SecNotes

13468914

Comments

  • Getting the basic info was pretty easy. But after that I was stuck for hours when I forgot an option in the first thing I do in my basic enumeration. After that it was very straight forward to get user, but I'm still stuck at the privesc. Spend hours on it, trying multiple things. Some hints are very welcome!

    Xitro

  • Can someone help me with a hint by pm, is secnotes app vulnerable? Where to focus?
  • Nice machine. For privesc hint... don't overthink it, there is pretty easy way of getting it. Just think about two things - not that old windows feature which wasn't available in earlier windows versions + basic enumeration you do once you figure out first thing :-)

  • As mentioned before, root is pretty strait forward, once you discover the feature, which was just added to Windows 10. You don't have to execute it - think about it..

    OSCP


    0x23b

  • I got a nc reverse shell but with this shell I can't execute interactive commands (as the one I think I need to run to privesc). So, how could I upgrade it to a interactive shell ?

  • edited September 2018

    @RawTables said:
    I got a nc reverse shell but with this shell I can't execute interactive commands (as the one I think I need to run to privesc). So, how could I upgrade it to a interactive shell ?

    I think this is basically one of the problems I encounter getting privesc. Almost everything I try is not functioning.
    Edit: I'm a bit further with this, you have to find a certain exe. Just basically run it from anywhere. It might throw an error but just ignore, it won't give any feedback and will look like it hangs.
    EDIT: Finally got it after hours.. pfff what a box. Weird way to get the flag tho. Basic Linux enumeration but you have to think outside the box.

    Xitro

  • The user flag was easy but rooting this is a pain. I'm root on the box but cannot get to the flag. I feel I'm really close and I'm missing one thing. Can anyone PM some pointers?

  • @jbob said:
    The user flag was easy but rooting this is a pain. I'm root on the box but cannot get to the flag. I feel I'm really close and I'm missing one thing. Can anyone PM some pointers?

    Rooted! That was a not a Priv Esc I was expecting . Thanks @lun3r and thanks @0xdf for creating this fun yet frustrating box. Learnt a lot of ways in how not to get the flag.

  • Maybe someone can give me a hint for the *** Inj****n on the login page. I think there is a little mistake in the syntax. Please PM or i'm on the wrong path?

  • I got credentials but not sure where to apply them to get shell. Any hint? please PM

  • Rooted! What a fun machine this was!

  • edited September 2018

    Wow, what a great machine! Really fun stuff. I love that there's no plug and play exploits or anything like that, it's almost entirely critical thinking and reading key files.

    ADMINS: Please remove any part of this that may contain spoilers. Thanks.

    For those struggling:

    Initial foothold: After you do your initial scan, while you're messing around, make sure you run a more complete scan in the background. It might just turn something up that your first scan didn't.

    Next step: There's some really good cheat sheets out there cheat sheets out there. One of IppSec's past videos alludes to the vulnerability, but this one is much simpler and you don't have to go nearly as in depth. Once you get in, just look around. Everything you need is right in front of you, can't stress that enough. Start with the basics.

    Now maybe you can use what you found to gain access to a running service. Notice that there's not much here. If you're confused, ask for help and read through the responses. See what you're allowed to do.

    Once you figure that out, you can try to get a simple RCE script running. Just like in other boxes, RCE will usually allow you to enumerate certain parts of the filesystem, and potentially even run commands on the system. Just remember to hurry up, or think of a way you can make your new situation less temporary.

    Once you get stable access, the rest is actually really easy, although it might not seem like it at first. Some of the hints in this thread are spot on: Notice the interesting directory? Think about what that means. If you were running that program as a user, that would give you different available programs, right? Maybe looking around for some of the more important or common ones will help you find what you need.

    Once you find the "long" filepath, enumerate, enumerate, enumerate! Just like you would for any other system! That should be everything you need. You don't need to run any programs once you gain access or anything like that.

    You can PM me, but if you do, your questions better be well thought-out and I expect to see what you've been trying, otherwise how will I know how to help guide you? No more of this 'plz help me I need it just tell me how' crap. :)

    EDIT: First PM after writing this: "SecNotes help logged in but dont know what to do"

    Guys. This is NOT how you ask for help.

    --Skunkfoot

  • Any one willing to PM about gain access to the box. I was able to find a set of credentials and I see something that can be used to look in some directories. After that I am lost. I am not sure how to get a reverse shell or be able to look around better.
  • Rooted! Very nice box.
    Tip on priv esc: basic (linux) enumeration is key. Look for the past, not the present.

  • Can anybode gave a hint to find out in which directory the server executes the upload? :) dirb and dirbuster find no additional directory :/

  • Make sure your port scan is complete

    --Skunkfoot

  • @Skunkfoot said:
    Wow, what a great machine! Really fun stuff. I love that there's no plug and play exploits or anything like that, it's almost entirely critical thinking and reading key files.

    The best hint!!! I use only the last part, but very good hint

  • Does anyone know why the box returns a very specific error (like 0x.....) when doing the very action needed to priv esc?

    blobbo

  • anyone currently doing this box pm me

  • edited September 2018

    Great one.
    It is worth to mention (again) that no bruteforcing nor exploits were needed.
    Feel free to ask for subtle hints.

    Edit. it took me much more time than it should, to sum up it was quite an easy one... i needed to get educated a little.

  • I'm having trouble with the initial foothold. I've watched the ippsec video and tried to replicate the technique but not having any success. I've even modified the tamper script for this box but that's not working either. Can someone toss me some help via DM?

  • I have a shell, but I'm completely lost. I tried to see if I can use the new things available in Win10, but no successs.... need help!

  • @royc3r said:

    @royc3r said:
    I've been stuck on getting a shell to work for a week. im guessing you have to rename the shell to one of the files in the directory so it doesnt get deleted but any of the ones i try i never see a connection from the server to my laptop in a tcpdump.

    finally got user. as always more enumeration was required.

    took a few days off to think about root....i was close but stuck and frustrated...figured it out today...the hints in this thread helped for sure....great box that is relevant today!

  • Could use a hint here - got creds and logged in but stuck with where to pursue next. PMs much appreciated :)

    Disloquer

  • Hello guys,
    Can anybody give me a hint regarding reverse shell?
    I found a user. Logged in to the service. However, do not know how to execute shell.
    Thanks in advance.

  • Do a full port scan. If you can get RCE, you can use that to run programs potentially. But Windows doesn't have netcat, right? Fix that. :)

    --Skunkfoot

  • Great box, user was straight forward. Took me a while to know where to look after, but @Everlastdg pointed me where to look and got root 5 mins after. Great box and unique way of getting root!

  • Hello,
    I have found some ***.exe. Have executed the file and got root. However, still cannot open Administrator directory and cannot find the file with the flag.
    Search command with "root.txt, administrator.txt"did not bring me positive results.

  • Definitely, got the root.
    Really great box. Spent almost 5 days. 100 % enjoyed the box.
    I would like to thank @Everlastdg and @Skunkfoot for not providing too much information about the hint. Learned a lot.

  • @c0uldb3 said:
    Hello,
    I have found some ***.exe. Have executed the file and got root. However, still cannot open Administrator directory and cannot find the file with the flag.
    Search command with "root.txt, administrator.txt"did not bring me positive results.

    can you plz give a hint , i stuck at the same place

Sign In to comment.