SecNotes

Okay, it is my understanding at this point it is si****** as the entrypoint. However, I wanted to make sure that was the case as some basic X** testing seems to trigger as well. If it is sI****** could somebody please DM me? I’ve tried some basic ones at the login form and I’m not even getting any error messages that would lead me to believe I’m moving in the right direction. Thanks ahead of time.

Hey all, I have gained access to the web app, and logged into what I believe is the service of interest. I’m also able to upload files, but not sure of the approach to get RCE? I’m also not 100% sure I’m in the right service; if anyone could PM me I would be grateful :slight_smile:

Got root… mimi bunz was the hardest tbh because I do not have experience with a particular webapp exploit.

Okay, got user, but now completely stuck on priv esc. Got a simple webshell and tried every one-liner reverse Windows shell on the internet, as well as trying various payloads, but the box keeps deleting them when I try and run them…

Any hint in the right direction I would be very grateful!!!

@samsepi0l said:
Rooted

Initial Foothold:
Do not try to brute-force any service with any user; think of a way to pass yourself off as administrator using two words (seen in other machines). If you cannot enter, use all the forms; they are there for some reason.

I guess I don’t understand the clue… I’ve seen IppSec’s N******** video and I did what I had to do. I got the hashes from the u**** table. I don’t really understand where to go from here

Rooted. Thanks @r00tk1d and @Baikuya
I am still learning. The user was not that hard; the OWASP Top 10 mentioned will help with that. Priv esc uses an interesting feature of Win10. God, how I love DeLoreans!

Can someone PM me a hint on how to solve the 500 error for the initial foothold? I think my query is wrong but I have no idea how to modify it to bypass the error

just rooted! Root was pretty simple, all the hints are inside this thread. PM me if you need some advice!

Can someone give me a hint in the right direction? I think I found all the services via nmap. I also used S**i to find a username and a hash. Am I supposed to crack it? From previous posts I feel like I am missing something.

So I got access to ‘special feature’, no prob. I don’t see anyone mentioning what I’m thinking I could use (if I could hard reset the box without its filesystem reverting back to 0), but I am probably wrong. I’ve only seen one mention of it in the hints, that the thing you’re supposed to use to escalate is related to the user’s home folder? Not talking shortcuts. Seems like those processes start at startup and modifying them wouldn’t make a difference unless I could run them again with elevated rights, which doesn’t seem logical. Should I fux those or walk away?

I have gotten the user flag, but cannot find a proper way to get to the root flag. The “new” feature of this box works seemingly ok when running simple commands and scripts with it, but I’m still in non-privileged mode, so I cannot access the required folder(s). Any hints on how to proceed? PM me, please.

@KuroiKuro said:
Can someone PM me a hint on how to solve the 500 error for the initial foothold? I think my query is wrong but I have no idea how to modify it to bypass the error

I have the same issue.
Can anyone PM me with some help?

@ashr said:
So I got access to ‘special feature’, no prob. I don’t see anyone mentioning what I’m thinking I could use (if I could hard reset the box without its filesystem reverting back to 0), but I am probably wrong. I’ve only seen one mention of it in the hints, that the thing you’re supposed to use to escalate is related to the user’s home folder? Not talking shortcuts. Seems like those processes start at startup and modifying them wouldn’t make a difference unless I could run them again with elevated rights, which doesn’t seem logical. Should I fux those or walk away?

Haha, got it. There was a nice tip in a prior post. Tx m8, I should read better.

Can anyone give me some hints please?

Is anyone having trouble keeping a session up for more than 30 seconds?

Stuck at S**i, would appreciate a nudge. :astonished:
EDIT1: got it
EDIT2: rooted. Interesting privesc :lol:

I could use some help guys :slight_smile:
Can someone PM me?

Rooted!! Well, that really was not the priv esc I initially assumed it to be… but a fun box.

Can someone send me some clues? I’m blocked; this is my second machine :expressionless:
No spoiler; I found one thing useful but I don’t know how I can use it.

Finally rooted!! That privesc concept was pretty cool, but I totally made it harder on myself with rabbit holes.