SecNotes

That was fun. I was surprised to find certain credentials in a historical archive which made it more fun to find more or less by accident.

This was a fun box. Thanks to @vasusethia for the subtle hint at the beginning. Spent too long on the first steps trying to enumerate the db and making things more complicated than is actually needed. :facepalm moment for sure. Privesc was fun - wasn’t expecting that on a Windows box… Thanks @0xdf

@xxizocxx said:

@Wainright said:
Hello guys, I passed the web login page and successfully logged in to another service. I can upload and can execute files on the server, even the reverse shell is dropping, but no code is executing. When typing a command and pressing enter, it freezes and closes. Files are disappearing, ok, but even when files are staying on the server, the reverse shell is not working either. I tried lots of commands for 2 days but there are not so many choices for Windows (or I don’t know :frowning: )

Do you have any suggestion/advice?

Same boat as you. :frowning:

Finally rooted, I am replying to my own question :slight_smile:

First of all, I couldn’t find any easy way of getting a reverse shell (lots of people said to try simple ones, but maybe I couldn’t work them out), so I tried my second method. If you CAN’T execute commands which you think should work, then try something different with those tools/commands (I don’t want to give any spoilers)

After getting user, for privesc, it’s the same, like others said I didn’t research new features of the OS, enum enum enum, I just enumerated lots of files in first-look places. Then you can see there is a command that shouldn’t be there. Go on looking for it, you will be surprised when your different commands are working. :smiley: :smiley: :open_mouth:

(I hope that there are not too many spoilers) :wink:

Hi, could anyone PM me? I’m stuck on the secondary service I found… I’ve never tried a Windows machine so I’m a bit new with the service…

Hi, can someone help me? I did enumeration but I didn’t find anything, and I know little about SQL injection

Hi all!

I have rooted this box an unintended way and am now trying to do it as many others did. I have enumerated the new Win10 feature and I have a privileged user who cannot read the root.txt file because the service is running under a non-privileged user. I have been hitting my head on the desk for 2 days, so if someone can give a little hint in private please don’t hesitate…

@MTOTH said:
Hi all!

I have rooted this box an unintended way and am now trying to do it as many others did. I have enumerated the new Win10 feature and I have a privileged user who cannot read the root.txt file because the service is running under a non-privileged user. I have been hitting my head on the desk for 2 days, so if someone can give a little hint in private please don’t hesitate…

Update: Okay, finally I got it after 2 fck’n days… For future me: when you find sth interesting, do basic enumeration and do not overthink it. You can save a lot of time by running basic enumeration scripts before going deep.

For all who are struggling: check the Win10 feature list and play with it. Try different shells if something is not working as expected. Play with it and do basic enumeration!!!

I got the login credentials but now I do not know how to proceed to a reverse shell… can you help me?

Am I the only one where the website takes hours to load because of the bootstrap CDN?

Please give me a hand with the reverse shell on s**c****t… I tried with Metasploit but nothing

I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can’t execute the files (web or .exe) that I upload. Can someone give me a little hint? :slight_smile:

I would appreciate a nudge for this box, I am still struggling with getting an initial foothold. Perhaps I am overthinking this?

@firefly47 said:
I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can’t execute the files (web or .exe) that I upload. Can someone give me a little hint? :slight_smile:

No exploit needed. Think about where you’re uploading your files to, and how you might be able to execute them. Scanning more than just the most common ports might help.
Also, just because this is a Windows box doesn’t mean all it can execute is M$ stuff like .exe files. :tongue:

I was able to identify the double SQL injection and obtain the current database name (SECNOTES) and version.

I was able to obtain the password hash for t****, am I going in the right direction? I presume I have to use this to log in?

@nscur0 said:

@firefly47 said:
I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can’t execute the files (web or .exe) that I upload. Can someone give me a little hint? :slight_smile:

No exploit needed. Think about where you’re uploading your files to, and how you might be able to execute them. Scanning more than just the most common ports might help.
Also, just because this is a Windows box doesn’t mean all it can execute is M$ stuff like .exe files. :tongue:

Thank you very much, the hint did it. This is the second time I am not using nmap’s full potential :). Now I’m working on the privesc part. I discovered the “feature”, wasn’t able to read the root.txt yet, but hopefully I’ll get it :slight_smile:

Pwned. Thanks to the creator of the box, learned a couple of new tricks.
Feel free to PM me for help or hints.

I am able to upload files via s** and browse to the webpage on port 8***. However, I can’t get the reverse shell to connect back, I’ve tried aspx and ncat. I’ve uploaded a txt file with the name of i******* which I can view, but I can’t get anything to execute

I have identified the technique to access the database and I read the database name and a few other things, but I am getting the “Something went wrong” error. Can someone PM me hints on refining my technique to extract more info?

I tried using smbexec.py to execute commands on the box, I keep getting an error message. I also tried uploading an aspx rev shell but to no avail

I finally got a stable shell and am enumerating the various folders looking for a potential privesc, this certainly is a tricky box