SecNotes

<< redacted >>

@evandrix said:

@TheInnocent said:
Rooted. My hints for this box:

  • first part: use one of the most famous hacking techniques for crafting malicious inputs in web-apps
  • second part: use the “new” service to load your shell
  • third part: look around to see what “new feature” has been added to windows systems
  • fourth: use that feature to gain root as you would usually do

p.s. the cool thing is that you can perform phases 2 and 4 in a variety of ways

only seems vulnerable to x*s but not s**i

you won’t see it with s***ap

<< redacted >>

Can someone PM me regarding the initial foothold? I understand the nature of the first vuln, but do not understand why it only works a certain way. Also would appreciate some tips in how to enumerate what I can extract from aside from just the credential I’ve extracted.

Edit: Learned something new about com***ts, apparently sometimes they require a value.

I’m currently stuck at privesc… I know I have to use the ‘new feature’ in W10. Can’t figure out what exactly to use. If someone would like to discuss this, PM me :slight_smile:

To anyone currently doing this box: if you’re getting a 500 internal server error, you DO NOT NEED TO REVERT THE BOX EVERY 2.5 MINUTES.

Fix the thing you’re injecting and then get on with it.

@lukeasec said:

@x0xxin said:
I got root.txt. Has anyone root shelled this box?

I just managed to get it. Very fun box, root shell not needed but popped for fun. It’s probably not the easiest way, but some tools were just acting funny against this box - anyone else got it in a nice, clean way? At the moment, the way I got a root shell is a two-stage process…

There is at least one tool in the impacket library that can be used to get a shell once you know how to get the flag. The version installed in Kali did not work for me. I used the latest release from the git repo: GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.

The way the tool achieves code execution is also a multi-stage process. Quite interesting to inspect the traffic in wireshark when it does its magic.

EDIT: the post was probably misleading. You need administrative access to use the tool. This is not the way to get the flag. Once you know how to read the root flag, you will most likely be able to use it.

Could anyone share a hint on how to use the new feature? I can’t figure out how to work my way around the Windows file permissions with it.

I’m just gonna hit myself hard in the face for not enumerating this dir. Rooted.

Just rooted the box! It was the best priv esc I’ve ever experienced! I loved it! Big thanks to @0xdf for this amazing box!

I was able to obtain the password hash for t**** from the Si***.
I really need help with cracking / continuing from here.
PM me PLZ.

Edit - Got user and root
Thanks a lot to @sixtonspacefly for some good brain hints

Can someone give me a nudge regarding priv esc? I’m definitely missing something here.

There are some absolutely terrible “hints” in this thread. There’s also some “wow amazing privesc!” comments which make me wonder…

There is nothing spectacular about this box. User requires some guesses of exactly what’s installed on the machine to get a reverse shell… and when you get to privesc, you need not venture far beyond the desktop to figure it out.

Also, none of the writeups include an actual shell, but once you have creds, impacket can do it for you.

No brute forcing required, which is a good thing; I think brute forcing is a lazy and wasteful method.

This box is a lot of fun! I was able to grab hashes from “X” using “Y” and have a question on how to move forward. Do I have to crack using graphics card or is there another way? Feel free to PM. Thank you in advance.

NM. I know what to look for.

Can anybody help me? I got a username and hash via Sxxi and tried to log in to Sxx, but it did not work :((. Please suggest a next step :frowning:

Awesome machine, initial foothold took me a while but had to get back to basics and stop trying so hard.

yay, finally got it!

r00ted. I enjoyed this box, but I don’t feel satisfied and would love if one of the more experienced guys could PM me with how they got a stable shell with just the first user. I want to go back through this box with that and see if I can “go back in the past” in a much better fashion.

Like everyone else, I was having issues with files disappearing and having to redo my shell every 5 min. Also had the issue where I could not get it to be interactive with some things. Overall a fun box, though.

Would be glad to have a hint on priv esc

Can someone give me a hint for the initial foothold? I think I know what I am looking for, but I cannot find it.