SecNotes

Just rooted this little beauty. I’ve learned many things. Thank you to the creator of the machine!

PM me if you get stuck. Only specific questions.

Just rooted.
Path to user was pretty frustrating, even though it was so simple.
Path to root was fun. Found it pretty realistic.
Hardest/most annoying part about rooting is figuring out how to get a stable shell.

Hello guys, I’m stuck on the first part.
I’m able to get some usernames and hashes from the database.
Do I need to crack these hashes with h*****t (way too long with my computer) or is there another way to get to the other service?
Any hints?

Hi all, I’m having a lot of 500 errors trying some queries, is this normal? I’m following the track of Nightmare but I’m stuck!! Some advice is welcome… please PM

I just have to say, this is one of the greats! So many shellz.

This is my second box and it is a serious kick in the nuts. Can anyone PM me some hints?

Would greatly appreciate if someone can give me a nudge on how to root (:

Hi! Need a little help, PM me please. I got a limited shell and I don’t know how I can go further.

EDIT: Rooted! Ty @iamr00t for the help! Nice box!
@ChiefCoolArrow thank you, but this was not what I meant. I got a shell as user “i** a*****/n******” and I was struggling to get user, but @iamr00t helped me with that. Thanks anyway :slight_smile:

@Loss420 said:
Hi! Need a little help, PM me please. I got a limited shell and I don’t know how I can go further.

@Loss420 @Daffyspider
W10 added some cool Linux features recently. Explore what you can do with them.

How on earth are you guys getting stable responsive shells?!

nvm…got it on to privesc!

I am very new to Windows… I have some doubts… Can someone PM me for help…

Finally got around to doing this one. Thanks for nudging me to find time today @n8. This was actually a pretty nice box. I had a long night of fun with this one.

Best hints I can give:
Don’t overthink it!
Don’t assume stuff…check.
People have already given all the good ones.

Just rooted this box. Good times, honestly.

I was really frustrated with the initial foothold. I learned a bunch there, and I could have sworn that I tried what ended up working before and it didn’t work, but that’s probably on me. I really liked the initial entry to this machine.

Root was a bit trickier. The solution was simple and there are plenty of hints. The usual actually, enumeration of files and then their contents is key for privesc.

PM me with any questions.

<< redacted >>

@evandrix said:

@TheInnocent said:
Rooted. My hints for this box:

  • first part: use one of the most famous hacking techniques for crafting malicious inputs in web-apps
  • second part: use the “new” service to load your shell
  • third part: look around to see what “new feature” has been added to Windows systems
  • fourth: use that feature to gain root as you would usually do

p.s. the cool thing is that you can perform phases 2 and 4 in a variety of ways

only seems vulnerable to x*s but not s**i

you won’t see it with s***ap

<< redacted >>

Can someone PM me regarding the initial foothold? I understand the nature of the first vuln, but do not understand why it only works a certain way. Also would appreciate some tips in how to enumerate what I can extract from aside from just the credential I’ve extracted.

Edit: Learned something new about com***ts, apparently sometimes they require a value.

I’m currently stuck at privesc… I know I have to use the ‘new feature’ in W10. Can’t figure out what exactly to use. If someone would like to discuss this, PM me :slight_smile:

To anyone currently doing this box: if you’re getting a 500 internal server error, you DO NOT NEED TO REVERT THE BOX EVERY 2.5 MINUTES.

Fix the thing you’re injecting and then get on with it.

@lukeasec said:

@x0xxin said:
I got root.txt. Has anyone root shelled this box?

I just managed to get it. Very fun box, root shell not needed but popped for fun. It’s probably not the easiest way, but some tools were just acting funny against this box. Anyone else got it in a nice, clean way? At the moment, the way I got root shell is a two-stage process…

There is at least one tool in the impacket library that can be used to get a shell once you know how to get the flag. The version installed in Kali did not work for me. I used the latest release from the git repo: GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.

The way the tool achieves code execution is also a multi-stage process. Quite interesting to inspect the traffic in Wireshark when it does its magic.

EDIT: the post was probably misleading. You need administrative access to use the tool. This is not the way to get the flag. Once you know how to read the root flag, you will most likely be able to use it.