Giddy

Does priv esc require a restart? My current user isn’t allowed to do this. I therefore wonder if I’m off track.

I found this to be very useful once you have an idea of the PE vector (and if you are a complete noob to powershell like I was 24 hours ago) Microsoft PowerShell for Beginners - Video 1 Learn PowerShell - YouTube

Solved. Now onto root.

Did something change on this box?
My notes of how I rooted no longer work.
Can I PM someone to give details, so as not to spoil in this forum thread?

Can I PM someone for a hint regarding the root flag?

Stuck on root flag, anyone available to PM for nudge?

Rooted. That took a little work, a bit of creativity, a lot of basic enumeration and headscratching but all the hints are pointing in the direction you need to go. Google and searchsploit on anything unusual you see. You don’t need to spin up a separate Windows box. Thanks to snowman418 for keeping me pointed in the right direction.

Could someone please provide me tips on initial foothold? Currently trying to use one of the OWASP vulns, but not really making any progress in this direction. Can’t really seem to get any response out, except for errors, so I know it is a valid way forward.

@linkerslv I used dirb but not with the common wordlist, then you should find an OWASP vuln which should lead to more information… Someone want to talk about priv esc? I’m really close but missing something, maybe I’m just overthinking.

Trying for so long… but not able to find the proper syntax for xp_d*****.

nvm, got it with full shell and completely on Linux :slight_smile: If someone wants to connect from Linux to the PS web console, this one is for you: https://blog.quickbreach.io/ps-remote-from-linux-to-windows/

Edit: There are two possibilities to interact with the vulnerable service for priv esc :wink:

@saketsourav said:
Trying for so long… but not able to find the proper syntax for xp_d*****.

Same boat, somebody able to give me a little push in the right direction?
Many thanks!

I got a s** inje***** on mvc… is it useful or a complete waste of time? I didn’t find any creds yet here. Only a bin file. Neither privileges to get output from an OS shell by a s** statement. I’d appreciate it if someone could PM me.

Greetings from Greece!!
I am still on the initial foothold. I’ve used sql-in****** on mvc, found all the DBs, 2 users and 1 pass and password salt, but I can’t crack it. Any help would be appreciated!!
Thank you!

@manick69 said:
Greetings from Greece!!
I am still on the initial foothold. I’ve used sql-in****** on mvc, found all the DBs, 2 users and 1 pass and password salt, but I can’t crack it. Any help would be appreciated!!
Thank you!

Use John the Ripper with a wordlist commonly used in Kali Linux; it will not take more than 5 minutes to decipher it.

Could somebody help me please? I found the vid in the user’s folder. I found the exploit for it. But there is a task****.exe by default. That file should not exist according to the exploit… I reverted the machine, but it is still there. I cannot delete it because of running processes. Permission denied when I try to stop the process…

Anyone willing to DM me to discuss SQLi??? In addition to the exposed path, I’ve managed to get an actual user in the traditional ‘DOMAIN\USER’ form as well as only 1 table name, but I’m at a standstill now, running out of ideas to try. Gonna dig some more and read some more injection sources… would be nice to bounce ideas off someone…

@zauxzaux said:
Anyone willing to DM me to discuss SQLi??? Check PM.

I don’t know what happened. Suddenly my approach started working as I wanted from the beginning. “Rooted” / “Administered” or whatever it is called in a Windows environment. I think there were too many ppl trying to do the same…

Initial Foothold
The user part was really confusing. I lost a lot of time doing useless things; some clues in the thread, as some say, can be misinterpreted. To begin with, you should enumerate as usual and exploit one of the most common vulnerabilities of the OWASP Top

User
This is where they mention the use of xp_de. It is also important to know about a new service that you do not see in Nmap; it is difficult to say more without spoilers. Nevertheless, I had to search a lot about xp_d e to combine two services and manage to exploit them… The rest is to use JTR and follow your instinct.

Administrator
The root part was easier, but I was also losing time with PS. The most important track is in the first directory; look it up on Google. When you know what to do, keep in mind that if you already exploited a service, you can take advantage of it again and not break your head on more complex things…