SecNotes

Hi !

Can someone give me a hint for the root flag ?

I have the “second shell” by using the feature given by this windows 10.

i’m enumerating lots of things but i don’t find the way to get the root.txt.

Thanks

whenever i try to run ****.exe i get error as “mesg: ttyname failed: Inappropriate ioctl for device” can someone help me
i am on the last stage to get root please PM

I am root, but i don’t see the flag , what happened here? — NEVERMIND I HAVE THIS I THINK…

ROOTED!!! great machine!

I tried to copy the b***.exe by Mr.torvalds to the South African folder to try if it is related to Ub****.exe , I even tried to launch b***.exe -c ‘netc**.exe -e ip/port’ to try if it would give me a reverse root shell because b***.exe runs under root.
still stuck by the b***.exe :cry:

I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

@notoriousclg said:
I must be severely missing something with SQL injection. I think I’ve found where the injection point is (I’ve tested 500 vs non-500 responses in 2nd-order SQLi) but I can’t exploit to get any kind of meaningful response, even boolean injection either… Anyone PM me with a hint on what I should be looking at closer?

I’m all for learning and hammering away but I’m going on 4 hours of injecting on this one point and I think I’m just missing some “obvious”/“simple” thing as everyone has said earlier in this thread…

Watch “Ippsec Nightmare” on YouTube

@garnettk said:

Watch “Ippsec Nightmare” on YouTube

I’ll rewatch it, but I already saw his SQL injection… I’m missing how he interprets lack of bad characters to mean “Here’s where I can inject” versus “The app just sanitized the input”. I’ll rewatch…

EDIT: I got user, but not with the way I think I was supposed to. Will work on root now.

I’m in trouble to get a shell once connected throught s*b. Could someone help me please via pm? Thank You

Nevermind, a reverse shell I previously thought was not working… is now working.

X_X

@Virgula said:
I’m in trouble to get a shell once connected throught s*b. Could someone help me please via pm? Thank You

Watch IppSec - Active on YouTube

Rooted!
Flag Captured!

I was about to give up, but then I decided to give it the last shot and bang, basic understanding of Linux filename saved me!

Rooted! This took a lot longer than I would’ve wanted, but whatever – I consider it a good challenge if I learn new tricks along the way. Thanks to pablovidela for the nudge, getting stable access was a pain but when it was obtained the rest was just enumeration. Great challenge!

I’ve managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I’ve created. Anyone that can PM me a hint?

EDIT: I’m working on exploiting the u*****.exe to try and bypass access restrictions and such… anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit…

@notoriousclg said:
I’ve managed to get access but am trying to find some unusual files that can be executed by me that would get me up to Administrator level. Struggling using the shell I’ve created. Anyone that can PM me a hint?

EDIT: I’m working on exploiting the u*****.exe to try and bypass access restrictions and such… anyone that can PM me a hint? Trying to reverse shell out from my current shell to exploit…

No need to do anything for root other than look for clues that user has left

Hmmm I think I’ve found it, but I’m not finding a way to actually use some credentials I’ve found, even with a shell on the machine… Any other pointers?

Tried using a three-letter database service running on the machine using creds found, but it only prints out information then returns me back out of the program… Will keep pushing.

I can upload files and get a shell fired up, but I cannot interact with it. I try to even run a DIR command, and it seems to freeze, then after a few seconds, the shell drops. Someone PM some hints on a stable shell to use?

EDIT: Got a stable shell and user.txt. Learned a new method on that one! Now for root!

rooted! Hint sometimes you get blind trying to execute when you can do more stuffs

Hey guys,

I am able to launch “b***.exe” and I also ran enumeration on that x side, but still not seeing the way to get elevated Admin access on the W** side. If you guys can give me a little hint it will be appreciated.

Thanks,

PP

EDITED: There is a very good hint on previous posts! I got “root” and learned that all files needs to be carefully reviewed, even those that you think “nah, that file has nothing!”

Would really appreciate a PM to discuss what I am doing wrong here.

I have created a VM on my side and installed the same “things” on the VM to mimic secnotes. I can get the reverse shell I want from my VM, but I cannot do the same with secnotes. Is my shell just not stable enough to run either of the EXE’s I am trying to run?

The four-letter EXE with no args runs fine on my VM, but kills my reverse shell when trying on secnotes. The six-letter EXE with the “run” flag does the same. No matter what I try, I cannot keep my shell alive.

EDIT: It was the reverse shell I was using. I had the “official” version from their site, but I grabbed a different version from GitHub, and it is now stable enough to run the four-letter EXE without crashing.

@MakoWish said:
Would really appreciate a PM to discuss what I am doing wrong here.

I have created a VM on my side and installed the same “things” on the VM to mimic secnotes. I can get the reverse shell I want from my VM, but I cannot do the same with secnotes. Is my shell just not stable enough to run either of the EXE’s I am trying to run?

The four-letter EXE with no args runs fine on my VM, but kills my reverse shell when trying on secnotes. The six-letter EXE with the “run” flag does the same. No matter what I try, I cannot keep my shell alive.

Seconded. I can get the four-letter exe running with no args but am not seeing how I can get Admin from that. Will keep poking if people would stop resetting the box XD