SecNotes

I just have to say, this is one of the greats! So many shellz.

This is my second box and it is a serious kick in the nuts. Can anyone PM me some hints?

Would greatly appreciate if someone can give me a nudge on how to root (:

Hi! Need a little help, PM me plz. I got a limited shell, I don’t know how I can go further.

EDIT: Rooted! Ty @iamr00t for the help! Nice box!
@ChiefCoolArrow thank you but this was not what I meant. I got a shell as user “i** a*****/n******” and I was struggling to get user but @iamr00t helped me with that. Thanks anyway :)

@Loss420 said:
Hi! Need a little help, PM me plz. I got a limited shell, I don’t know how I can go further.

@Loss420 @Daffyspider
W10 added some cool Linux features recently. Explore what you can do with them.

how on earth are you guys getting stable responsive shells?!

nvm…got it on to privesc!

I am very new to windows… I have some doubts… Can someone pm me for help…

Finally got around to doing this one. Thanks for nudging me to find time today @n8. This was actually a pretty nice box. I had a long night of fun with this one.

Best hints I can give:
Don’t overthink it!
Don’t assume stuff…check.
People have already given all the good ones.

Just rooted this box. Good times, honestly.

I was really frustrated with the initial foothold. I learned a bunch there, and I could have sworn that I tried what ended up working before and it didn’t work, but that’s probably on me. I really liked the initial entry to this machine.

Root was a bit trickier. The solution was simple and there are plenty of hints. The usual actually, enumeration of files and then their contents is key for privesc.

PM me with any questions.

<< redacted >>

@evandrix said:

@TheInnocent said:
Rooted. My hints for this box:

  • first part: use one of the most famous hacking techniques for crafting malicious inputs in web-apps
  • second part: use the “new” service to load your shell
  • third part: look around to see what “new feature” has been added to windows systems
  • fourth: use that feature to gain root as you would usually do

p.s. the cool thing is that you can perform phases 2 and 4 in a variety of ways

only seems vulnerable to x*s but not s**i

you won’t see it with s***ap

<< redacted >>

Can someone PM me regarding the initial foothold? I understand the nature of the first vuln, but do not understand why it only works a certain way. Also would appreciate some tips in how to enumerate what I can extract from aside from just the credential I’ve extracted.

Edit: Learned something new about com***ts, apparently sometimes they require a value.

I’m currently stuck at privesc… I know I have to use the ‘new feature’ in W10. Can’t figure out what exactly to use. If someone would like to discuss this, PM me :)

To anyone currently doing this box, if you’re getting a 500 internal server error you DO NOT NEED TO REVERT THE BOX EVERY 2.5 MINUTES.

Fix the thing you’re injecting and then get on with it.

@lukeasec said:

@x0xxin said:
I got root.txt. Has anyone root shelled this box?

I just managed to get it. Very fun box, root shell not needed but popped for fun. It’s probably not the easiest way but some tools were just acting funny against this box - anyone else got it in a nice, clean way? At the moment the way I got root shell it’s a two stage process…

There is at least one tool in the impacket library that can be used to get a shell once you know how to get the flag. The version installed in kali did not work for me. I used the latest release from the git repo: fortra/impacket on GitHub.

The way the tool achieves code execution is also a multi-stage process. Quite interesting to inspect the traffic in wireshark when it does its magic.

EDIT: the post was probably misleading. You need administrative access to use the tool. This is not the way to get the flag. Once you know how to read the root flag, you will most likely be able to use it.

Could anyone share a hint on how to use the new feature? I can’t figure out how to work my way around the windows file permissions with it.

I’m just gonna hit myself hard in the face for not enumerating this dir. Rooted.

Just rooted the box! It was the best priv esc I’ve ever experienced! I loved it! Big thnx to @0xdf for this amazing box!

I was able to obtain the password hash for t**** from the Si***
I really need help for cracking/continuing from here
PM me PLZ

Edit - Got user and root
Thanks a lot to @sixtonspacefly for some good brain hints