Access - Privilege Escalation

Rooted this weeks ago but if anyone needs help feel free to PM me :slight_smile:

Feel free to reach out if you need a push to get root. Thanks to @YellowBanana for the good hints.

i would suggest to understand what stored credential is in the windows server and you will then know why your ‘sudo’ doesn’t need a password…

can someone please help me with the priv esc am stuck from from a month nothing is working out for me. Kindly please PM me to get root. HELP !!!

got user earlier on, stuck on getting root, can see the file but getting ‘Access is denied’ - have tried running the r**** command but am still the s******* user

As an update, I’ve managed to put users into the A************ group using r**** however I still can’t use the r**** to view the root file ?!?

Humm… after reading all these comments, I feel some ppl are just overcomplicating stuff. You know you don’t have to get an admin shell or add the user to admin group in order to get the root file.

hello all! Im able to use r***s i test the command and i can execute as admin, but commands to get the root.txt are not working Im terrible at windows so if someone can pm me please! otherwhise i think anything that i write could be a spoiler

Finally completed the machine if have any query feel free to ask.

@Sogeking said:
Humm… after reading all these comments, I feel some ppl are just overcomplicating stuff. You know you don’t have to get an admin shell or add the user to admin group in order to get the root file.

Hi! would appreciate any suggestions. I’ve tried so many variations of the r*** command and I just can’t access the root.txt file. (the command isn’t even working properly on my own windows machine so it obviously has some issues in it)

could someone help me in the private?

@michelbf said:

@Sogeking said:
Humm… after reading all these comments, I feel some ppl are just overcomplicating stuff. You know you don’t have to get an admin shell or add the user to admin group in order to get the root file.

Hi! would appreciate any suggestions. I’ve tried so many variations of the r*** command and I just can’t access the root.txt file. (the command isn’t even working properly on my own windows machine so it obviously has some issues in it)

Microsoft usually stands out when talking about documentation, but specifically for the command you are trying to run I’d suggest you to look on Wikipedia instead. There’s a page specifically for it with all flags you need to use. More specifically you wanna use the starting with u and s ones. Just remember all you wanna do is check the contents of root.txt, don’t overcomplicate things. If you can’t cat its contents direct to your terminal screen, try to cat it to some other place. Then, check this other place. And always use full commands, don’t abbreviate the .exe

@rufy said:
Feel free to reach out if you need a push to get root. Thanks to @YellowBanana for the good hints.

Hi,
Can you help me please to get root for Access machine?
I’ve got a user, but I’m stuck with root.
I tried Runas but it ask me for password.
Please can you help me out?!!!

I’ve> @rzouzou said:

First of all, thank you. I tried it. The problem is that always ask for administrators’s password. I dont know about it. There is a way to bypass the password or i must do something to learn it?

Hint : users are lazy, check what options can be used with this command ( /?)

Thank for hint…
I got access in administrator folder.
Now for root.txt …

Managed to get root.txt! My first box, very exciting! It looks like people are overthinking a bit…there’s no need to perform a lot of complicated things…only get one thing right.

Thanks to @salamander who gave the perfect tips!

@salamander said:

Microsoft usually stands out when talking about documentation, but specifically for the command you are trying to run I’d suggest you to look on Wikipedia instead. There’s a page specifically for it with all flags you need to use. More specifically you wanna use the starting with u and s ones. Just remember all you wanna do is check the contents of root.txt, don’t overcomplicate things. If you can’t cat its contents direct to your terminal screen, try to cat it to some other place. Then, check this other place. And always use full commands, don’t abbreviate the .exe

@morenji said:

@xcorpion said:
I’ll ask the same question here that I asked on the main thread. What pointed you to this escalation vector? (other than the forum). If there was no forum how could you have figured out that this sudoish command is the way to get “root” (Other than trial and error).

In security user’s desktop (if I remember correctly) there is a link file to start the webcam app. If you open it you see the “lazy” command. But I’m new to windows machines (and I suck).

That file is owned by administrators group, so you can’t read it as security user. I suppose somebody that owned the machine changed its permissions.

I think something is wrong with this machine. I can see the stored creds, but /s___c___ flag doesn’t seem to work for me, keeps asking for password. I spotted similar bug reports in microsoft forums. I feel really sorry for the windows admins in the real world, having to deal with such a creepy OS/cmdline

EDIT: Ignore ~ after 3-4 resets it worked. Condolences for win admins still applies though :stuck_out_tongue:

I’ve found that people are resetting account passwords which makes any EFS files inaccessible until a reset.

There is a way to get an admin shell where you can read any file normally. Additional to the already mentioned Tips:

  • You can’t elevate privileges of a running process in Windows. This is a design issue.
  • It’s usually not much of a use to spawn a new process (where you want to perform I/O) in non-interactive sessions, because you can’t handle it locally, right? Any alternatives to that?
  • If you are stuck with a limited or problematic shell, and you want to upgrade to a powershell, what would you do? Keep in mind the aforementioned restrictions.

@prutz said:
Can anyone give, or PM a hint how to actually get admin? I can runas administrator but Im not able to open a prompt etc

Tell me PM, give me a small hint please.