SecNotes

Anyone willing to give small, non-spoiler hints for privilege escalation? I’m a bit of a noob when it comes to Windows and a little lost. Currently going through the filesystem looking for anything that might be useful. Not really noticing much. I DID notice the “odd” folder in the root directory, however.

Hey, any hints on this box? Stuck after login… beginner, my first box attempt.

For privesc, I discovered something weird by accidentally listing everything…
n00bp0tat0

Rooted! Fun little box…

I’ve been struggling with privesc here… I was intrigued by u*****.exe and did some reading on WSL but can’t figure out how to make use of it as a non-privileged user. Am I in the right area or are my efforts better concentrated elsewhere?

ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

@rewks said:
I’ve been struggling with privesc here… I was intrigued by u*****.exe and did some reading on WSL but can’t figure out how to make use of it as a non-privileged user. Am I in the right area or are my efforts better concentrated elsewhere?

Keep digging, there is a way to make it work. Maybe google what you’re trying to run, and in what OS. I found it fairly quickly.

Edit: Fixed the problem and rooted it. It was an issue of using the wrong tool to spawn my connect-back shell. Windows 10 is flakey.

This file might just hint you. Look for other interesting files related to it :wink:

Maybe this could help some people: when you’re using one shell and it’s not working for whatever reason, get a different shell with another tool. There are many options: netcat, ncat, powercat, nishang, etc… I had two different connect-back shells going; when something didn’t work in one, I switched to another. My shells would also get hung from time to time while I was experimenting, so I just sent another over and kept going.

Rooted. Very interesting box, learned heaps by doing it. Happy to provide hints through DM

Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

@0daysru said:

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

Nvm misread your post

Edit: I’m stuck in the same place, got a list of accounts and am attempting to bruteforce :stuck_out_tongue:

Hi guys,
I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

@millerangello said:
Hi guys,
I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

You’re overthinking. You’re on the right track but keep it simple

In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can’t use it anymore. Do I have to reset the box every time?

@elio said:
In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can’t use it anymore. Do I have to reset the box every time?

You can change the first part.

@0daysru said:

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

Maybe this helps:

@starcraftfreak said:
Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

Then, look for files in n**-s*** you find in other places…

Nice box, thank you @0xdf !