Reel

Got initial shell, I think I know more or less where I should go but no luck. Any hint, please?

@dodo said:
I managed to privesc from tom to ****** using the *****view to enable some commands and modify a property for the ****** user as tom.

But now I’m stuck…again :disappointed: :smiley:

Thanks! I was trying to do the same but with other tools. I used *****view and it worked :dizzy:

Hi,
Could anyone PM me a foothold about this box? I found a few ports open, and I tried to exploit these ports by using metaxxxx but I failed, and I also tried some other exploits for these ports, but they also failed. Then, I have no idea what I need to do…

Thank you.

Hmm, I’ve enumerated and have read some files and I am now researching what I see. Is this box attackable from Kali or do you need to be on a Windows machine? (PM would be helpful)

@LegendarySpork not necessary to be on a Windows machine, with Kali you can do everything you need.

I originally thought so but suddenly felt uncertain … Kali has (or you can apt-get) loads of excellent tools for working with Windows, a few of which I have already used to get to this point. Thanks!

Give a hint about a privilege escalation from tom, please! I see that there’s a pentest tool, but I can’t run it. Any hint, please, on how to move to the next step? Thanks in advance!

Hey guys, after owning several easier boxes I decided to try something slightly more difficult, because what’s the point if you don’t advance, right!? Well… Stuck pretty early on here, but found some interesting stuff that surely is relevant at some point, and another service I’m having a tough time enumerating, which I feel is my way to initiate a foothold. If anyone has time for a PM I’d really appreciate it! Just looking for some general advice.

Edit:
I think I actually found what I was looking for after reading more closely some docs available to me, hopefully now I can use that other service to get that delivered :v

@dodo said:
I managed to privesc from tom to ****** using the *****view to enable some commands and modify a property for the ****** user as tom.

But now I’m stuck…again :disappointed: :smiley:

I’m stuck at this same point. Anyone I can DM about it?

Never mind, I got it. Feel free to DM me.

Hi,

I need a bit of help with this machine. I discovered the service which possibly could be running on the machine and I also know how to connect to it. But I am unable to figure out how to exploit this particular service.

I googled a lot and found everywhere that it requires credentials to log in to the machine. I checked the configuration file as well, but it also does not contain enough info to land somewhere.

I have done a lot of Linux machines previously but not Windows so far. This is just the second Windows machine I am doing. So, I don’t know much about PowerShell commands and other Windows exploitation techniques. Any help will be appreciated.

Has anyone managed the first step without the m-tool? I’ve got user reliably but I’d like to be able to do it manually. It seems straightforward enough and I’m pretty close, just failing on the very last bit.

So, I’m t** now, when I import ‘The file’ it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM

@Wubalubadubdub said:
So, I’m t** now, when I import ‘The file’ it says bad JSON in BH and does nothing. What am I missing on that one? Feel free to DM

Happened to me too. Be sure the file is transferred correctly (I happened to miss a few bytes). Compute and compare checksums.

I’m stuck at priv esc, if anyone can DM me, please do. Thanks

I guess I’m the only idiot here because I can’t get initial foothold at all… I see SMTP, I see the files, I have an idea of what to do but it doesn’t seem to be working so I guess it’s the wrong way?

@christo There is an exploit … it’s hinted at in this discussion - to be exploited using a stand-alone script or an exploitation framework or a combination of those.

If you have problems sending the payload … use the ‘normal client’ a user would use. (Saying this as I did not get it to work typing SMTP commands … ).

What I found was that sometimes the payload indeed did not ‘explode’ though I always followed the same process… and sometimes the shell was very stable and came back to me for days. It helped to start over with the same method but using a different file name.

@chickenbit said:
So I’ve hit a bit of a wall on this one. I’ve managed to make it a ways in until I had control over the b***********s object, but it doesn’t seem that one actually controls anything/has any real permissions. At least not that I can see. Is that object useful, or did I go down the wrong path?

I was stuck at exactly this point for an embarrassingly long time though or because I found the escalation path through the objects rather straight-forward … and I did not even use ‘exploit tools’ for ‘doing the escalation’, but only built-in Microsoft command line tools. (The report provided is of course useful, and I ran the recon tools again not to miss something … but I nearly looked at every interesting object ‘manually’ anyway. )

But then I simply failed to see what I am able to do with the ‘privileges’ I got … due to some small error / oversight … and went down some hilarious rabbit holes related to even more super obscure objects in that ‘directory’. So I guess my hint is rather: Don’t overthink it - at every step of escalation, check what you can do in a rather down-to-earth way.

I think I know what service to exploit but I can’t get to the service… can’t someone help out?