Querier

Spoiler Removed

@Ishara1995, please look at my comment ^^. It should help you.

I need a nudge with priv esc. I’m blank xd

@jagomezg said:

I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?

Sorry, I need help, where do I get that .xl file?

@ntroot and @ZeroPath - the required method is part of some Windows priv esc checklists and scripts, but not mentioned in the shorter ones.

But I just checked: From the first page of search results on Windows priv esc several articles cover it.

Think like: What are the different ‘things’ in Windows a user can have access to?

@ecolmenaresb said:

@jagomezg said:

I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?

Sorry, I need help, where do I get that .xl file?

Enumerate more, you’ll find a very common port, then try to connect to.

I have the user (thanks @Ahm3dH3sham and @peek), time for root. Haven’t managed to get a shell yet though so a closer look is needed I think! If anyone needs help for user, feel free to DM me.

Quick question. I am in the db-service and trying to use a xp******** to capture a N*** hash. Unfortunately Querier does not seem to actually connect to my hackbox. Am I thinking entirely wrong?

@Maglok said:

Quick question. I am in the db-service and trying to use a xp******** to capture a N*** hash. