Access

So before people get completely confused - certutil and trying to mount smb shares are not needed.

Now hopefully this isn’t seen as some sort of a spoiler but in general certutil can be used to download a file over http (without the s) and save it locally somewhere. It’s like a wget.

ignore this

Rooted with tons of help from my bros.

A few pointers…

  1. I didn’t bother to find the equivalent in linux. I ported the things i got from the initial foothold to windows to read.
    Read and you will get a key to come in.
  2. Privesc however need to know what is the sudo equivalent in windows and find the sudo -l equivalent as well.

Goodluck guys!!!

@wilsonnkwan said:
Rooted with tons of help from my bros.

A few pointers…

  1. I didn’t bother to find the equivalent in linux. I ported the things i got from the initial foothold to windows to read.
    Read and you will get a key to come in.
  2. Privesc however need to know what is the sudo equivalent in windows and find the sudo -l equivalent as well.

Goodluck guys!!!

great hints, it hasnt been tough sudo’in in windows, but im not sure how to open an elevated command prompt or indirectly obtain the flag, such as by copying it to temp… all i can seem to do is make the administrator ping myself… cant even echo a test word and save as text file in temp

rooted too finally, from what I am reading i think i went some other way. PM me if u want to discuss(not gonna give the solution) of your aproach. For those who rooted, please pm me just so I know what was your way, because i don’t think i managed to root it the way you did

Was able to obtain root.txt however I am not able to read the file yet, can anyone PM me a hint?

I am an administrator
I own the administrator folder and all subdirectories and files
I have full permissions to root.txt
i own root.txt
yet i can not read root.txt…
what do i not understand about windows permissions?

Update: rooted. This was not a permissions issue.

edit : got user since u get all the docs u know what to do ! :slight_smile:

I’m a bit lost at what to do after user. Would anyone be so kind to give a little nudge?

Me too. I’m not good with Windows boxes, any hints where I can continue would be great help. thx!

I own user…

I’m having the hardest time trying to root. Any tips? Tried everything on this board. Can’t figure out the hinted command here. Still needs PW :frowning:

@rlfonseca said:

@flexkid said:

@fasetto said:
You can read without evolution as well.

I tried to use str*** but It’s just junk data

either someone messed with it, something went wrong with the download or u need to read it closely again

facts

Any hits after user? Runas is asking for password. and password is not known for Administratotr. am i missing something?

Holy ■■■■ this box has been so ■■■■ of interesting, first time i rooted, i was lucky because i was on the free server. Second time I managed to make it work without help of the others and made me learn about the runas(guess there is no point on hiding that command at this point) and some nuances about it. After this i read an write-up password protected and found a even more clever way to use runas to get the root.txt. So yeah, there are plenty of ways to get the root.txt. What started as an super annoying priv esc box ended up being one of my favorite ones. congratz @egre55

@TazWake said:

@n1b1ru said:

@n1b1ru said:
It’s a silly question. How did you upload files ??? I used ftp and pyftpdlib with no success, so weird.

Just silliest… SMB and impacket

You got SMB to work?

yep.

@rlfonseca said:

You should read about certutil

I didn’t know it. Anyway I’m not so experienced in Windows system. Thnx

@n1b1ru np. Always glad to help

@lordsoahc said:
Any hits after user? Runas is asking for password. and password is not known for Administratotr. am i missing something?

Just enumerate all user desktops and you will find the answer…

@all:
I’m wondering why some users encountered problems reading the root.txt file, when they were already Administrator. There wasn’t any problem at all to me… Was the machine updated or something?

Pwned it. Thanks for the tips in thread. Cool machine, learnt a thing or two. Thanks @egre55