I get access in administrator folder but now i cant open root.txt

  • Is the Administrator password the one found in the .mdb file?

  • @nachofm said:
    Is the Administrator password the one found in the .mdb file?

    I didnt use password. I have just run the runas command to enter the administrator directory. Now i can see the root.txt in desktop but i cant open it

  • ok... i've tried r***s with the "lazy" option... it doesn't prompt for password so i'm led to think that it's the correct way... the problem is that neither cmd nor cd or dir works... always return an empty prompt... anyone can illuminate me???

  • They do work, you just cant see the output - look into how the command works, because it doesnt echo its results to the tty. You need to either use it to create a shell or stream the contents of one thing into another.

  • I officially give up trying to get the root flag with this one. I finally got a r**** command to work, got into the folder to read the flag, whilst working on it, box gets reset. Now the r**** command I used doesn't work. FML!

  • I think tip number one is to try the r**** command in a Windows machine to make sure to get the one that works. If you need any help, I'm open to PMs ...

  • one thing that helped me was a reset before working on it, i was stuck for quiet some time, today i did a reset and the same commands that i tried once before, now got me root.

  • ok, i've ownd User, now i'm stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password.. can someone help me in pm?

  • @tulio666 said:
    ok, i've ownd User, now i'm stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password.. can someone help me in pm?

    There is a switch which prevents it from asking. However may still ask even if you have entered a non-existent account.

  • @TazWake said:

    @tulio666 said:
    ok, i've ownd User, now i'm stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password.. can someone help me in pm?

    There is a switch which prevents it from asking. However may still ask even if you have entered a non-existent account.

    can you help me pvt with the command?

  • got it! needed to test the line before on windows then did it perfectly on telnet. Hint to find the r*.t file faster is to use with the branches and leaves of a tree [=

  • i would like some assistants with reading the root.txt ... plz i am losing sleep over it :'(

  • need some help with privesc

  • OK, so, this box...
    User is pretty straight forward. Just check if the file is corrupted or something. Also, there are some online tools to help on reading and stuff.

    Privesc.
    I think the most difficult part is finding the attack vector, but since u are reading the forum, u probably know what to do by now.
    A few tips:
    1. The program asks for a password
    A. Read the program's manual, there is a option to bypass that

    1. The command executes, but doesn't echo its results (no response)
      A. Just use the command to get another shell

    2. Cant read the root.txt
      A. Replace owner on subcontainers and objects

    My 2 cents

  • Still banging my head. It looks like I can run things as an admin user from the tasklist showing things running escalated but I can't look at directories or files as admin. I was able to add the compromised user to the Admins group, even, but no love getting the file.

Sign In or Register to comment.