Giddy

so the credentials are lying around somewhere waiting to be extracted?

my enum-fu only turned up re and at_c****t. follow those rabbit holes, or keep looking elsewhere? i would have hoped for a fileupload transfer.aspx like that other box :confused:

That was a tough box. So glad I got through it

... has reached the maximum allowed number of sessions per user. To start a new session, the user must first sign out from another session.
does it mean i have to wait/keep trying?

after gaining access to the PSWA console, PE is just a general Windows exploit?

I’m on it also… I need to trigger the exploit…

Per usual, there are a lot of dumb hints in here. Frey’s hint is probably the worst, since it leads you to assume you should enumerate the database by inserting rows. That is just not necessary (and a complete waste of time). The command is relevant only in the way that it initiates communication, not that it enumerates or provides you data.

Privesc is pretty simple. You don’t need to escape the shell at all. Enumerate the folders and find things from the past. You literally get the command to do what you need to do.

All attempts to use an msfvenom payload will fail. You can’t use command line arguments. So what do you do? Make a “simple” something that does only one thing (github has this made for you already)!

The initial foothold was a neat new something. The privesc is run of the mill and easier than user in my opinion.

There are three concepts to understand for user (2 simple, 1 unique) and only one for privesc.

I got a username but I feel stuck on my way to user. What now?

It’s true that payloads created by msfvenom will fail, if used ‘as is’. But there is some sort of ‘post processing’ you can do to make them stealthier. Then it works, this was my method of choice here … and on other Windows boxes that use similar protections.

I learned it from an ippsec video of a HTB box that shares some features with Giddy.

Is there a possibility to get a shell without using MSFVenom and just use a simple binary that works most of the time?

Edit: Able to upload binaries, but somehow not able to execute them

Edit: Binary upload is not required. A nice box. Cheers to the maker

Rooted! Great box, thanks to the creator!
As mentioned above don’t waste time to get reverse shell. Powershell has all needed to trigger your stuff. And of course Enumeration is the key )

Fuckkkk, It was being hard for me. Excellent Box and thanks for this lab I have learned a lot!!!

Snowman418 was right in everything

could someone give me a nudge in the right direction for the initial foothold? i managed to inject something but the information i got out of it was useless. all the stuff i enumerated seems to lead nowhere aside from the one thing where i don’t have credentials for. any help would be greatly appreciated!

That was an awesome box. Privesc ended up being pretty simple, but learnt some more post-exploitation enumeration tricks!

I am stuck with the xp_***, I can’t execute in the where clause. Send me a PM

I need help please!

So I finally got root on this bad boy, thanks for a fun box! I am not 100% sure the way I did it was the intended method however… someone else who’s done it mind pm’ing me to compare methods?

@s4rgey said:
Rooted! Great box, thanks to the creator!
As mentioned above don’t waste time to get reverse shell. Powershell has all needed to trigger your stuff. And of course Enumeration is the key )

what about the suggested exploit as suggested by what’s in front of me (to do with something that’s not where it should be)

Can someone drop me a PM to make sure I’m not way off track. I found a very common vuln and managed to grab some creds from M********** table but not sure how to use them. Don’t want to give spoilers so please DM for more info. Thanks

Rooted, awesome learning :slight_smile:

Feel free to PM me if you are running into problems.