SecNotes

I got the initial credential but now I am stuck. How do I get a reverse shell? Please give some hints :(

@DataPush3r said:
I’ve got creds, and I can save stuff to the server. But I can’t get RCE or a shell with any of the methods I’ve already tried. Can anyone PM with a nudge in the proper direction?

I am also stuck on the same. What do I need to do next?

I’ve been stuck on getting a shell to work for a week. I’m guessing you have to rename the shell to one of the files in the directory so it doesn’t get deleted, but with any of the ones I try I never see a connection from the server to my laptop in a tcpdump.

Rooted this one, PM me for a nudge.

@peacemindlav said:

@DataPush3r said:
I’ve got creds, and I can save stuff to the server. But I can’t get RCE or a shell with any of the methods I’ve already tried. Can anyone PM with a nudge in the proper direction?

I am also stuck on the same. What do I need to do next?

Try different shells. :wink:

Finally rooted, learned new things, really like this one.
Thanks to the creator.
Special thanks to @lun3r :slight_smile:

Feel free to PM for a hint.

Whew. Getting user was fun.

There’s a few rabbit holes for web exploits that should be avoided. The easy to find exploit that would most likely involve social engineering is a rabbit hole. Multiple people have referenced the Nightmare machine so you should start there. Ippsec’s video should help. However, don’t get hung up on the db. If you get error messages, you’re probably going too deep.

Once you get non-shell access to the thing, if you don’t know how to use the service, you probably didn’t enumerate enough. Go back to the first scan you did and ask yourself if you checked for everything. After that, it’s very straightforward. It’s typically the second (sometimes first) thing I do and I totally forgot to do it. Could have saved me a few hours.

Hopefully I didn’t give too much away here. PM me for help on getting user.

@p3tj3v said:
ok… so logged in on the web page… pulled some notes…
connected to a different service where I can read and write files…
but then what :frowning: probably something basic…
if anyone can send me a small nudge… would be much appreciated.

This is exactly where I am stuck. I can read and write files, but I can’t get any shell to execute either :frowning:

I was held up on user due to the fact that my initial Nmap ended prematurely.

Got root! It was quick and easy once I realized what was going on, and thanks to the hints in this thread.

I think I got root in a slightly different way, based on the writeups. At least, I used a different file, one that seems to be a more generic part of this Windows feature, and probably required less digging on the system.

I cannot believe how many different shells I’ve tried getting an initial shell. asp, aspx, nishang, empire, etc. Nothing is working, the only different thing I ever get is a 500 error. Anyone with any insight, please PM me.

@beginner2010 said:
Very nice machine. Was overthinking too much for priv esc:)

Me too. Whenever I see a setup like this, I somehow always assume the worst and focus on more difficult ways of compromise. Nice box.

Hi everyone, I finally managed to get the root.txt file (really cool box, had a lot of fun!) but I’m still not satisfied. I got it by logging into a certain service with elevated rights. I still don’t feel I’ve properly rooted the machine though, even if I have the flag, because I only have high privileges when logged into that specific service. Is there a way to get a proper system shell? I feel like I’m missing something… If anyone wants to DM me with pointers I would really appreciate it :slight_smile:

Any hints for entry point? I’m seeing secnotes page, but nothing for now.

@9999volts said:
Any hints for entry point? I’m seeing secnotes page, but nothing for now.

You might want to re-scan the target host. You should find somewhere that accepts user input.

On privesc, I am getting “Error: 0x8XX7XXX” when running the command. Is that normal?

Nevermind :slight_smile:

Great machine, usually I am not so familiar with Windows. Once you have your stuff together, it’s pretty straightforward. PM if you need help.

#rooted
ping me if you struggle :slight_smile:

@royc3r said:
I’ve been stuck on getting a shell to work for a week. I’m guessing you have to rename the shell to one of the files in the directory so it doesn’t get deleted, but with any of the ones I try I never see a connection from the server to my laptop in a tcpdump.

Finally got user. As always, more enumeration was required.