Access - Privilege Escalation

I think tip number one is to try the r**** command in a Windows machine to make sure to get the one that works. If you need any help, I’m open to PMs …

one thing that helped me was a reset before working on it, i was stuck for quiet some time, today i did a reset and the same commands that i tried once before, now got me root.

ok, i’ve ownd User, now i’m stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password… can someone help me in pm?

@tulio666 said:
ok, i’ve ownd User, now i’m stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password… can someone help me in pm?

There is a switch which prevents it from asking. However may still ask even if you have entered a non-existent account.

@TazWake said:

@tulio666 said:
ok, i’ve ownd User, now i’m stuck on the r**** command. i think my syntax is right cuz it keeps me asking for Administrator password… can someone help me in pm?

There is a switch which prevents it from asking. However may still ask even if you have entered a non-existent account.

can you help me pvt with the command?

got it! needed to test the line before on windows then did it perfectly on telnet. Hint to find the r***.t** file faster is to use with the branches and leaves of a tree [=

i would like some assistants with reading the root.txt … plz i am losing sleep over it :cry:

need some help with privesc

OK, so, this box…
User is pretty straight forward. Just check if the file is corrupted or something. Also, there are some online tools to help on reading and stuff.

Privesc.
I think the most difficult part is finding the attack vector, but since u are reading the forum, u probably know what to do by now.
A few tips:

  1. The program asks for a password
    A. Read the program’s manual, there is a option to bypass that

  2. The command executes, but doesn’t echo its results (no response)
    A. Just use the command to get another shell

  3. Cant read the root.txt
    A. Replace owner on subcontainers and objects

My 2 cents

Still banging my head. It looks like I can run things as an admin user from the tasklist showing things running escalated but I can’t look at directories or files as admin. I was able to add the compromised user to the Admins group, even, but no love getting the file.

LOL nvm, did something dumb but I figured it out. Pay VERY close attention to your syntax when escalating.

I’ll ask the same question here that I asked on the main thread. What pointed you to this escalation vector? (other than the forum). If there was no forum how could you have figured out that this sudoish command is the way to get “root” (Other than trial and error).

@xcorpion said:
I’ll ask the same question here that I asked on the main thread. What pointed you to this escalation vector? (other than the forum). If there was no forum how could you have figured out that this sudoish command is the way to get “root” (Other than trial and error).

In security user’s desktop (if I remember correctly) there is a link file to start the webcam app. If you open it you see the “lazy” command. But I’m new to windows machines (and I suck).

Rooted this weeks ago but if anyone needs help feel free to PM me :slight_smile:

Feel free to reach out if you need a push to get root. Thanks to @YellowBanana for the good hints.

i would suggest to understand what stored credential is in the windows server and you will then know why your ‘sudo’ doesn’t need a password…

can someone please help me with the priv esc am stuck from from a month nothing is working out for me. Kindly please PM me to get root. HELP !!!

got user earlier on, stuck on getting root, can see the file but getting ‘Access is denied’ - have tried running the r**** command but am still the s******* user

As an update, I’ve managed to put users into the A************ group using r**** however I still can’t use the r**** to view the root file ?!?

Humm… after reading all these comments, I feel some ppl are just overcomplicating stuff. You know you don’t have to get an admin shell or add the user to admin group in order to get the root file.