Giddy


Comments

  • Is there anyone alive? Please help with root.


  • For those struggling with ideas for the SQLi you'll find handy methods in https://www.exploit-db.com/papers/12975

  • edited February 2019
    > @isuckathacking said:
    > For those struggling with ideas for the SQLi you'll find handy methods in https://www.exploit-db.com/papers/12975

    Although it is a nice paper, it puts more emphasis on the general techniques.

    I believe this one is better suited to this particular situation.

    https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wendels-small-hacking-tricks-microsoft-sql-server-edition/
  • Finally got root. Was overcomplicating things on Privesc.


    fbbc

  • I have the exploit and payload, I just need the right command to trigger the whole thing. Can someone help me in PM?

    peek

  • Can someone give a hand with the SQLi and hash exfiltration? I've been stuck for the last two days, most probably due to a lack of experience with this.

  • Thanks to the people who helped me, finally got root.

    peek

  • edited February 2019
    Also rooted. A very well made box with a nice touch of realism; I really liked the approach to SQLi, something I've never done before, at least not in this way.
    I expected to see output in the browser and I thought I was doing something wrong.

    Hint for user: Do it manually, don't overthink it.

    Root: I felt so dumb after trying everything while using the wrong name for the service; I really don't know what I was thinking.
    Hint: Once you gain access through that PowerShell Web Access, it is really right in front of you, google it ;)
  • I'm stuck on root, got the service I need but somehow it doesn't execute my payload, could someone give a hint?

  • edited February 2019

    > @npaskov said:
    > I'm stuck on root, got the service I need but somehow it doesn't execute my payload, could someone give a hint

    Make sure you are using the correct service name, no, not the one from the output of "ps".
    I suppose you have figured out by now that msf payloads wouldn't execute "as is".

  • good

    I am sure I have the service that is exploitable. I create an exe file and upload it. When I start and stop the service the exe file disappears from the server and I am also not getting a reverse shell. The exe was created with msfvenom using the shikata_ga_nai option.

    Any nudge would be appreciated
    B.

  • I don't want to read the whole topic because I don't want to get a spoiler :)
    Could you please help with the following: I found * databases with *****p but can't find any creds or anything useful except a few logins (which I set up for brute force with the w***m msf module, but I don't have any result). Now it seems like a rabbit hole. Could you please confirm whether I'm going in the right direction or not?

  • With some help I finally got my unpriv user shell. I'll drop the hint that in these environments DNS resolution isn't always available to services on a remote server.

    You can use Linux to get access to the remote service. Windows VM is not required.

  • Hey guys,

    Still no root! I am able to compile and get a reverse shell after doing what seems to be right with the proper service, but that shell is still under an unprivileged user and nothing higher.

    Can I obtain some assistance to validate what I am missing in the process?

    PP

    pp123

  • I think there is an antivirus removing the payloads.
    PM me. Rooted!

  • @devloop said:

    Hey, can you give me a hint? I found MVC and did SQL injection but only found a username. Unable to find anything else, what to do next?

    If I helped you and tried to explain to you, just give me a respect. Click on the img to get my profile link!
    Profile : https://www.hackthebox.eu/home/users/profile/17564

  • @Impulse said:

    I found SQL injection but am unable to find anything interesting. Kindly help, what to do?


  • > @parteeksingh said:
    > > @Impulse said:
    > >
    > > I found SQL injection but am unable to find anything interesting. Kindly help, what to do?

    Pm me
  • For getting priv esc for root did anyone find any methods that did not require uploading payloads?

    I'm curious as to other methods besides the one the system clues you on.

  • > @Phr33fall said:
    > > @iswearimnotalu said:
    > > I've managed to get the classic Windows hash through Res*****r and xp_****** of \G****\s***y, but cracking it with john I get 'NO PASSWORD', so doesn't seem to me the right road.
    > >
    > > Any hints? :anguished:
    >
    > Use hashcat with rockyou.txt and best64.rule ;)

    Why does my hashcat always give me this?
    Dictionary cache built:

    • Filename..: /usr/share/wordlists/rockyou.txt
    • Passwords.: 14344391
    • Bytes.....: 139921497
    • Keyspace..: 1104517568
    • Runtime...: 4 secs

    [s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => Segmentation fault

    mitoOo

  • edited February 2019

    Amazing box, brainfuck lvl 7/10 lolz

  • Thanks to everyone who has posted thus far! Little nudges here and there have helped me learn a bunch.

    If anyone wouldn't mind nudging me a little bit, I am struggling with the s***. I found a user and enumerated the db, but I wasn't able to find a hash. I'm trying to use x**********, I think I'm missing something regarding the syntax because I keep getting errors.

  • My comments:

    USER:

    The biggest hurdle was as usual for me a small problem. Use the FULL username ¬_¬

    I found this helpful: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wendels-small-hacking-tricks-microsoft-sql-server-edition/

    tbfh if you haven't seen this before you have no chance :(

    ROOT:

    My biggest hurdle was using the wrong name AGAIN! Other than that, pretty straightforward.

  • I rooted this one. As a bit of a hint for the privesc, google basic antivirus evasion techniques.

    Feel free to pm me if you need any hints.

  • I'm on the way to root now :disappointed:
    Can I ask how to bypass: Program '********.***' failed to run: This program is blocked by group policy. For more information, contact your system administrator.?

    mitoOo

  • For me the root was easier than the user part. Feel free to pm me if you need any hints.

  • edited February 2019

    I think I have a method of getting a root shell. I've attempted it, but it didn't work as I expected. Can someone DM me regarding this, so I can run my hypothesis by them?

    Never mind! root shell.... XD

    Awesome box.

  • edited February 2019

    nvm, got user.

  • This was an excellent box. I learned something completely new to me for each step from foothold to privesc. Thanks @lkys37en ! More plz!

    x0xxin

  • > @sickwell said:
    > > @avetamine said:
    > >
    > > Hint for user: Do it manually, don't overthink it.
    >
    > You mean if I do it manually, I'll probably receive the hash in a more friendly format?

    I mean, I couldn't find a way to retrieve output from the browser, so I used sqlmap with a custom query.