SecNotes

r00ted. I enjoyed this box, but I don’t feel satisfied and would love if one of the more experienced guys could PM me with how they got a stable shell with just the first user. I want to go back through this box with that and see if I can “go back in the past” in a much better fashion.

Like everyone else, I was having issues with files disappearing and having to redo my shell every 5 min. Also had the issue where I could not get it to be interactive with some things. Overall fun box, though.

Would be glad to have a hint on priv esc

Can someone give me a hint for the initial foothold? I think I know what I am looking for, but I cannot find it.

Anyone, please PM me. I found some creds and I have an idea how to go on, but I am missing something. I need a hint.
Edit: Got it…just needed another nmap scan -,-

Could someone give me some hints on the first foothold? I don’t have much so far. I haven’t managed to pull off any SQL injection. I watched IppSec’s video on the Night**** box, but that didn’t seem to be applicable in my situation. I’ve tried enumerating s*b ports. Also, on the higher-level port my dirbuster didn’t find anything. Thanks! Someone give me a bump in the right direction and I’ll be off!

@Underworld said:
Could someone give me some hints on the first foothold? I don’t have much so far. I haven’t managed to pull off any SQL injection. I watched IppSec’s video on the Night**** box, but that didn’t seem to be applicable in my situation. I’ve tried enumerating s*b ports. Also, on the higher-level port my dirbuster didn’t find anything. Thanks! Someone give me a bump in the right direction and I’ll be off!

PM me

Rooted ! Thanks @sixtonspacefly for the hint !
PM me for hints

Anyone help ? I am stuck

Finally r00ted :smiley: thanks @n0tAVirus @publicist for the help regarding root part !
I really enjoyed this machine though I hated it in the beginning lol
pm If you need help :slight_smile:

I found some hashes in the initial foothold, do I need to crack those or look for other information?

EDIT: Got in

@Underworld said:
Could someone give me some hints on the first foothold? I don’t have much so far. I haven’t managed to pull off any SQL injection. I watched IppSec’s video on the Night**** box, but that didn’t seem to be applicable in my situation. I’ve tried enumerating s*b ports. Also, on the higher-level port my dirbuster didn’t find anything. Thanks! Someone give me a bump in the right direction and I’ll be off!

I’m at the same point. I’ve tried all the sequences that IppSec uses and only the 500 ERROR appears.

I managed to get in by thinking what the sql query might be then manipulating it. Just now looking for a stable shell that doesn’t keep cutting out

I can put files into n**-s** but I cannot seem to get a shell … PM please

Got user now on to root

Ok I had a fine shell. For some reason my connection was cutting out every few seconds. If I pinged a box it would cut out over and over. Regenerated my connection pack and I’m rolling

got root… Onto Zipper thanks to @Ahm3dH3sham @TazWake

Rooted.

My feedback for areas I got stuck on (aside from my OVPN client not working and me thinking it was a flaky shell):

I got stuck on some injection right at the beginning. I sat down and wrote down what I thought was the query being executed, then wrote into that what I would do to bypass it. Copied and pasted and that worked.

Spin through Wikipedia’s page on new features to Windows 10. There are some really weird looking directories and files on the box. It should ring some bells when you see it in the Windows 10 feature listing.

When you know what you are looking for GO FIND IT.

At this point, start enumerating like you would do a new box.

Good luck!

Got root. That was a lot of fun. Happy to give hints to anyone who is stuck.

Great machine! Thanks to @LordeDestro @Underworld for assistance with the initial exploit. Priv-esc was indeed special!

Managed to get a shell without bypassing anything; even after a reset the shell is still there. Not sure if I am doing something wrong, because I’m not hitting the issues that everybody is mentioning and it looks very easy and trivial… please let me know if this is the right approach or if I’m on the wrong track…