SecNotes

I’ve found user and managed to set up a stable reverse shell. I’ve found a couple of interesting things that feel unusual. However, they don’t seem to help me any further towards root. I think I can’t mention my findings here without possibly spoiling something, so I would appreciate it if someone could DM me and perhaps help me get to the next step.

Someone willing to DM me on initial??? I’ve injected the sh* out of this thing to no avail… no weird 500 errors or anything… also got mixed results on different runs of the tool.

Finally got root. This wasn’t an easy box for me.

HINT

User:

  1. Enumerate services with nmap; there are 3 services running on the box.
  2. Watch Ippsec’s video on Nightmare; you only need the first part. Don’t try to run his command as you see it; rather, go basic and don’t overthink it. A simple true statement is all you need. (winks)
  3. Upon getting credentials, connect with one of the services you enumerated earlier.
  4. Try and get a shell; how you go about it is up to you. Once you have a shell you pretty much have user.txt.

Root: This one was annoying.

  1. Enumerate the box by playing around in folders; no need to run any stupid script. You’ll definitely see something off that shouldn’t be in a WINDOWS box.
  2. Sometimes taking a shortcut is a good thing.
  3. Once you have got a shell, the rest is history. (winks)

I tried to keep it spoiler free. Honestly, coming from someone who struggled with this box, the hints here are idiot-proof, unlike “enumerate”, “try harder” and stupid **** that PROs like to dish out.

@zauxzaux said:
Someone willing to DM me on initial??? I’ve injected the sh* out of this thing to no avail… no weird 500 errors or anything… also got mixed results on different runs of the tool.

For me it was the same! Work in a “deeper” way to inject! Also, don’t go just with the traditional methods; try all of them.

Would someone mind giving me a hint for the initial foothold please? I’ve tried a ton of si****** but can’t seem to progress past the 500 err. I’ve spent hours and checked out nightmare but I guess I’m just missing something…

EDIT: Ignore this, I’ve got it! What is it about posting a help request for a forum or emailing support that makes you work out the answer to your question immediately after? Lol!!!
EDIT2: Got root now, I was definitely overcomplicating things. It was super easy once I looked in the right place! Learnt a thing or two though, so it’s all good :slight_smile:

Okay, it’s easy to get a reverse shell. For the privesc I think I should use what I have on the Desktop (Torvalds). The problem is that any command is hanging and I don’t know if it is a machine issue or my fault!! Any help, please?

Hey All. I have user access and a stable shell but I haven’t been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don’t want to give any spoilers but I’m getting permissions errors trying to access the root flag from the subsystem. Thanks!

@redcypress said:
Hey All. I have user access and a stable shell but I haven’t been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don’t want to give any spoilers but I’m getting permissions errors trying to access the root flag from the subsystem. Thanks!

Never mind. Just got root flag. Wahoo!

Hey guys, can someone give me a pointer? I am massively missing something! Thanks!

Could someone help me via PM with the easy step on this machine?

Hi!

Can someone give me a hint for the root flag?

I have the “second shell” by using the feature given by this Windows 10.

I’m enumerating lots of things but I can’t find the way to get the root.txt.

Thanks

Whenever I try to run ****.exe I get the error “mesg: ttyname failed: Inappropriate ioctl for device”. Can someone help me?
I am on the last stage to get root, please PM.

I am root, but I don’t see the flag, what happened here? NEVERMIND, I HAVE THIS I THINK…

ROOTED!!! great machine!

I tried to copy the b***.exe by Mr. Torvalds to the South African folder to see if it is related to Ub****.exe. I even tried to launch b***.exe -c ‘netc**.exe -e ip/port’ to see if it would give me a reverse root shell, because b***.exe runs under root.
Still stuck on the b***.exe :cry:

I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

@notoriousclg said:
I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

Watch “Ippsec Nightmare” on YouTube

@garnettk said:

Watch “Ippsec Nightmare” on YouTube

I’ll rewatch it, but I already saw his SQL injection… I’m missing how he interprets lack of bad characters to mean “Here’s where I can inject” versus “The app just sanitized the input”. I’ll rewatch…

EDIT: I got user, but not with the way I think I was supposed to. Will work on root now.

I’m having trouble getting a shell once connected through s*b. Could someone help me please via PM? Thank you.

Nevermind, a reverse shell I previously thought was not working… is now working.

X_X

@Virgula said:
I’m having trouble getting a shell once connected through s*b. Could someone help me please via PM? Thank you.

Watch IppSec - Active on YouTube