So before people get completely confused - certutil and trying to mount smb shares are not needed.
Now hopefully this isn’t seen as some sort of a spoiler but in general certutil can be used to download a file over http (without the s) and save it locally somewhere. It’s like a wget.
@wilsonnkwan said:
Rooted with tons of help from my bros.
A few pointers…
I didn’t bother to find the equivalent in Linux. I ported the things I got from the initial foothold to Windows to read.
Read and you will get a key to come in.
For privesc, however, you need to know what the sudo equivalent in Windows is and find the sudo -l equivalent as well.
Good luck guys!!!
Great hints. It hasn’t been tough sudo’in in Windows, but I’m not sure how to open an elevated command prompt or indirectly obtain the flag, such as by copying it to temp… All I can seem to do is make the administrator ping myself… I can’t even echo a test word and save it as a text file in temp.
Rooted too, finally. From what I am reading, I think I went some other way. PM me if you want to discuss your approach (not gonna give the solution). For those who rooted, please PM me just so I know what your way was, because I don’t think I managed to root it the way you did.
I am an administrator
I own the administrator folder and all subdirectories and files
I have full permissions to root.txt
I own root.txt
Yet I cannot read root.txt…
What do I not understand about Windows permissions?
Holy ■■■■ this box has been so ■■■■ of interesting. The first time I rooted, I was lucky because I was on the free server. The second time I managed to make it work without the help of others, and it made me learn about runas (guess there is no point in hiding that command at this point) and some nuances about it. After this I read a password-protected write-up and found an even more clever way to use runas to get the root.txt. So yeah, there are plenty of ways to get the root.txt. What started as a super annoying priv esc box ended up being one of my favorite ones. Congrats @egre55
@lordsoahc said:
Any hints after user? Runas is asking for a password, and the password is not known for Administrator. Am I missing something?
Just enumerate all user desktops and you will find the answer…
@all:
I’m wondering why some users encountered problems reading the root.txt file when they were already Administrator. There wasn’t any problem at all for me… Was the machine updated or something?