Official Atom Discussion

Comments

  • Shooted. :P Dm for any help. :)

    Eat-Sleep-Shit-Repeat Security
    kragle
    If I helped you, you may +1 with respect

  • I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modifications to my .y** file. Any nudges? Feel free to PM.

  • @s00ner said:

    I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modifications to my .y** file. Any nudges? Feel free to PM.

    try to use m********r payload created with msfvenom

  • edited May 14

    try to use m********r payload created with msfvenom

    That's what I've been trying (among other payloads) with no luck so far.

    *edit: I figured it out. I was missing a flag in msfvenom the whole time.

  • Took me forever to get the initial foothold since I was trying to copy an article a bit too much. Getting to root was relatively smooth after I fixed how I was asking for information from the other service. Feel free to message me for a nudge!

  • So my listener is picking up the connection after pushing the *.y**, but no response after that :/ Anyone else run into this?

  • Growing increasingly frustrated with this box. I checked with several people who have gained a foothold on what to do, and the method I’m employing seems to be correct (using the l*****.y***). Just like @3xxu5, I can see the requests coming into my server, but no response. Tried multiple payloads, multiple methods and even several computers - none work.

    Any help with this box would be greatly appreciated. Perhaps I’m missing something… DM-me if you think you can help?

  • edited June 7

    Rooted!!... That was the hardest medium box I have ever done...The user was quite obvious after the right google search tho but the root was a pain.

    Initial foothold/User

    • Portable Document Format files can give you a lot of information
    • Sometimes following the exact same thing you see may not be useful...Play with it a bit...See where the real vulnerability is

    Root

    • Go back to your scans...See what services may use passwords.
    • If you download a movie, where would it be saved?

    Hope these hints would help you a bit. If you need help, DM me. I will try to get you on track.

    Hack The Box

  • Finally got user ... this took SO much fiddling for me. I knew exactly what the exploit was but all these different little details were killing me.

    LegendarySpork

  • Rooted !

    User : basic scanning and enumeration will tell you what to do and what to look for,
    you will find something which will give some information to further go on.

    Root : look for the installed applications/application files and the opened ports,
    connect these two, you may find a way.

    DM me for nudges

  • edited June 18

    finally rooted! user was honestly a lot harder than root imo, since the steps to it are pretty vague.

    User/foothold: Enumerate like how you usually would, at some point you should stumble across something that will vaguely point you in the right direction. Now do some google fu. If you're like me, make sure not to be lazy at reading and researching, you'll only waste your time if you copy something without understanding it.

    root: Enumerate the target machine as usual. You might stumble across something that will give you deja vu. If not, look at what's being used on the machine, and what ports are open, and google some stuff again. Once you connect the dots, privesc is pretty straightforward and is the easier part of this box imo.

  • After a painfully long time I finally rooted it. A lot of it has to do with the fact that this is the first windows box I've attempted in months, but it's still fairly difficult if you're unaware of what you're supposed to be looking for.

    Tips for user: This one came to me fairly quickly, not sure if it was blind luck or what but it's fairly easy to come by during your usual enumeration checklist. It may seem like a far reach to begin with, but doing a bit of googling will show you exactly what you need. In my case it was the first search result.

    Tips for root: Honestly, without a sanity check from a helpful user I probably would've ignored this or left it until last. As previous people have mentioned, this service is sending outbound connections, that information tied with a short winpeas search will hopefully give you all you need. It may take you a hot minute to figure out what to do with what you find from that service, but enumerating some common places in the user folder will lead you to your answer.

    Hack The Box

  • Hello everyone,

    I'm stuck on the foothold and would appreciate some help... I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
    I'm using m**v***m to generate the payload and use m***i/h*****r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports, I don't know what to do anymore :neutral:
    (I'm using the flags -p, -f, -o (and -e when encoding))

    Would any of you know what could be the cause?

    Thank you and happy hacking!

  • Hi,

    I just got user and I was having the same issues as you about the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.

    If still stuck let me know.

    Pepe

    pp123

  • edited June 23

    @Netpal said:

    Hello everyone,

    I'm stuck on the foothold and would appreciate some help... I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
    I'm using m**v***m to generate the payload and use m***i/h*****r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports, I don't know what to do anymore :neutral:
    (I'm using the flags -p, -f, -o (and -e when encoding))

    Would any of you know what could be the cause?

    Thank you and happy hacking!

    When getting the foothold, you may have to play with the .**l file a bit. Don't just follow the POC. Understand what the real vulnerability is. Then make your own exploit. Remember what a "null byte" is and that you have to remove bytes like them.

    If you get stuck DM me.

    Hack The Box

  • edited June 25

    @pp123 said:
    Hi,

    I just got user and I was having the same issues as you about the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.

    If still stuck let me know.

    Pepe

    Hi @pp123 , thank you for your answer! Well, I've been following the article from the start :confused: ... My file contains a " ' " in its name, as indicated in the article. I also tried to exclude bad characters from the payload as suggested by @kavigihan , but it doesn't work either.

