Access

Thanks @TazWake for the alternative approach!

@blobbo said:
If your file is corrupted, make sure your transfer mode was set to BINARY.

Thx

@technion said:

@TazWake said:

@iainpbsec said:
I’ve managed to get the root flag copied into another file by using ru*** and a quick script, but I can’t read that file either or change its permissions.

Copying it might not be the best approach.

I’ve just popped root, but I’m not happy with it because I don’t follow this.

Can anyone elaborate on why this is the case? I can copy the file to my own user desktop directory and run takeown.exe and still can’t access the file. I can’t replicate that on any of my own servers. If it’s in a directory you own, I’ve always been able to do this.

There has to be something special on this server, you’ll probably need to PM to avoid spoilers.

I believe it has to do with permissions of the file being retained when you copy from/to the same volume in Windows. It depends on how you are trying to open it; if you’re just in telnet, your options are limited.

edit: interesting box. By far the easiest, except for the corrupt files (binary or otherwise) that were a real pain. It seemed like a SANS challenge, “download a weird file and figure out the right program to install on your Kali box to view it”

Kind of stoked, I was able to get user on this machine in under an hour :slight_smile: Lots of creds, lots of info…now root!

@flexkid said:

@0xlc said:

@flexkid said:

@0xlc said:

@flexkid said:
I have the .pst file any hint for the next step?

open it :sweat_smile:

Yes, but how? xd I tried but nothing. I also imported on Windows.

I am on Linux, I just imported in Evolution

Same, I installed in Evolution but it did not load the file

Anyone not familiar with PST, there are utilities in Linux that allow you to parse these right from the shell, FYI. WAY easier than screwing around with a mail client.

I can run the r**s command, formatted similarly to the example so I don’t get prompted for credentials. I have a few pages of commands I have tried, but I can’t seem to find the right approach. Any help would be appreciated, this is my first active box I got access (lol) on, but I can’t make the leap to privesc. I think I need some help to knock some ideas loose. NOT looking for an answer, would prefer someone ask me the right question.

I need help, can someone PM me with some hints? I’m stuck with run__ command to get to the root.

Finally got root.txt. Thx for @Tree and @Ahm3dH3sham help!!!

@sayyeah said:
Finally got root.txt. Thx for @Tree and @Ahm3dH3sham help!!!

You’re welcome :wink:

Finally rooted the machine, special thanks to @TazWake @jackshd @TheJ0k3r :slight_smile:

Anyone who is interested in helping me out, got user etc. I have a clue what to do, but can’t get it working or it’s totally wrong.

Can anyone give me some tips? I have user.txt and I know I need to do something with priv escalation but only done that once on Linux, not Windows. If anyone can give me some tips in the right direction it would be great.

Sorry for the stupid question, I am new to hacking and trying to learn some new stuff.

I connected to the target machine via ftp. Any hint how to continue?

Can I pm someone to have some tips please. Thanks

@r0pSteev said:

@jamesa said:
For everyone having trouble with runas…

Let’s imagine you’re a lazy sysadmin, and repeating the same action over and over becomes tedious - what do you do? If you check the runas man page you should see a parameter that will help with the laziness :slight_smile:

Runas - Run under a different user account - Windows CMD - SS64.com

When you think you’ve found it, try to ping yourself.

Let’s call this the ‘Eureka Hint’

Ping will save you a lot of time. Thanks buddy

Anyone care to help me out…have initial access, have some questions about other creds I’ve found

I don’t seem able to browse directories in the f** service - constantly getting ‘550 Data channel timed out’. From the comments, other people have been able to access files this way - can you just browse to the files in a standard client, or is there an enumeration technique I’m missing?

@570b0r said:
I can run the r**s command, formatted similarly to the example so I don’t get prompted for credentials. I have a few pages of commands I have tried, but I can’t seem to find the right approach. Any help would be appreciated, this is my first active box I got access (lol) on, but I can’t make the leap to privesc. I think I need some help to knock some ideas loose. NOT looking for an answer, would prefer someone ask me the right question.

You will lose A LOT of time trying to figure out the rs command using tt because you can’t see the output to figure out what you are doing wrong. I STRONGLY advise you to install a Windows virtual machine and test your command first there. You need maybe 15 min to complete your command and get root.txt

@nofunofunofun said:

You will lose A LOT of time trying to figure out the rs command using tt because you can’t see the output to figure out what you are doing wrong. I STRONGLY advise you to install a Windows virtual machine and test your command first there. You need maybe 15 min to complete your command and get root.txt

I wasted probably an hour or more trying out different things blindly, fired up a Win10 VM and figured out a number of commands in about 20 minutes.

Hey so I got root a while back, and was even able to make myself SYSTEM. But I couldn’t figure out why I couldn’t access the file as SYSTEM, and instead had to do that funky command to read the file. I experimented with ACLs, but to no avail. Anyone here that can give some insight on this?