SecNotes

okay, it’s easy to get a reverse shell, for the privesc i think i should use what i’ve on Desktop (Torvalds) the problem that any command is hanging and i don’t if it is machine issue or my fault !! any help please ?

Hey All. I have user access and a stable shell but I haven’t been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don’t want to give any spoilers but I’m getting permissions errors trying to access the root flag from the subsystem. Thanks!

@redcypress said:
Hey All. I have user access and a stable shell but I haven’t been able to figure out the priv esc on this box. Can someone willing to help please PM me? I don’t want to give any spoilers but I’m getting permissions errors trying to access the root flag from the subsystem. Thanks!

Never mind. Just got root flag. Wahoo!

Hey guys, can someone give me a pointer? I am massively missing something! Thanks!

Someone could help me via p.m for the easy step on this machine?

Hi !

Can someone give me a hint for the root flag ?

I have the “second shell” by using the feature given by this windows 10.

i’m enumerating lots of things but i don’t find the way to get the root.txt.

Thanks

whenever i try to run ****.exe i get error as “mesg: ttyname failed: Inappropriate ioctl for device” can someone help me
i am on the last stage to get root please PM

I am root, but i don’t see the flag , what happened here? — NEVERMIND I HAVE THIS I THINK…

ROOTED!!! great machine!

I tried to copy the b***.exe by Mr.torvalds to the South African folder to try if it is related to Ub****.exe , I even tried to launch b***.exe -c ‘netc**.exe -e ip/port’ to try if it would give me a reverse root shell because b***.exe runs under root.
still stuck by the b***.exe :cry:

I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

@notoriousclg said:
I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

Watch “Ippsec Nightmare” on YouTube

@garnettk said:

Watch “Ippsec Nightmare” on YouTube

I’ll rewatch it, but I already saw his SQL injection… I’m missing how he interprets lack of bad characters to mean “Here’s where I can inject” versus “The app just sanitized the input”. I’ll rewatch…

EDIT: I got user, but not with the way I think I was supposed to. Will work on root now.

I’m in trouble to get a shell once connected throught s*b. Could someone help me please via pm? Thank You

Nevermind, a reverse shell I previously thought was not working… is now working.

X_X

@Virgula said:
I’m in trouble to get a shell once connected throught s*b. Could someone help me please via pm? Thank You

Watch IppSec - Active on YouTube

Rooted!
Flag Captured!

I was about to give up, but then I decided to give it the last shot and bang, basic understanding of Linux filename saved me!

Rooted! This took a lot longer than I would’ve wanted, but whatever – I consider it a good challenge if I learn new tricks along the way. Thanks to pablovidela for the nudge, getting stable access was a pain but when it was obtained the rest was just enumeration. Great challenge!

I’ve managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I’ve created. Anyone that can PM me a hint?

EDIT: I’m working on exploiting the u*****.exe to try and bypass access restrictions and such… anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit…

@notoriousclg said:
I’ve managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I’ve created. Anyone that can PM me a hint?

EDIT: I’m working on exploiting the u*****.exe to try and bypass access restrictions and such… anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit…

No need to do anything for root other than look for clues that user has left

Hmmm I think I’ve found it, but I’m not finding a way to actually use some credentials I’ve found, even with a shell on the machine… Any other pointers?

Tried using a three-letter database service running on the machine using creds found, but it only prints out information then returns me back out of the program… Will keep pushing.