Access - Privilege Escalation

I am brand new to priv esc… any docs, reference links, or blogs on that would be appreciated.

@Senpaisol said:
Hi, I would like to separate the Access Privesc Discussion. Hope this is OK.

@Senpaisol said:
OK, I am losing my ■■■■■■■■ mind. I got one User Account, the Administrator Account and the AUTHORITY\SYSTEM Account and still can’t open the root flag. Is this intentional?

Yes, it’s intentional.

This explains the common reasons you’ll see the behaviour (hint, it’s not a problem with your permissions).

Can anyone give, or PM, a hint on how to actually get admin? I can runas administrator but I’m not able to open a prompt etc.

@prutz said:
Can anyone give, or PM, a hint on how to actually get admin? I can runas administrator but I’m not able to open a prompt etc.

Same boat.

@prutz said:
Can anyone give, or PM, a hint on how to actually get admin? I can runas administrator but I’m not able to open a prompt etc.

You’re almost there, guys. If you carefully read the runas syntax, you will eventually find out what is needed to perform cmd commands.

Finally got it, so many little details are important, thanks everyone!

I get only empty responses on every runas command with the /s******* option. Wonder if there’s something fundamentally wrong in what I’m doing here or am I just missing a detail. Already tried a shittonne of different combinations.

@canyin said:
I get only empty responses on every runas command with the /s******* option. Wonder if there’s something fundamentally wrong in what I’m doing here or am I just missing a detail. Already tried a shittonne of different combinations.

Or maybe you’re not executing the correct exe

For all those who struggle to read the root.txt although they are NT AUTHORITY\SYSTEM or belong to the same group as NT AUTHORITY\SYSTEM: think about what you do as a privileged user on your recent personal Windows desktop/laptop when your system asks something because you are trying to install a new program.

You “just” have to translate it to the (non-interactive) shell you have.

Can someone help me?
I’m stuck after getting user.txt.
Please PM me if you can help.
Thanks a lot.

I got the user.txt but I can’t get the root.txt. I am connected via telnet as the s… user and I can’t get administrator permissions. I tried the runas command but failed. Any help?

@lalala said:
I got the user.txt but I can’t get the root.txt. I am connected via telnet as the s… user and I can’t get administrator permissions. I tried the runas command but failed. Any help?

You are on the right track with the runas command.
Try this command on your computer (or a Win10 VM) and see what the behaviour of this command is.

@rzouzou said:

@lalala said:
I got the user.txt but I can’t get the root.txt. I am connected via telnet as the s… user and I can’t get administrator permissions. I tried the runas command but failed. Any help?

You are on the right track with the runas command.
Try this command on your computer (or a Win10 VM) and see what the behaviour of this command is.

First of all, thank you. I tried it. The problem is that it always asks for the administrator’s password. I don’t know it. Is there a way to bypass the password or must I do something to learn it?

First of all, thank you. I tried it. The problem is that it always asks for the administrator’s password. I don’t know it. Is there a way to bypass the password or must I do something to learn it?

Hint: users are lazy, check what options can be used with this command (/?)

@rzouzou said:

First of all, thank you. I tried it. The problem is that it always asks for the administrator’s password. I don’t know it. Is there a way to bypass the password or must I do something to learn it?

Hint: users are lazy, check what options can be used with this command (/?)

I get access to the administrator folder but now I can’t open root.txt.

Is the Administrator password the one found in the .mdb file?

@nachofm said:
Is the Administrator password the one found in the .mdb file?

I didn’t use a password. I have just run the runas command to enter the administrator directory. Now I can see the root.txt on the desktop but I can’t open it.

OK… I’ve tried r***s with the “lazy” option… it doesn’t prompt for a password so I’m led to think that it’s the correct way… the problem is that neither cmd nor cd nor dir works… it always returns an empty prompt… can anyone enlighten me???

They do work, you just can’t see the output - look into how the command works, because it doesn’t echo its results to the tty. You need to either use it to create a shell or stream the contents of one thing into another.

I officially give up trying to get the root flag with this one. I finally got a r**** command to work, got into the folder to read the flag, whilst working on it, box gets reset. Now the r**** command I used doesn’t work. FML!