Optimum

I successfully owned the user, and I have access to a non-privileged shell.

I'm not asking for the answer but let me know if I'm in the right direction.

To Escalate, am I doing some magic within the non privileged cmd prompt or am I missing an exploit?

Tagged:
«1

Comments

  • Just one hint -> note architecture and use exploit suggester
    Thanks

    CodeNinja

  • I used a well known exploit,twicked a little bit

    d0ppl3r

  • @Sirriachi said:
    I successfully owned the user, and I have access to a non-privileged shell.

    I'm not asking for the answer but let me know if I'm in the right direction.

    To Escalate, am I doing some magic within the non privileged cmd prompt or am I missing an exploit?

    I struggled at the beginning to escalate privilege.. but I had to open my eyes as I was looking at it all the time.
    Now, you have a non-privileged shell --> know the architecture and you'll find the exploit under your nose.

    All the best my friend :)

    DedSecK

  • I've been stuck at this privilege escalation piece for a couple days now. I've used the Windows Exploit Suggester and just haven't found the right exploit. Sounds like this is the right path though.

  • The trick is this: Make sure you are working with the right architecture from BEGINNING TO END. That's the part that got me stuck. BEGINNING TO END. Good luck. :)

    likwidsec

  • Ok so after several hours struggling with the escalation I learn an important lesson: PAY ATTENTION TO THE ARCHITECTURE

    Giga

  • Ok so i think i found the right exploit using the windows exploit suggester and compiled it according to the architecture in use. Still nothing. What am i missing here? Is it something with the initial low priv shell?

  • Perhaps the wrong call back IP? Also reverting the box never hurts, some privesc's aren't reliable when ran multiple times.

  • edited October 2017

    if you are using metasploit check this:

    meterpreter > sysinfo
    Computer : OPTIMUM
    OS : Windows 2012 R2 (Build 9600).
    Architecture : x64
    System Language : el_GR
    Domain : HTB
    Logged On Users : 97
    Meterpreter : x64/windows <--------------*

    Anyway, there is a much better exploit than what most people use for Optimum. It doesn't create so many problems. I will write about this in a few days when Optimum will be retired.

  • yup ensure ..correct arch

  • can anybody tell me how to own system

  • can anybody tell me how to own system

  • I've been stuck on this for two days too. Does the meterpreter session have to be x64 arch too??

  • edited October 2017

    Everything (targets, sessions, payloads) have to be x64 arch. But keep in mind that -even if you do everything correctly- the specific exploit doesn't function as it should in some metasploit configurations. You can always search for alternative exploits.

  • try using something simple ( there is recon plugin that can help you )

  • edited October 2017

    ok, so i've tried Removed Spoilers and
    still no success. Am I along the right lines with any of these? P.S i've gotten user access
    I just need to escalate. Thanks for the help again

  • edited October 2017

    @sniper1777 said:
    ok, so i've tried Removed Spoilers and
    still no success. Am I along the right lines with any of these? P.S i've gotten user access
    I just need to escalate. Thanks for the help again

    Im still really struggling with this i've tried the Removed Spoilers as an x64 powershell module imported then ran Removed Spoilers, which says success you have achieved system, however it doesn't actually work :/. I'm using X64 meterpreter session too any rough help??

  • edited October 2017

    @sniper1777 said:

    @sniper1777 said:
    ok, so i've tried Removed Spoilers and
    still no success. Am I along the right lines with any of these? P.S i've gotten user access
    I just need to escalate. Thanks for the help again

    Im still really struggling with this i've tried the Removed Spoilers as an x64 powershell module imported then ran Removed Spoilers, which says success you have achieved system, however it doesn't actually work :/. I'm using X64 meterpreter session too any rough help??

    I am also stuck at the exact same place... :(

    Hack The Box

  • edited October 2017

    @briyani said:

    @sniper1777 said:

    @sniper1777 said:
    ok, so i've tried Removed Spoilers and
    still no success. Am I along the right lines with any of these? P.S i've gotten user access
    I just need to escalate. Thanks for the help again

    Im still really struggling with this i've tried the Removed Spoilersas an x64 powershell module imported then ran Removed Spoilers, which says success you have achieved system, however it doesn't actually work :/. I'm using X64 meterpreter session too any rough help??

    I am also stuck at the exact same place... :(

    Finally done it, I know how frustrating it can get, Look up Removed: Spoilers. Thank god for that two solid days it's taken!

    P.S I hope i'm allowed to post these hints, delete if inappropriate admin.

  • Hi guys, I have followed all your recommendations, I have the session on the right architecture but once I run the port recon it doesn't show up any compatible plugging. any clue which will help to to escalate my privilege?

  • To own the optimum you should be good at code review.
    hint:
    1} Know what exploit does
    2} Change what's needed
    3} Run exploit on machine
    4} Bingooo..!!! you own the machine
    :)

    B0rN2R00T

  • Thanks guys, I was using the right post/exploit but wrong arch. Lesson learned!

  • i'm not sure what i was doing wrong, i got system few seconds ago with the same exploit, same arch, same payload that i was trying at the begin for two days with no success :/

  • edited October 2017

    Sometimes, you have to reset the box for an exploit to work because the machine is in a altered state (from previous exploits applied by other users).

  • Optimum is a fun simple machine to start with, get all the information about it jump on google and boom, what you need is there modify it and run the bad boy.

  • hey there! i'm totally stuck with this one. like so many others, i easily managed to own the user but can't figure out how to escalate privs. the problem is i can't even confirm if i'm on the right track since my meterpreter sessions always dies when running local exploits. i gave the exploit suggester a shot but the session dies before it finishes, so i'm basically down to trial and error. can someone gimme a hint on how to get my session stable? i'm aware of the x64 arch and stuck to x64 payloads and exploits, but to no avail.

  • edited October 2017

    @horrorshow1984 said:
    hey there! i'm totally stuck with this one. like so many others, i easily managed to own the user but can't figure out how to escalate privs. the problem is i can't even confirm if i'm on the right track since my meterpreter sessions always dies when running local exploits. i gave the exploit suggester a shot but the session dies before it finishes, so i'm basically down to trial and error. can someone gimme a hint on how to get my session stable? i'm aware of the x64 arch and stuck to x64 payloads and exploits, but to no avail.

    if you are using proper x64 payload,meterpreter and exploit, everything will be perfect and it will work like a charm. If you still cant do it, I suggest you try harder more and PM me then ;)

    Hack The Box

  • alright, thanks! i'm trying yet another approach which looks quite promising so far

  • So, I'm stuck with priv escalation. I tried by myself and it always got stuck, so went and checked the video from ippsec and the writeup and using metasploit it always get stuck with exploit completed, but no session created? what can i do?

  • Just rooted it. Easy user, but I struggled the entire day with privesc... TBH, the solution blew my mind.

    Arrexel

Sign In to comment.