SecNotes

i am stuck hard on root flag all day now…i have a shell inside b*** but seems im not as root as i thought i was. anyone care to PM me a hint? i have read all in this thread(which makes me think i should have found it ages ago lol). im sure it’s something i overlooked.

Update:

so…box was just reset…logged back in…get my shells…read a file that i swear i read before.
Got root!

I currently have a reverse shell back to my linux machine. As others have mentioned, it drops when an error occurs or I try running the obvious executables. How can I get an interactive stable shell back to my machine ? I looked online and all I found were non interactive to ineractive shells for linux based victim’s. Any suggestions or nudges would help. Thanks!

EDIT:

I was using a different version of n****t.exe and that was effing things up. Thanks for the box.

(11) completed in 1 and 1/2 day with some direction
learned about linux subsystem vulnerability inside windows.

Very good box! I have learned a lot and thank you all for good advices! the tip:

  1. Do not overthink the solution. Try easiest options first.
  2. For point 1, when you find the thing check how you can expand it, how it works.
  3. Connect to the box and enumerate it. Once again the solution is straight forward. Once you will get it try to find how you can get more perm.

If anyone will need hints I’m happy to assist.

I stuck at the initial foothold. It was a long and intense struggle, but I learned a lot and finally I was able to find my way. This box was an amazing ride. Thank you 0xdf

Getting the initial foothold was the most confusing thing about this box, the user shell was comparatively easy. Tbh, I have no clue why so many people in the thread complained about unstable shells. Getting root read access was easy enough but I wanted a root shell. I even talked to a coworker because my usual tricks didn’t work out. Now it works and I’m happy :wink:

Rooted. If anybody can PM me to talk about the privesc, I think I got root in a slightly different way

Stuck at… well… the beginning :-). Anyone who could gimme a tip or something how to obtain user?

Got user, I have found a way to get root but can’t see any file. Can someone PM me to check if I am on the wrong path ? Thanks !
EDIT: Got root, learned a lot, thanks to @clmtn and to @0xdf for the box !

Rooted
New things, nice box :+1:

Cool box, was able to learn few things, got user and root.
Let me know if you guys have questions.

all day on this box, and finally got root, and root.txt. Thanks for hints @xterminal01 and @clmtn

Got root. It take me all the day :smiley:
I struggled most of the time with the first foot hold which was new concept to me.
I’d to thank @anina for the tips.

I have got user on this box. But could not find a way to get root. Can someone give me some hints on privilege escalation?

Just pwned the system. That was quite cool and I learned a bunch, mainly about win 10 ‘features’ :slight_smile: Great box!

@xoxoxo said:
I have got user on this box. But could not find a way to get root. Can someone give me some hints on privilege escalation?

Look for something that should not be on the Windows machine, but on the some other OS l… :slight_smile:

Can someone help me with shell i get Something went wrong. Please try again later.

I have found some has*** from inital foothold. Do i need to brute force with has****. I tried it for all the user but un successfull.

am i in right path? please guide

Type your comment> @Underworld said:

Rooted.

My feedback for areas I got stuck on (aside of my OVPN client not working and me thinking it was a flaky shell):

I got stuck on some injection right at the beginning. I sat down and wrote down what I thought was the query being executed, then wrote into that what I would do to bypass it. Copied and pasted and that worked.

Spin through Wikipedia’s page on new features to Windows 10. There are some really weird looking directories and files on the box. It should ring some bells when you see it in the Windows 10 feature listing.

When you know what you are looking for GO FIND IT.

At this point, start enumerating like you would do a new box.

Good luck!

Hey there,

I’m trying the injection route to eventually get to an initial foothold, and I did notice something after submitting a new note i.e. how the entry gets referenced to an id and ends with ". I looked online to see what that could be, either it’s a commenting out thing or something tied to php. Would you be able to provide any hints? I think I’m getting somewhere.

@darkrealm12 said:

Hey there,

I’m trying the injection route to eventually get to an initial foothold, and I did notice something after submitting a new note i.e. how the entry gets referenced to an id and ends with ". I looked online to see what that could be, either it’s a commenting out thing or something tied to php. Would you be able to provide any hints? I think I’m getting somewhere.

This box retired quite some time ago. You might find it easier to look through one of the write ups to find a solution (there are a lot of write ups).