Giddy

Trying to get root.txt. Found an interesting thing. Created a payload exe. But how to trigger this thing? The DoS exploit doesn't work. Restarting the legitimate thing doesn't work either… Can anyone give a hint?
EDIT 1: Got root. Thanks @3zculprit for the last hint. I was so inattentive…

@s073r1k, thanks for your reply.

Figured out where I did something wrong.

Finally rooted… Shoutout to nikallass for the hint.

For all who are struggling for days/weeks like me: think only of PowerShell and its specific commands.

Many thanks for this machine, I learned a lot of new things…

Guys, could you please assist me with generating and delivering a malicious file to the victim?
I have tried different cmdlets and tools; they do not work.
I know that I need to generate a file, then execute that file on the victim, and I will receive something that will help me.

This was a nice box, learned a lot too!!
Thanks to @MTOTH for his hints!!! They helped me a lot!
For privilege escalation, all I can say is: search for the vuln in the app. Once you read about the vuln you will know what to do, but don't focus too much on getting a Meterpreter session like I did.

Thanks to the box designer. Such a nice box. Learned a lot.
Also, I would like to thank @MTOTH and @x00byte for giving a hint regarding the rev shell.

Ok I was able to read the root flag without actually getting a reverse shell. Can anyone who got a connection PM me?

Where do I go from the obvious injection? xp_******* won't work; how can I get the password hashes everyone is talking about? Tried xp_dir****e too.

Brute-force the PowerShell web app using the DirBuster wordlist: yay or nay?

@evandrix said:
Brute-force the PowerShell web app using the DirBuster wordlist: yay or nay?

nay

So the credentials are lying around somewhere waiting to be extracted?

My enum-fu only turned up re and at_c****t. Follow those rabbit holes, or keep looking elsewhere? I would have hoped for a file-upload transfer.aspx like that other box :confused:

That was a tough box. So glad I got through it

"... has reached the maximum allowed number of sessions per user. To start a new session, the user must first sign out from another session."
Does it mean I have to wait/keep trying?

After gaining access to the PSWA console, is PE just a general Windows exploit?

I’m on it also… I need to trigger the exploit…

Per usual, there are a lot of dumb hints in here. Frey's hint is probably the worst, since it leads you to assume you should enumerate the database by inserting rows. That is just not necessary (and a complete waste of time). The command is relevant only in the way that it initiates communication, not that it enumerates or provides you with data.

Privesc is pretty simple. You don’t need to escape the shell at all. Enumerate the folders and find things from the past. You literally get the command to do what you need to do.

All attempts to use an msfvenom payload will fail. You can't use command-line arguments. So what do you do? Make a "simple" something that does only one thing (GitHub has this made for you already)!

The initial foothold was a neat new something. The privesc is run of the mill and easier than user in my opinion.

There are three concepts to understand for user (2 simple, 1 unique) and only one for privesc.

I got a username but I feel stuck on my way to user. What now?

It's true that payloads created by msfvenom will fail if used 'as is'. But there is some sort of 'post-processing' you can do to make them stealthier. Then it works; this was my method of choice here … and on other Windows boxes that use similar protections.

I learned it from an IppSec video of an HTB box that shares some features with Giddy.

Is there a possibility to get a shell without using msfvenom, just using a simple binary that works most of the time?

Edit: Able to upload binaries, but somehow not able to execute them.

Edit: Binary upload is not required. A nice box. Cheers to the maker.

Rooted! Great box, thanks to the creator!
As mentioned above, don't waste time trying to get a reverse shell. PowerShell has everything needed to trigger your stuff. And of course enumeration is the key )