Spoiler Removed
@Ishara1995 , please look at my comment ^^. It should help you.
I need a nudge with priv esc. I’m blank xd
@jagomezg said:
I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?
Sorry, I need help, where do I get that .xl file?
@ntroot and @ZeroPath - the required method is part of some Windows priv esc checklists and scripts, but not mentioned in the shorter ones.
But I just checked: From the first page of search results on Windows priv esc several articles cover it.
Think like: What are the different ‘things’ in Windows a user can have access to?
@ecolmenaresb said:
@jagomezg said:
I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?
Sorry, I need help, where do I get that .xl file?
Enumerate more, you’ll find a very common port, then try to connect to.
I have the user (thanks @Ahm3dH3sham and @peek), time for root. Haven’t managed to get a shell yet though so a closer look is needed I think! If anyone needs help for user, feel free to DM me.
Quick question. I am in the db-service and trying to use a xp******** to capture a N*** hash. Unfortunately Querier does not seem to actually connect to my hackbox. Am I thinking entirely wrong?
@Maglok said:
Quick question. I am in the db-service and trying to use a xp******** to capture a N*** hash. Unfortunately Querier does not seem to actually connect to my hackbox. Am I thinking entirely wrong?
Giddy
Spoiler Removed
@mcruz said:
@ecolmenaresb said:
@jagomezg said:
I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?
Sorry, I need help, where do I get that .xl file?
Enumerate more, you’ll find a very common port, then try to connect to.
tcp,135,139,445,1433,5985, one that I’m not taking into account?
I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.
@sportsfreak said:
I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.
via xp*******L you can upload files and even get a big step on root
I’m totally stuck on this one. Found no default creds, no exploits from metasploit work and I get no information from smb. If anybody could help me, would appreciate
@4ndr34z said:
A great box!! But I really wish people stopped being assholes and deleting stuff… I wasted two days (mostly nights) because some motherfucker had deleted a file. And it was not done just once, because the box was reset multiple times in-between!! What gives?!? It is not the first time this has happened either. Yes, I should go VIP and I will… But this is not ok!!
We were working on this box at the same time and this happened to me too! Extremely unstable after getting a shell due to the need to upload files to Querier and people constantly resetting the box.
For privesc, just keep enumerating the box until you find something obvious. I spent a lot of time on dead ends due to overthinking.
Special thanks to @ferreirasc for the assistance!
Great box, @egre55 and @mrh4sh! Learned a ton through trial and error.
Got user. Hints:
- Enumerate the ■■■■ out of SMB and any/all files you come into contact with
- When I feel like laughing, I get a little Giddy
- November Telecaster Lightning Manchester. Get those hashes, there’s a great module in metasploit for this
- Impacket will make sense if you did steps 1-3 right
- Windows XP surely had a command shell, right?
Now onto root.
@peek said:
@sportsfreak said:
I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.
via xp*******L you can upload files and even get a big step on root
You referring to alamot? or something else? I think alamot uses ceu* to copy files but that didn’t work for me either
I could really need a point in the right direction. I got access to the ml db with the credentials found in the file. These credentials do not give me access to run xc commands, and I really can’t find any way to escalate permissions. Checked a LOT of tables without any dice. What am I missing here?
@sportsfreak said:
@peek said:
@sportsfreak said:
I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.
via xp*******L you can upload files and even get a big step on root
You referring to alamot? or something else? I think alamot uses ceu* to copy files but that didn’t work for me either
alamot encrypted commands in b64 I think, but you can bypass stuff with powershell
@kr0gh said:
I could really need a point in the right direction. I got access to the ml db with the credentials found in the file. These credentials do not give me access to run xc commands, and I really can’t find any way to escalate permissions. Checked a LOT of tables without any dice. What am I missing here?
Take a look at IPPSEC video on Giddy.