Access

@GDX said:
For everyone who is trying to root via runas, don’t try to read the root.txt file or run any other command directly (since you also don’t see output), try to create a reverse shell first via that command.

Hint for everyone who doesn’t know why runas should help him in PrivEsc, search the possible arguments on the internet and then it should be really obvious which one is helpful for that purpose

For further hints PM me.

You’re right!

@darkcyber said:

@tacosaurus said:

@darkcyber said:
Stuck on get user.

I already read the email, so I know the security account and the password, but trying to log in in f** failed; trying to log in to s__, I logged in as en_in__r and security, but I can’t read anything.

What am I doing wrong?

Maybe you should enumerate all open ports

Sorry, I don’t get it. I tried f__ and s__ login with this credential but no luck. So I don’t know where to go with this credential.

UPDATED:
Finally got user.txt, looks like I needed to reset the machine and then log in to t_l_et using this credential.

Now stuck on root.txt

/s______d is not working, what am I doing wrong?

Do I need to enumerate after logging in as security? But I don’t know what to enumerate.

I’ll PM you.

Finally got r00t. If you are stuck on root.txt, read this carefully:

  • Make sure you know the full path of root.txt.
  • You can check with c_dk_y /list; of course the Administrator has saved the password in Credential Manager.
  • Somehow the type command doesn’t return output when you combine it with the r__as command, so I hope you know how to redirect output to somewhere, with the full path of the file you want to read and where you want to store it.
  • You just need 2 options: /u__r of course, and /sa__c__d

I hope it helps

anyway thanks @clmtn @Beggy @brohlm

@darkcyber said:
Finally got r00t. If you are stuck on root.txt, read this carefully:

  • Make sure you know the full path of root.txt.
  • You can check with c_dk_y /list; of course the Administrator has saved the password in Credential Manager.
  • Somehow the type command doesn’t return output when you combine it with the r__as command, so I hope you know how to redirect output to somewhere, with the full path of the file you want to read and where you want to store it.
  • You just need 2 options: /u__r of course, and /sa__c__d

I hope it helps

anyway thanks @clmtn @Beggy @brohlm

Congratz @darkcyber :smiley:

Any hints? Downloaded two files via f**; the b*****.m** seems to be corrupted; the other file is password protected. Tried several m** recovery tools, none of which worked. My first Windows box :persevere:

@Ryan. Change your transfer mode and try downloading the files again.

@Malone5923 said:
@Ryan. Change your transfer mode and try downloading the files again.

Managed to get it using wg** instead which worked fine. Got some credentials but t**** is saying specified user is not a member of TelnetClients group. Is that expected behaviour?

EDIT:

Figured it out! :stuck_out_tongue:

Hey guys,
Currently I am looking to own system. I am t*****ting with an account, not quite an elevated account however. Anyone able to PM some pointers on Privesc?

@Rainerd said:
Hey guys,
Currently I am looking to own system. I am t*****ting with an account, not quite an elevated account however. Anyone able to PM some pointers on Privesc?

If you have already read the email, it should log in successfully.

@darkcyber
I have used said account, but it’s not an admin?

Got it…

@darkcyber said:
Finally got r00t. If you are stuck on root.txt, read this carefully:

  • Make sure you know the full path of root.txt.
  • You can check with c_dk_y /list; of course the Administrator has saved the password in Credential Manager.
  • Somehow the type command doesn’t return output when you combine it with the r__as command, so I hope you know how to redirect output to somewhere, with the full path of the file you want to read and where you want to store it.
  • You just need 2 options: /u__r of course, and /sa__c__d

I hope it helps

anyway thanks @clmtn @Beggy @brohlm

Got root. Thanks, I can’t believe that I was stuck because of the path…

@Rainerd said:
@darkcyber
I have used said account, but it’s not an admin?

Yes, that is not admin. Get user.txt first with this account, then privesc to get root.txt.

Hey,
Been working on privescing for some time now, I think I’m close but I get syntax errors for r**** which I do not understand. Could someone give me a hand please?

@Urmine said:
Hey,
Been working on privescing for some time now, I think I’m close but I get syntax errors for r**** which I do not understand. Could someone give me a hand please?

read the manual

@darkcyber said:

@Urmine said:
Hey,
Been working on privescing for some time now, I think I’m close but I get syntax errors for r**** which I do not understand. Could someone give me a hand please?

read the manual

I agree. Turns out that I was using Bash redirects to try to show output. Still, I needed a push to finish this. Thanks EthicalHCOP for helping out.

Finally got root, thanks @tacosaurus. Apparently I was missing one word; like dark cyber said, read the manual.

What an infuriating box!!! However, I managed to learn a lot in the process of stumbling thru the steps. I also did learn that the vulnerability in this box may be a common thing in enterprises with older Win boxes that use de-centralized s/w deployment or batch/script file deployments.

Here are my hints (since you are in this thread, I assume you are only figuring out root.txt access)

  1. KISS (Keep It Simple Stupid) - if you haven’t figured it out from the prev replies, this box is actually pretty simple. It does not require msf or any kit to get thru.

  2. There are some red herrings in the box once you are in as user. However, it does clue you in to what’s possible. I also think the maker may have intended vbs to be used to gain access to the root file.

  3. ALWAYS use full paths in your commands. It will save you some headaches. At least for the r******.
    3.a As a cautionary info, r***** does not give a success or error output. You will need to figure out how to direct the output of the command being run to a file vs your console session. Some of your frustration may be because you haven’t tested the result of your attempt to check if it succeeded. t*****t is a pain to work with.

  4. “Access is denied” is intentional and there are multiple ways to get around. You will want to search methods or workarounds to get the contents

  5. Some of the possible methods do seem to break the box or ability to get root.txt. A command that worked for me stopped working midway, and then on a fresh session, did not work at all. Once I gained access to the file, I realised that someone else may have issues getting to it, or will get unexpected results in some of the commands being used. Which is why I think a large number of people tend to reset it. I did try to reverse my changes but found someone had reset it at that moment.

EDIT: @darkcyber hinted a pretty useful command that gives an idea on how /s********* works. Thanks.

@Urmine said:

@darkcyber said:

@Urmine said:
Hey,
Been working on privescing for some time now, I think I’m close but I get syntax errors for r**** which I do not understand. Could someone give me a hand please?

read the manual

I agree. Turns out that I was using Bash redirects to try to show output. Still, I needed a push to finish this. Thanks EthicalHCOP for helping out.

You’re welcome man! Regards!

@laughingman777

I’m a big fan of Ghost in the Shell too, love your profile pic!!