Giddy

I think there is an antivirus removing the payloads…
PM me… rooted!

@devloop said:
Hey, can you give me a hint? I found MVC and did SQL injection but only found the username. Unable to find anything else, what to do next?

@Impulse said:

I found SQL injection but am unable to find anything interesting. Kindly help, what to do?

@parteeksingh said:
@Impulse said:

I found SQL injection but am unable to find anything interesting. Kindly help, what to do?

PM me

For getting priv esc for root did anyone find any methods that did not require uploading payloads?

I’m curious as to other methods besides the one the system clues you on.

@Phr33fall said:

@iswearimnotalu said:
I’ve managed to get the classic Windows hash through Resr and xp_* of \G****\s***y, but cracking it with john I get ‘NO PASSWORD’, so doesn’t seem to me the right road.

Any hints? :anguished:

Use hashcat with rockyou.txt and best64.rule :wink:

why does my hashcat always give me this
Dictionary cache built:

  • Filename…: /usr/share/wordlists/rockyou.txt
  • Passwords.: 14344391
  • Bytes…: 139921497
  • Keyspace…: 1104517568
  • Runtime…: 4 secs

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => Segmentation fault

Amazing box, brainfuck lvl 7/10 lolz

Thanks to everyone who has posted thus far! Little nudges here and there have helped me learn a bunch.

If anyone wouldn’t mind nudging me a little bit, I am struggling with the s***. I found a user and enumerated the db, but I wasn’t able to find a hash. I’m trying to use x**********, I think I’m missing something regarding the syntax because I keep getting errors.

My comments:

USER:

The biggest hurdle was as usual for me a small problem. Use the FULL username ¬_¬

I found this helpful: Wendel's Small Hacking Tricks - Microsoft SQL Server Edition | Trustwave | SpiderLabs | Trustwave

tbfh if you haven’t seen this before you have no chance :frowning:

ROOT:

My biggest hurdle was using the wrong name AGAIN! Other than that pretty straight forward.

I rooted this one. As a bit of a hint for the privesc google basic antivirus evasion techniques.

Feel free to pm me if you need any hints.

I’m on root’s way now :disappointed:
Can I ask how to bypass: Program ‘*****.’ failed to run: This program is blocked by group policy. For more information, contact your system administrator.?

For me the root was easier than the user part. Feel free to pm me if you need any hints.

I think I have a method of getting a root shell. I’ve attempted it, but it didn’t work as I expected - can someone DM me regarding this, so I can run my hypothesis by them?

Never mind! root shell… XD

Awesome box.

nvm, got user.

This was an excellent box. I learned something completely new to me for each step from foothold to privesc. Thanks @lkys37en ! More plz!

@sickwell said:

@avetamine said:

hint for user: Do it manually, don't overthink it.

You mean if I do it manually, I probably receive the hash in a more friendly format?

I mean, I couldn’t find a way to retrieve output from the browser, so I used sqlmap with a custom query.

I thought I was going to miss the chance to get root in this challenging box, but I could. I learned tons. Enumeration is the key. Also, I tried several AV evasion techniques, Veil, Hyperion, encryption… but none of them worked; only a simple C# script did the work… The thing is the connection is not stable enough to carry a meterpreter, I think…

Yes, it is sad that this machine is going to be retired.

I think I just about have this one rooted. Can someone give me a nudge on getting t********* to execute correctly?

Fun box. I tried it after watching IppSec’s walkthrough. A few points regarding the walkthrough that might help if you are a noob like me:

  1. IppSec’s vid is pretty good, but I suggest going through his full vid before you try attempting his techniques. He had quite a bit of trial and error, and it’s good to understand the thought process, but there is no point just replicating the dead ends he got.

  2. For privesc, he relies on his Windows machine to compile an easily available “bypass AV” reverse shell code. You can actually compile this code on Giddy itself as it has the required .Net framework installed (maybe not the same version as shown in the vid, I think). So you don’t need to exit your Kali. Also for this type of shell, this article helps understand the concepts: Undetectable C# & C++ Reverse Shells | by Bank Security | Medium

  3. Both user and root owns use common techniques useful for other boxes. For beginners, his video has a lot of valuable lessons, like:

  • easy to follow SQL injection using Burp
  • Exec methods via MSSQL
  • obtaining and then cracking NTLMv2 hash
  • Serving a file to remote machine via SimpleHTTP and also SMBServer
  • Options to detect execution authority, and options to bypass AV detection
  • PS methods to search configured services in Windows box and start/stop services
  • Setting up a simple listener