Giddy

@s4rgey said:
Rooted! Great box, thanks to the creator!
As mentioned above don’t waste time to get reverse shell. Powershell has all needed to trigger your stuff. And of course Enumeration is the key )

What about the suggested exploit, as suggested by what's in front of me (to do with something that's not where it should be)?

Can someone drop me a PM to make sure I’m not way off track? I found a very common vuln and managed to grab some creds from M********** table but not sure how to use them. Don’t want to give spoilers so please DM for more info. Thanks

Rooted, awesome learning :)

Feel free to PM me if you are running into problems.

Great machine! I learned a lot on this one, used a lot of new tools… Probably one of my favorite machines so far…

@TheBull369 said:
Great machine! I learned a lot on this one, used a lot of new tools… Probably one of my favorite machines so far…

Indeed, great machine. Many thanks to @lkys37en for it.
And @snowman418 for pointing to the right direction.

Vista and SuperiorCard … love it

Does priv esc require a restart? My current user isn’t allowed to do this. I therefore wonder if I’m off track.

I found this to be very useful once you have an idea of the PE vector (and if you are a complete noob to PowerShell like I was 24 hours ago): Microsoft PowerShell for Beginners - Video 1 Learn PowerShell - YouTube

Solved. Now onto root.

Did something change on this box?
My notes of how I rooted no longer work.
Can I PM someone to give details, so as not to spoil in this forum thread?

Can I PM someone for a hint regarding the root flag?

Stuck on root flag, anyone available to PM for nudge?

Rooted. That took a little work, a bit of creativity, a lot of basic enumeration and headscratching but all the hints are pointing in the direction you need to go. Google and searchsploit on anything unusual you see. You don’t need to spin up a separate Windows box. Thanks to snowman418 for keeping me pointed in the right direction.

Could someone please provide me tips on initial foothold? Currently trying to use one of OWASP vulns, but not really making any progress in this direction. Can’t really seem to get any response out, except for errors so I know it is a valid way forward.

@linkerslv I used dirb but not with the common wordlist, then you should find an OWASP Vuln which should lead to more Information… Someone want to talk about Priv. Esc? I’m really close but missing something, maybe I’m just overthinking

Trying for so long… but not able to find the proper syntax for xp_d*****.

nvm got it with full shell and completely on Linux :) If someone wants to connect from Linux to PS web console this one is for you: https://blog.quickbreach.io/ps-remote-from-linux-to-windows/

Edit: There are two possibilities to interact with the vulnerable service for priv esc ;)

@saketsourav said:
Trying for so long… but not able to find the proper syntax for xp_d*****.

Same boat, somebody able to give me a little push in the right direction?
Many thanks !

I got a s** inje***** on mvc… is it useful or a complete waste of time? I didn’t find any creds yet here. Only a bin file. neither privileges to get output from an os shell by a s** statement. I’ll appreciate if someone could p.m me