SecNotes

Comments

  • @Elios said:
    Hey guys, anyone else having trouble having a persistent shell (user level)? Mine drops every time after about 20 seconds. Not sure what I'm doing wrong.

    There might be a script that deletes files you upload after a certain time? ;)

  • I got the initial credential but now I am stuck. How do I get a reverse shell? Please give some hints :(

    Arrexel

  • @DataPush3r said:
    I've got creds, and I can save stuff to the server. But I can't get RCE or a shell with any of the methods I've already tried. Can anyone PM with a nudge in the proper direction?

    I am also stuck on the same. What do I need to do next?

    Arrexel

  • I've been stuck on getting a shell to work for a week. I'm guessing you have to rename the shell to one of the files in the directory so it doesn't get deleted, but with any of the ones I try I never see a connection from the server to my laptop in a tcpdump.

  • rooted this one, PM me for a nudge

  • @peacemindlav said:

    @DataPush3r said:
    I've got creds, and I can save stuff to the server. But I can't get RCE or a shell with any of the methods I've already tried. Can anyone PM with a nudge in the proper direction?

    I am also stuck on the same. What do I need to do next?

    Try different shells. ;)

  • Finally rooted, learned new things, really like this one.
    Thanks to the creator.
    Special thanks to @lun3r :)

    Hack The Box

  • edited September 2018

    Feel free to PM for a hint.

    Hack The Box

  • edited September 2018

    Whew. Getting user was fun.

    There's a few rabbit holes for web exploits that should be avoided. The easy to find exploit that would most likely involve social engineering is a rabbit hole. Multiple people have referenced the Nightmare machine so you should start there. Ippsec's video should help. However, don't get hung up on the db. If you get error messages, you're probably going too deep.

    Once you get non-shell access to the thing, if you don't know how to use the service, you probably didn't enumerate enough. Go back to the first scan you did and ask yourself if you checked for everything. After that, it's very straightforward. It's typically the second (sometimes first) thing I do and I totally forgot to do it. Could have saved me a few hours.

    Hopefully I didn't give too much away here. PM me for help on getting user.

  • @p3tj3v said:
    ok.. so logged in on the web page.. pulled some notes..
    connected to a different service where I can read and write files..
    but then what :( probably something basic..
    if anyone can send me a small nudge.. would be much appreciated.

    This is exactly where I am stuck. I can read and write files, but I can't get any shell to execute either :(

    Hack The Box

  • edited September 2018

    I was held up on user due to the fact that my initial Nmap ended prematurely.

    Got root! It was quick and easy once I realized what was going on, and thanks to the hints in this thread.

    I think I got root in a slightly different way, based on the writeups. At least, I used a different file, one that seems to be a more generic part of this Windows feature, and probably required less digging on the system.

    koredump
    If you PM, please include the steps you've already taken. Don't forget to hit the respect button!

  • I cannot believe how many different shells I've tried getting an initial shell. asp, aspx, nishang, empire, etc. Nothing is working, the only different thing I ever get is a 500 error. Anyone with any insight, please PM me.

  • @beginner2010 said:
    Very nice machine. Was overthinking too much for priv esc:)

    Me too. Whenever I see a setup like this, I somehow always assume the worst and focus on more difficult ways of compromise. Nice box.

    gedsic

  • Hi everyone, I finally managed to get the root.txt file (really cool box, had a lot of fun!) but I'm still not satisfied. I got it by logging into a certain service with elevated rights. I still don't feel I've properly rooted the machine though, even if I have the flag, because I only have high privileges when logged into that specific service. Is there a way to get a proper system shell? I feel like I'm missing something... If anyone wants to DM me with pointers I would really appreciate it :)

  • Any hints for entry point? I'm seeing the secnotes page, but nothing for now.

  • @9999volts said:
    Any hints for entry point? I'm seeing the secnotes page, but nothing for now.

    You might want to re-scan the target host. You should find somewhere that accepts user input

  • On privesc, I am getting "Error: 0x8XX7XXX" when running the command. Is that normal?

  • Nevermind :)

  • Great machine, usually I am not so familiar with Windows. Once you have your stuff together, it's pretty straightforward. PM if you need help.

    Hack The Box

  • rooted

    ping me if you struggle :)

  • @royc3r said:
    I've been stuck on getting a shell to work for a week. I'm guessing you have to rename the shell to one of the files in the directory so it doesn't get deleted, but with any of the ones I try I never see a connection from the server to my laptop in a tcpdump.

    Finally got user. As always, more enumeration was required.

  • edited September 2018

    Stuck getting a shell :/ Tried the ways I know and searched a bit more but got nothing...
    Any hint? :)
    Edit: got user and root, was easier than I thought... Don't get bored of enumerating and looking at details... Feel free to PM me if you need help.

  • edited September 2018

    I learned a lot even when I was going the wrong way :)
    Thank you @0xdf.

    sckull

  • Rooted, wow a long way to get the flag :) Trying harder things than the easy way.

  • edited September 2018

    Need help with initial foothold. Dumped the users with hashes. Can someone please pm me?

    EDIT 1: got through! Thanks @Kadi
    EDIT 2: just got root. Thanks to all who helped me out. It is easy if you know what to do.

    Great box @0xdf . A sweet experience once you get there.

  • edited September 2018

    Can somebody PM me? I'm totally lost with privesc.

    EDIT:
    I got root!
    PM me if needed.

    Jugulairel

  • I got root.txt. Has anyone root shelled this box?

    x0xxin

  • @x0xxin said:
    I got root.txt. Has anyone root shelled this box?

    I just managed to get it. Very fun box, root shell not needed but popped for fun. It's probably not the easiest way but some tools were just acting funny against this box - anyone else got it in a nice, clean way? At the moment the way I got root shell is a two-stage process...

    lukeasec

  • edited September 2018

    500 - Internal server error :astonished: :anguished:

    Edit: Got user :sleepy:

    Hack The Box

  • @Ju577Ry said:
    500 - Internal server error :astonished: :anguished:

    Correct your query
