Giddy

@TheBull369 said:
Great machine! I learned a lot on this one, used a lot of new tools… Probably one of my favorite machines so far…

Indeed, great machine. Many thanks to @lkys37en for it.
And @snowman418 for pointing in the right direction.

Vista and SuperiorCard … love it

Does priv esc require a restart? My current user isn’t allowed to do this. I therefore wonder if I’m off track.

I found this to be very useful once you have an idea of the PE vector (and if you are a complete noob to PowerShell like I was 24 hours ago): "Microsoft PowerShell for Beginners - Video 1 Learn PowerShell" (YouTube)

Solved. Now onto root.

Did something change on this box?
My notes on how I rooted it no longer work.
Can I PM someone to give details, so as not to spoil in this forum thread?

Can I PM someone for a hint regarding the root flag?

Stuck on root flag, anyone available to PM for nudge?

Rooted. That took a little work, a bit of creativity, a lot of basic enumeration and headscratching but all the hints are pointing in the direction you need to go. Google and searchsploit on anything unusual you see. You don’t need to spin up a separate Windows box. Thanks to snowman418 for keeping me pointed in the right direction.

Could someone please provide me tips on initial foothold? Currently trying to use one of the OWASP vulns, but not really making any progress in this direction. Can’t really seem to get any response out, except for errors so I know it is a valid way forward.

@linkerslv I used dirb, but not with the common wordlist; then you should find an OWASP vuln which should lead to more information… Does someone want to talk about priv esc? I’m really close but missing something, maybe I’m just overthinking.

Trying for so long… but not able to find the proper syntax for xp_d*****.

Nvm, got it with full shell and completely on Linux :) If someone wants to connect from Linux to the PS web console, this one is for you: https://blog.quickbreach.io/ps-remote-from-linux-to-windows/

Edit: There are two possibilities to interact with the vulnerable service for priv esc ;)

@saketsourav said:
Trying for so long… but not able to find the proper syntax for xp_d*****.

Same boat, somebody able to give me a little push in the right direction?
Many thanks!

I got a s** inje***** on mvc… is it useful or a complete waste of time? I didn’t find any creds yet here. Only a bin file. Neither privileges to get output from an OS shell by a s** statement. I’d appreciate it if someone could PM me.

Greetings from Greece!!
I am still in the initial foothold, I’ve used sql-in****** on mvc, found all the db’s, 2 users and 1 pass and passwordsalt but I can’t crack it, any help would be appreciated!!
Thank you!

@manick69 said:
Greetings from Greece!!
I am still in the initial foothold, I’ve used sql-in****** on mvc, found all the db’s, 2 users and 1 pass and passwordsalt but I can’t crack it, any help would be appreciated!!
Thank you!

Use John the Ripper with a wordlist commonly used in Kali Linux; it will not take more than 5 minutes to decipher it.

Could somebody help me please? I found the vid in the users folder. I found the exploit for it. But there is a task****.exe by default. That file should not exist according to the exploit… I reverted the machine but it is still there. I cannot delete it because of running processes. Permission denied when I try to stop the process…

Anyone willing to DM me discussing sqli??? In addition to the exposed path I’ve managed to get an actual user in traditional ‘DOMAIN\USER’ form as well as only 1 table name, but I’m at a standstill now, running out of ideas to try, gonna dig some more and read some more injection sources… would be nice to bounce ideas off someone…

@zauxzaux said:
Anyone willing to DM me discussing sqli???

Check PM.