SecNotes

Ok I had a fine shell. For some reason my connection was cutting out every few seconds. If I pinged a box it would cut out over and over. Regenerated my connection pack and I’m rolling.

got root… Onto Zipper thanks to @Ahm3dH3sham @TazWake

Rooted.

My feedback for areas I got stuck on (aside from my OVPN client not working and me thinking it was a flaky shell):

I got stuck on some injection right at the beginning. I sat down and wrote down what I thought was the query being executed, then wrote into that what I would do to bypass it. Copied and pasted and that worked.

Spin through Wikipedia’s page on new features to Windows 10. There are some really weird looking directories and files on the box. It should ring some bells when you see it in the Windows 10 feature listing.

When you know what you are looking for GO FIND IT.

At this point, start enumerating like you would do a new box.

Good luck!

Got root. That was a lot of fun. Happy to give hints to anyone who is stuck.

Great machine! Thanks to @LordeDestro @Underworld for assistance with the initial exploit. Priv-esc was indeed special!

Managed to get a shell without bypassing anything; even after a reset the shell is still there. Not sure if I am doing something wrong, because I’m not hitting the issues that everybody is mentioning and it looks very easy and trivial… please let me know if this is the right approach or if I’m on the wrong track…

@Underworld said:
Rooted.

My feedback for areas I got stuck on (aside from my OVPN client not working and me thinking it was a flaky shell):

I got stuck on some injection right at the beginning. I sat down and wrote down what I thought was the query being executed, then wrote into that what I would do to bypass it. Copied and pasted and that worked.

Spin through Wikipedia’s page on new features to Windows 10. There are some really weird looking directories and files on the box. It should ring some bells when you see it in the Windows 10 feature listing.

When you know what you are looking for GO FIND IT.

At this point, start enumerating like you would do a new box.

Good luck!

I hate this hint because of how misleading it is. This is not a Windows feature exclusive to Win10. Telling people that they should examine a feature list is borderline mean.

You don’t even need to enumerate all the files and figure out weird looking directories or whatever. Just look at what the admin did or what shortcuts they use. It indicates what the box is used for. No research required.

Overall, this was a good box. Apart from the initial part (which was new for me), everything is straightforward for the user.

For Priv Esc, just read what’s in front of you and enumerate. A little googling will help as well.

PM for hints if needed :smiley:

Hello guys. I have a problem with the current box. I found that you can do something in the platform and I am trying to get as much information out of that.
I got some version and a username, but when I try some more complex things I am getting an error with “Something went wrong. Please try again later.”

Am I doing something wrong? I didn’t want to spoil much.

If someone wants to help, PM me.

Edit: got the user…let’s root that thing now :smiley:

500 Internal server error…

@0xskywalker said:
500 Internal server error…

Fix your query

@Akumu said:

@0xskywalker said:
500 Internal server error…

Fix your query

Thanks buddy.

I have a stable shell and found the exe but can’t for the life of me figure out how to use it for privesc. I get root but it’s not system…

I think I am using too much time without effect on privesc.
I found that w** is vulnerable, found an exploit, have stable shell access, was able to get a reverse shell once directly to u*****, ran the exploit with my process id, everything looks ok, status in console finishes with information that it succeeded, but the process is not elevated. Tried to run the same using b*** -c but then I can’t see the status and the process is not elevated either.
Could someone PM me and let me know if I am on the right path?

(Edited out irrelevant stuff) User and root, plus full reverse shell for good measure. For root – this box involved one new-to-me technology plus a reminder to do the usual basic recon from the beginning whenever you find yourself in a new login context. I would recommend this to people who are doing PWK (OSCP).

Mimi’s sticky bun recipe turns out quite decent, by the way.

Can anybody give me a hint? I’m on priv. esc. and I think that I have all I need, but when executing my exploit, compiled for the new environment that I have, I get the following error:

[err] bytes < 0, are you root?

Any hint is highly appreciated!

Anyone able to push me a little onto priv esc? thanks!!

EDIT: never mind, got r00t… stupid me…
EDIT2: privesc hint: Boards of Canada - Music Is Math - YouTube

edit:
Got root.
I learned many new things, but in the easiest part I spent so many hours overlooking something. Gosh, I wish I could’ve seen my face when I realized.

User was really easy, tho.

Can anyone point me in the right direction? My reverse connection dies every now and then. What am I doing wrong???
Edit: got it. Now onto priv esc.

Can someone PM me a hint on the initial shell? Got the creds. See where I could in theory upload a shell, but not sure where that is executed from. dirb with a custom wordlist didn’t help. Only seeing 2 services running on this box. Just ran a -T5 nmap scan, but still only seeing 2 services. Are there more?