SecNotes

@firefly47 said:
I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can’t execute the files (web or .exe) that I upload. Can someone give me a little hint? :slight_smile:

No exploit needed. Think about where you’re uploading your file to, and how you might be able to execute them. Scanning more than just the most common ports might help.
Also, just because this is a Windows box doesn’t mean all it can execute is M$ stuff like .exe files. :tongue:

I was able to identify the double SQL injection and obtain the current database name (SECNOTES) and version.

I was able to obtain the password hash for t****, am I in the right direction? I presume I have to use this to log in?

@nscur0 said:

@firefly47 said:
I found the credentials. After reading the forum I think I have to use some kind of exploit? I tried a dozen, none of them seems to work. I guess the other way is to upload a reverse shell, but I can’t execute the files (web or .exe) that I upload. Can someone give me a little hint? :slight_smile:

No exploit needed. Think about where you’re uploading your file to, and how you might be able to execute them. Scanning more than just the most common ports might help.
Also, just because this is a Windows box doesn’t mean all it can execute is M$ stuff like .exe files. :tongue:

Thank you very much, the hint did it. This is the second time I am not using nmap’s full potential :). Now I’m working on the privesc part. I discovered the “feature”, wasn’t able to read the root.txt yet, but hopefully I’ll get it :slight_smile:

Pwned. Thanks to the creator of the box, learned a couple of new tricks.
Feel free to pm me for help or hints.

I am able to upload files via s** and browse to the webpage on port 8***. However, I can’t get the reverse shell to connect back; I’ve tried aspx and ncat. I’ve uploaded a txt file with the name of i*******, which I can view, but I can’t get anything to execute.

I have identified the technique to access the database and I read database name and a few other things but I am getting the “Something went wrong error”. Can someone PM me hints on refining my technique to extract more info?

I tried using smbexec.py to execute commands on the box; I keep getting an error message. I also tried uploading an aspx rev shell, but to no avail.

I finally got a stable shell and am enumerating the various folders looking for a potential privesc. This certainly is a tricky box.

Ah Rooted!

The answer already there but because didn’t really to focus something different in the command.

Eyes problem lol

Rooted. My hints for this box:

  • first part: use one of the most famous hacking techniques for crafting malicious inputs in web-apps
  • second part: use the “new” service to load your shell
  • third part: look around to see what “new feature” has been added to Windows systems
  • fourth: use that feature to gain root as you would usually do

p.s. the cool thing is that you can perform phases 2 and 4 in a variety of ways

@gregX01 said:
I have identified the technique to access the database and I read database name and a few other things but I am getting the “Something went wrong error”. Can someone PM me hints on refining my technique to extract more info?

I think I’m getting the same thing when I try to inject. Can someone PM me to help me limp along?
Every time I try to inject on the R******r.php page I get “Something went wrong error”. Any hints on how to get past this?

@lordsoahc said:

@gregX01 said:
I have identified the technique to access the database and I read database name and a few other things but I am getting the “Something went wrong error”. Can someone PM me hints on refining my technique to extract more info?

I think I’m getting the same thing when I try to inject. Can someone PM me to help me limp along?
Every time I try to inject on the R******r.php page I get “Something went wrong error”. Any hints on how to get past this?

DM me

Great box. Just rooted. Learned something in order to get user. The root flag was easy for me. I already had the knowledge to do it. BTW, thanks for the box.

Can someone pm me with hints for the user flag? I don’t know how to use sc***.

Just rooted this little beauty. I’ve learned many things. Thank you to the creator of the machine!

PM me if you get stuck. Only specific questions.

Just rooted.
Path to user was pretty frustrating, even though it was so simple.
Path to root was fun. Found it pretty realistic.
Hardest/most annoying part about rooting is figuring out how to get a stable shell.

Hello guys, I’m stuck on the first part.
I’m able to get some usernames and hashes from the database.
Do I need to crack these hashes with h*****t (way too long with my computer) or is there another way to get to the other service?
Any hints?

Hi all, I’m having a lot of 500 errors trying some queries, is this normal? I’m following the track of Nightmare but I’m stuck!! Some advice is welcome… please PM

I just have to say, this is one of the greats! So many shellz.

This is my second box and it is a serious kick in the nuts. Can anyone PM me some hints?