Giddy

I really enjoyed this box and learnt some valuable lessons along the way. Many thanks to @lkys37en for a great learning experience.

Initial foothold:

Enumeration was the key. Upon discovering the right area you can search for a new bicycle tire (perhaps yours had been punctured?).

User:

Using a common method should reveal some interesting information. Something you see can guide you on the right path but you must go out of band and understand how to respond to the situation. If you get lucky with your research (as I did) a familiar four-legged friend (with the help of a little bird) can show you the way. I imagine this was intended(?) and if so was a great lesson concerning the importance of reconnaissance.

After obtaining the desired information hashcat is your friend and you can use the result to access a different service. There are plenty of guides about how to access the service online and don’t be discouraged if your login attempts fail at first, you just need to deal with how the creds need to be entered.

Admin:

Once in, the clue needed for privesc is in front of you.

I wanted an admin reverse shell using the exploit as I wanted to practice some evasion techniques. It is indeed helpful (although not strictly necessary) to have a Windows VM available for testing if you do this and some trial and error with different tools may be required. https://developer.microsoft.com/en-us/windows/downloads/virtual-machines.

I read that some people managed to achieve privesc without uploading anything. If anyone who did this is willing to share please could you DM me. If anybody wants to discuss techniques or needs a sanity check then I’m happy to help in DM. I hope there are no obvious spoilers in the above but if you have got this far into the thread then most of what I have said has already been covered.

@gongol nice wording… I was curious about the lack of upload as well; haven’t heard from anyone about this… methinks it’s BS

I’m partially through the initial foothold. I’ve found some services, the MVC and a way to get information out. Hints here seem to refer to the use of SPs to get RCE. This isn’t working for me however. Something wrong with my syntax, or maybe I’m exploiting the wrong endpoint. A DM and some nudges are welcome!

Rooted! I really liked this box. Great mix of paths, common/realistic exploits and rabbit holes. A good Windows box that no one should need meterpreter or any other msf post exploit modules for.
I would add this to an OSCP-like list for anyone gearing up for that. Granted it’s a more modern OS, but the techniques are universal and it’s good Windows practice.
It can be completed 100% from Kali with the right tools.

Is the 500 normal when trying to gain an initial foothold? Or am I just too dumb to use my tools correctly? I’d appreciate a hint.

@dmaendlen said:
Is the 500 normal when trying to gain an initial foothold? Or am I just too dumb to use my tools correctly? I’d appreciate a hint.

If you’re referring to the P* page - then yes, that’s normal. Check the error message displayed, which should give you an idea on what to do next.

@clmtn said:
If you’re referring to the P* page - then yes, that’s normal. Check the error message displayed, which should give you an idea on what to do next.

I know the vuln and I’m actively trying to exploit it. The thing is, the tool I’m using usually gives up citing too many 500 errors.

Sorry for phrasing it a bit vaguely but I’d like to avoid spoiling it for others, even though most of the thread doesn’t care about that, obviously. :frowning:

Cool box, was able to learn a lot of things, got user and root.
PM me if you have questions.

Hi, I’m working on Giddy for the last 3 days. I was able to do sqli with un*** s*****, gather some info, username sty, db name Icn, etc, now on to shell xp_cl. Some folks here also mention xp_d**. Appreciate any hints on which way I should go.
thx

Got System. IMO this is one of the best machines.

I am stuck. I’m still not able to stop or start or even list any services. This is required to run my exploit. Can anyone help?

@starcraftfreak said:
I am stuck. I’m still not able to stop or start or even list any services. This is required to run my exploit. Can anyone help?

Well… Thanks to some help, I realized I did not need to run a PowerShell cmdlet to list the services. The service name I needed is found in some files on the machine. Box rooted. :slight_smile:

So I’m stuck on the last piece, I can start/stop service but none of my payloads will run. Anybody able to nudge?

@voncount said:
So I’m stuck on the last piece, I can start/stop service but none of my payloads will run. Anybody able to nudge?

I’ll send you a PM.

Thanks @clmtn, I’d give you another respect if I could :slight_smile:

Hey friends stuck on finding identification info
So far I found the path rxxxtx and the m **
In addition I also found the S*** but stuck in finding identification information

plz pm me

Got User. Thanks @clmtn and @Impulse for help.

Got root. PM me for hint. Thanks again @clmtn and @Impulse for hints. This is my 4-5 Windows machines. Not able to proceed faster. Thanks for your hints.

Fun box. First one I’ve done that didn’t feel like another CTF.

Stuck… found the right service, found the right file, uploaded my file, did something to make it work…
Output says it worked, but it actually did not. May I get some help with fine-tuning the attack?

EDIT: systemed. Be patient - it takes a while to spawn a shell.

I’m not sure what was said in this thread, but make sure to Google for the service name when doing the PrivEsc!!
I wasted so much time trying to figure out the service name and I found it immediately after googling some keywords. The vulnerability is known and can be found in Kali and online.