Comments
The AV bypass is a pain in the butt, any hints on how to do it would be great!
Hi, new user here, trying to learn, I found a user name and a password, but having difficulty from here, does anyone have a walkthrough they could PM?
Many thanks.
I'm stuck on the e-W**** syntax I think. I have the r and I have the W***** but no matter how I format the command, it doesn't show me any love. Tried on standard and non-standard ports with -i 10.10.10.169 -u \r*** -p 'W*******' -P (for any non-standard port). Being a Windows guy, I'm trying to do this all from my Linux box so I can force myself to learn, but I never quite know what is case sensitive and what requires the '
@LaughingGhoul you need the password to be inside single quotes 'password' when it contains characters that the Linux shell bash interprets as commands. Like that last char on that. Your problem is not the pw though!
¯\_(ツ)_/¯
TBH honest I'm surprised that the AV actually does NOT catch it, I would have expected it to analyze any file the second the OS is opening it, whatever its location or incoming channel... if someone has some details on that I'd be interested to know.
eCPPT | OSCP
YES!! Finally rooted this guy. Interesting path of attack.
Some hints:
For user, enumerate users and their details, then think outside of the box...
For root, find the other user credentials, see what this guy can do and google what you really want to accomplish with the discovered info.
0xdaff, thanks. I've actually been using DOMAIN\user after the -u and thought I had tried them all. I'm thinking I'll go pop it with my Windows box and then come back once I know the correct u/p and work on the syntax.
appreciate the tip
Still looking for the second password... any tips?
edit - Got it! thanks @ssklash
Any advice on the second user's creds? I've seen all the hints here but no luck. I know the root exploitation path, but not without the other user's creds. A PM'd hint would be appreciated!
Edit: Nevermind, found what I was looking for.
I get booted from my e**l-w****m shell every other command and then can't get back in for a few minutes. Therefore I cannot search around for the 2nd user creds.
Is this to do with box stability or is there a better shell to use? I'm on VIP and it's pretty much unusable.
When loading that which one builds, is it loaded locally or UNC?
Fun box with like a real AD pentest feeling. I learned a very cool trick that I am gonna remember forever and utilize it whenever I get a red team engagement.
Hints:-
User:- Enum and poke on all the ports. You will find some info and think about how less security-savvy users think once the Sysadmin creates their account. That's it. Overthinking will kill your progress. So keep it simple.
Root:- A technique every pentester/red teamer should have up their sleeve. I recommend reading a lot of offensive security blogs not just for this box but for the entire skill development.
PM for nudges!
Finally got root!
That was a damn of a ride.
User and foothold are a snap. If you've done Forest, then you already have everything you need to go ahead.
enumerate, enumerate and remember that networks and servers are used by human beings.
You eventually will see something strange...that's the key of everything, but going ahead is not a piece of cake, because the usual tools are almost useless...
If you are (like I am) one of the worst and less experienced coders on earth, you'll have hard times to find something that may help you, but eventually something can be retrieved.
But yet it's not done, because you still may have to tweak it a little bit...
echo start dumb.bat > dumb.bat && dumb.bat
doh!
Hi! I've read your comments and hints and just got w***m access with m****** user. Could someone help me to reach the next step? Thanks.
PS: if the hint needs to be specific send me a PM!
another fantastic box from @egre55 !
User was easy. If the password didn't work, it is not necessarily that someone has changed it
Think harder here.
Root was fun
Make sure to not touch the machine
OSCE | OSCP | CRTE | GPEN | eCPTX | CREST CRT | GDAT | eCPPTv2 | GWAPT | OSWP | ECSA (Practical)
Type your comment> @maurelio said:
Look where all begins and remember that even if you don't see something, this does not mean that there's nothing...
echo start dumb.bat > dumb.bat && dumb.bat
doh!
I am stuck on restarting the service. Anything returns Access Denied. Can anyone help me?
edit: np, solved!
Wow, I had no idea evil existed. Enum was pretty easy.
Finally got root. Big thanks to @bertalting @Ninjacoder @tekkenpc for all your assistance, big respect!
Rooted, pm me for nudges
Can I have a hint?
I have username and password.
Is there any way to get shell without evil-winrm?
I'm stuck on pulling the dll by the service. Can anyone help me?
Can anyone help me on AV B****s?
Type your comment> @Fr3nZy said:
I have had the very same issue with both the imp***** and sa***. I suppose it's related to smb version used in win-to-*nix process comms, but I'd not put a dime on that.
In any case, I opted for the path of least resistance and I found a way to deploy a local pl...next time I'll try with a Windows box to check if my assumptions on smb are correct...
echo start dumb.bat > dumb.bat && dumb.bat
doh!
For me it was a no-go. To elude the AV I had to avoid whatever ms***** package...
echo start dumb.bat > dumb.bat && dumb.bat
doh!
I get an error on my **B ****er:
TreeConnectAndX not found **.ll
when trying to pull the *ll to the target.
Google has failed me. Any ideas?