SecNotes


Comments

  • I think I am using too much time without effect on privesc.
    I found that w** is vulnerable, found exploit, have stable shell access, was able to get reverse shell once directly to u*****, ran exploit with my process id, everything looks ok, status in console finishes with information that it succeeded, but process is not elevated. Tried to run the same using b*** -c but then I can't see status and process is not elevated either.
    Could someone PM me and let me know if I am on the right path?

  • edited November 2018

    (Edited out irrelevant stuff) User and root, plus full reverse shell for good measure. For root -- this box involved one new-to-me technology plus a reminder to do the usual basic recon from the beginning whenever you find yourself in a new login context. I would recommend this to people who are doing PWK (OSCP).

    Mimi's sticky bun recipe turns out quite decent, by the way.

    LegendarySpork

  • Can anybody give me a hint? I'm on priv. esc. and I think that I have all I need, but when executing my exploit, compiled for the new environment that I have, I got the following error:

    [err] bytes < 0, are you root?

    Any hint is highly appreciated!

    Arrexel

    |OSCP|OSCE|

  • edited November 2018

    Anyone able to push me a little onto priv esc? thanks!!

    EDIT: never mind, got r00t.. stupid me..
    EDIT2: privesc hint:

  • edited November 2018

    edit:
    Got root.
    I learned many new things, but in the easiest part I spent so many hours overlooking something. Gosh, I wish I could've seen my face when I realized.

    User was really easy, tho.

  • edited November 2018

    Can anyone point me in the right direction? My reverse connection dies every now and then. What am I doing wrong???
    Edit: got it. Now onto priv esc.

  • edited November 2018

    Can someone PM me a hint on the initial shell? Got the creds. I see where I could in theory upload a shell, but not sure where that is executed from. dirb with a custom wordlist didn't help. Only seeing 2 services running on this box. Just ran a -T5 nmap scan, but still only seeing 2 services. Are there more?

  • @SW4gb3JkZXIgdG said:
    Can someone PM me a hint on the initial shell? Got the creds. I see where I could in theory upload a shell, but not sure where that is executed from. dirb with a custom wordlist didn't help. Only seeing 2 services running on this box. Just ran a -T5 nmap scan, but still only seeing 2 services. Are there more?

    Do a better nmap search and maybe something will come out...

    Arrexel

  • edited November 2018

    I receive an error message when I start W**.***
    "mesg: ttyname failed: Inappropriate ioctl for device" Can someone send me a PM? Then I can give more details.

  • @marvin7408 said:
    I receive an error message when I start W**.***
    "mesg: ttyname failed: Inappropriate ioctl for device" Can someone send me a PM? Then I can give more details.

    I solved the problem. I can't give any details because of spoiler. Thx.

  • Rooted !!! Nice box, PM if you need a nudge

    GreysMatter

  • Hi,

    I am stuck at privesc. Got second shell with full priv on sub. But don't know how to go further since it's mapped as a windows specific filesystem (can't change privs of main drive).

    Thank you in advance,
    mrothenbuecher

  • edited November 2018

    Got root. Frustrating part was that the special feature for privesc was not working properly until I reset the box.

    It's been said before, but once you activate the special feature, make sure you fully explore what you just got access to. It's really basic enumeration.

    Don't forget who you are and where you come from.
    -- F. Scott Fitzgerald

    PM me if you need help.

  • Need help in priv esc part.
    I have been trying for two days. :) I will inbox whatever I have done so far.

  • Feel free to PM me if you are running into issues.

  • edited December 2018

    I got some creds with s**i on the web app but don't know what I can do with them apart from uploading files with s**c*****. Can somebody let me know if I am going in the right direction?

    Thank you.

  • edited December 2018

    Could use a nudge here... I can upload files but can't execute them... :-(

    Edit: managed that... still stuck on Privesc. :-D

    Edit2: finally root...

    was pain and also fun... nice box after all.

    r00tk1d

  • @kwong240 said:
    I got some creds with s**i on the web app but don't know what I can do with them apart from uploading files with s**c*****. Can somebody let me know if I am going in the right direction?

    Thank you.

    If you find only two ports, nmap again!!

  • @r00tk1d nmap for you too!! :)

  • edited December 2018

    @mrothenbuecher said:
    Hi,

    I am stuck at privesc. Got second shell with full priv on sub. But don't know how to go further since it's mapped as a windows specific filesystem (can't change privs of main drive).

    Thank you in advance,
    mrothenbuecher

    I'm at the same point... Have you managed it?


  • Yes managed I have... :-)

    Keep it simple and try the basics...

    r00tk1d

  • @r00tk1d said:
    Yes managed I have... :-)

    Keep it simple and try the basics...

    Yeap!!!
    Finally done it!
    In the final step you should do the basic enumeration for that OS..

    Tks


  • Owned.
    Thanks to everybody who helped me, especially @skiamakhe.

    For those of you having trouble with Priv Esc on this machine, I suggest you believe that the shell you find is working and type commands in it (because it really is!!) XDDDD

  • Rooted. Hints are already on the desktop. What you need after that is basic enumeration in the new shell. Don't overthink!

    Cheers~

  • edited December 2018

    I don't know if I got the correct hash from the S**i... I got a blowfish hash, which I don't know how to use for login... :/

    Never mind... I queried the wrong table... maybe got an unintended hash hehe

  • Can anyone give me some hints on how to get a stable reverse shell? My shell keeps on dropping after a few minutes.

  • ^ I used a stable NON-REVERSE shell. hint hint

  • edited December 2018

    Got stuck at the initial level. Any hints please!!

  • Alright, I feel like an idiot at this point. I watched ippsec's vid. I understand the sec_ord injection but I cannot get the query right. Can someone nudge me to a resource or push me over the edge on the correct syntax?
    Thanks!
