SecNotes

Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

@0daysru said:

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

Nvm misread your post

Edit: I’m stuck in the same place, got a list of accounts and am attempting to bruteforce :stuck_out_tongue:

Hi guys,
I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

@millerangello said:
Hi guys,
I know the vulnerability and tried to get some information from the database. But when I am putting longer things it is throwing the error and short queries did not give me anything. Searched lots of sources for different syntax, none of them worked. Any ideas?

You’re overthinking. You’re on the right track but keep it simple

In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can’t use it anymore. Do I have to reset the box everytime?

@elio said:
In the first step (web-app) I know which thing I have to use in order to get to the DB but it tells me that that thing has already been used and I can’t use it anymore. Do I have to reset the box everytime?

You can change first part.

@0daysru said:

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

Stuck at the same step :frowning:
Had an idea to find a folder corresponding to share’s n**-s***, but dirb doesn’t help

Maybe this helps:

@starcraftfreak said:
Just an update. Due to the box being bogged down the first few days by massive brute forcing attempts I was never able to do a full scan of the box. Once I did a full scan I found what I needed to gain user.

Then, look for files in n**-s*** you find in other places…

Nice box, thank you @0xdf !

i can’t find RCE :disappointed:
can anyone help

For privesc there’s no need to get reverse shell, just go back in time with the appropriate file in the appropriate directory!

rooted… learned a fair amount, felt like a box of simple loopholes and being lucky with the commands tho.

but not a bad box : ) positive rating

I have users, but nothing else…someone can help me?

EDIT: I got user
EDIT2: Rooted

Hi guys,
I am stuck on the Web App Login because I cannot find any table which provides anything. Enum of all Tables doesnt work either.
Would someone be so kind and provide a hint?

Edit 1:
So I am one step further. Found logon infos for a user which connects two services to each other. I can upload files into a directory but have no idea how to get a shell from there.
Any hints would be appriciated.

Could someone give me a hint on where I should start? I tried enumerating different pages, but cant seem to find anything. Injection also appears be be unfruitful.

Can anyone help me out getting the root flag? I have an interactive shell within the special environment running as root, but it only runs under context of the user starting the process (user.txt user in my case). I think I have carried out all other normal Windows enumeration for privesc and haven’t come up with anything yet… any advice?

EDIT: rooted. I enjoyed the privesc to Admin a lot.

@GetTheGuru I was stuck in the same place for a while. It turns out that what you need is very close. There is another small step before the flag.

Can someone PM me regarding initial errors ?

Nvm that was easy

Nice box, but someone keeps resetting it and it’s completely unnecessary. Also, brute forcing is NOT how you get in this box, neither is blasting it with any tool other than the basic enumeration.

Edit: Rooted. Very clever way of rooting. If you’re stuck, the answers you seek are in front of you.

Very nice machine. Was overthinking too much for priv esc:)