    I'm starting to wonder if the issue could come from Metasploit, because I had warnings when using m**v***m (due to a recent ruby gems update I think). I resolved those warnings by tinkering with commands, but there may still be a problem...

    At this point I'd be grateful if someone could just PM me their command to generate the payload.

    Thank you!

    Edit: I got it :smiley: It worked with another payload... I was blindly following advice to use a meterpreter one, but it worked with another one!

  • Hey everyone!

    I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

    I finally found a command that works, but I ask out of curiosity. Prior to finding that command, I tried various Powershell and "normal" Windows commands containing quotes in them and they all crashed my reverse shell (Session manipulation failed: Unmatched double quote). Do you guys know why?

    Also, what .exe do you use? I just tried with x64 but it doesn't work (that's what I used in my msf***** payload).

    Thanks!

  • edited June 25

    @Netpal said:

    Edit: I got it :smiley: It worked with another payload... I was blindly following advice to use a meterpreter one, but it worked with another one!

    I got it working with a meterpreter payload.

    I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

    I didn't upload WinPEAS but I had a meterpreter shell and could just use the upload option.

    There are a lot of ways you can send data to boxes though:

    • powershell
    • curl
    • LOLBAS
    • SMB

    (Session manipulation failed: Unmatched double quote). Do you guys know why?

    Sounds a bit like a typo in the command, possibly failing to escape something.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    Hi @TazWake, thank you for your answer :)

    @Netpal said:

    Edit: I got it :smiley: It worked with another payload... I was blindly following advice to use a meterpreter one, but it worked with another one!

    I got it working with a meterpreter payload.

    That's weird, I tried several different options and couldn't get it to work... I'll try again and see if it works...

    I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

    I didn't upload WinPEAS but I had a meterpreter shell and could just use the upload option.

    Ah right, I forgot we could do that with Meterpreter...

    There are a lot of ways you can send data to boxes though:

    • powershell
    • curl
    • LOLBAS
    • SMB

    I didn't know about LOLBAS, thank you for the info. In my case HTTP was the easiest way of doing it, but I'll try the other options you mentioned.

    (Session manipulation failed: Unmatched double quote). Do you guys know why?

    Sounds a bit like a typo in the command, possibly failing to escape something.

    You might be right, however I found those commands in articles explaining file transfers from Kali to Windows, so it's weird it doesn't work.

    Have a nice day!

  • got user and root. Fun machine :)

  • GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

  • @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    user done!
    But holyy how slowly works this machine wtf

  • edited July 6

    @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    stuck at same phase any help ???

  • @pagal said:

    @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    stuck at same phase any help ???

    Read the POC, understand where the real vulnerability lies. Don't just copy and paste... Build your own one..DM if you are stuck

  • Rooted!
    Very cool machine to make, I love Windows machines and the experience gained when trying to hack.

    User: List and use google to find interesting things.
    Careful when creating the pieces necessary for exploration, I hit my head and lost hours due to lack of attention.

    Root: First time I make a machine where it's easier than the user.

    Feel free to send PM in case of help, if I don't respond immediately you can call me on the telegram @WhoamiAlves


    Rooted!
    Very cool machine to do, I love Windows machines and the experience gained when trying to hack.

    User: Enumerate and use Google to find interesting things.
    Be careful when creating the pieces needed for exploitation; I banged my head and lost hours for lack of attention.

    Root: First time I do a machine where it is easier than user.

    Feel free to send a PM if you need help; if I don't respond immediately you can reach me on Telegram @WhoamiAlves

    RecifePOXA!

    Hack The Box

  • Rooted, Heaps of good info in this thread. Pretty finicky machine for user and root needs you to put a couple of things together

    DM if you need a push

  • Finally rooted! Man I made mistakes with this one :D

  • @k01n said:

    @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    user done!
    But holyy how slowly works this machine wtf

    exactly how slowly? I've been waiting for about a half-hour. My M*********r session opens and closes, and the .**l file has been ingested.

  • @dobrocat said:

    @k01n said:

    @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    user done!
    But holyy how slowly works this machine wtf

    exactly how slowly? I've been waiting for about a half-hour. My M*********r session opens and closes, and the .**l file has been ingested.

    Yeah me too mate, every command that I write it took like 10 secs to execute. If I try to download something with powershell it's impossible because never end the download... I don't know what's wrong with this machine

  • @k01n said:

    @dobrocat said:

    @k01n said:

    @k01n said:

    GET /l*****.**l HTTP/1.1" 200
    But never spawns my reverse shell...
    Any help?

    user done!
    But holyy how slowly works this machine wtf

    exactly how slowly? I've been waiting for about a half-hour. My M*********r session opens and closes, and the .**l file has been ingested.

    Yeah me too mate, every command that I write it took like 10 secs to execute. If I try to download something with powershell it's impossible because never end the download... I don't know what's wrong with this machine

    Cheers. It's gotten worse ten hours later. I think this box is getting hammered by folks trying to get it before it retires tomorrow. Reckon I'll move on and forget about this one for points and CPEs. Onward!

    Thanks for replying.
