Giddy

@saketsourav said:
Trying for so long… but not able to find the proper syntax for xp_d*****.

Same boat. Is somebody able to give me a little push in the right direction?
Many thanks!

I got a s** inje***** on MVC… is it useful or a complete waste of time? I haven’t found any creds here yet, only a bin file, nor privileges to get output from an OS shell via a s** statement. I’d appreciate it if someone could PM me.

Greetings from Greece!!
I am still on the initial foothold. I’ve used sql-in****** on MVC, found all the DBs, 2 users, and 1 pass and passwordsalt, but I can’t crack it. Any help would be appreciated!!
Thank you!

@manick69 said:
Greetings from Greece!!
I am still on the initial foothold. I’ve used sql-in****** on MVC, found all the DBs, 2 users, and 1 pass and passwordsalt, but I can’t crack it. Any help would be appreciated!!
Thank you!

Use John the Ripper with a wordlist of commonly used words from Kali Linux; it will not take more than 5 minutes to crack it.

Could somebody help me please? I found the vid in the users folder. I found the exploit for it. But there is a task****.exe by default. That file should not exist according to the exploit… I reverted the machine, but it is still there. I cannot delete it because of running processes. Permission denied when I try to stop the process…

Anyone willing to DM me discussing sqli??? In addition to the exposed path I’ve managed to get an actual user in traditional ‘DOMAIN\USER’ form as well as only 1 table name, but I’m at a standstill now, running out of ideas to try. Gonna dig some more and read some more injection sources… would be nice to bounce ideas off someone…

@zauxzaux said:
Anyone willing to DM me discussing sqli??? check pm

I don’t know what happened. Suddenly my approach started working as I wanted from the beginning. “Rooted” / “Administered” or whatever it is called in a Windows environment. I think there were too many people trying to do the same…

Initial Foothold
The user part was really confusing. I lost a lot of time doing useless things; some clues in the thread, as some say, can be misinterpreted. To begin with, you should enumerate as usual and exploit one of the most common vulnerabilities in the OWASP Top

User
This is where they mention the use of xp_de. It is also important to know about a new service that you do not see in Nmap; it is difficult to say more without spoilers. Nevertheless, I had to research xp_d e a lot to combine two services and manage to exploit them… The rest is to use JTR and follow your instinct.

Administrator
The root part was easier, but I was also losing time with PS. The most important clue is in the first directory; look it up on Google. When you know what to do, keep in mind that if you already exploited a service you can take advantage of it again rather than racking your brain over more complex things…

OK… so I finally figured out how to start/stop services… but no dice… smh wtf lol

Anyone who didn’t get system by uploading a payload to the target wanna DM me? I’m curious how it was done without this, as this was the only way I was willing to get root… fun box for sure

Stuck on the web access :( “Auth Fail… verify you are auth to conn…”.

I have the login details but no joy… please help me lol

@zauxzaux said:
Anyone willing to DM me discussing sqli??? In addition to the exposed path I’ve managed to get an actual user in traditional ‘DOMAIN\USER’ form as well as only 1 table name, but I’m at a standstill now, running out of ideas to try. Gonna dig some more and read some more injection sources… would be nice to bounce ideas off someone…

I can’t even get this far, there seems to be length limiting or something, I can’t figure it out…

@umby24 This messed me up for a while, but the mistake was trying to get too much information out of it, which can be a rabbit hole… You should be focused on how you might be able to execute a command via that injection and how that might be useful… If you don’t know the tech behind it you’ll get stuck for hours… DM if you need a nudge.

@zauxzaux said:
@umby24 This messed me up for a while, but the mistake was trying to get too much information out of it, which can be a rabbit hole… You should be focused on how you might be able to execute a command via that injection and how that might be useful… If you don’t know the tech behind it you’ll get stuck for hours… DM if you need a nudge.

I knew the tech, I just didn’t enumerate fully.

Took a couple of hours after getting user, but I got root!

Could someone please PM me and provide me with some resources to read for the PowerShell segment of this box?
I am struggling to escalate privileges.
Any help is appreciated!
Thanks in advance.

I really enjoyed this box and learnt some valuable lessons along the way. Many thanks to @lkys37en for a great learning experience.

Initial foothold:

Enumeration was the key, upon discovering the right area you can search for a new bicycle tire (perhaps yours had been punctured?).

User:

Using a common method should reveal some interesting information. Something you see can guide you on the right path but you must go out of band and understand how to respond to the situation. If you get lucky with your research (as I did) a familiar four legged friend (with the help of a little bird) can show you the way. I imagine this was intended(?) and if so was a great lesson concerning the importance of reconnaissance.

After obtaining the desired information, hashcat is your friend and you can use the result to access a different service. There are plenty of guides online about how to access the service, and don’t be discouraged if your login attempts fail at first; you just need to deal with how the creds need to be entered.

Admin:

Once in, the clue needed for privesc is in front of you.

I wanted an admin reverse shell using the exploit as I wanted to practice some evasion techniques. It is indeed helpful (although not strictly necessary) to have a windows VM available for testing if you do this and some trial and error with different tools may be required. https://developer.microsoft.com/en-us/windows/downloads/virtual-machines.

I read that some people managed to achieve privesc without uploading anything. If anyone who did this is willing to share please could you DM me. If anybody wants to discuss techniques or needs a sanity check then I’m happy to help in DM. I hope there are no obvious spoilers in the above but if you have got this far into the thread then most of what I have said has already been covered.

@gongol nice wording… I was curious about the lack of upload as well; haven’t heard from anyone about this… methinks it’s BS

I’m partially through the initial foothold. I’ve found some services, the MVC and a way to get information out. Hints here seem to refer to the use of SPs to get RCE. This isn’t working for me however. Something wrong with my syntax, or maybe I’m exploiting the wrong endpoint. A DM and some nudges are welcome!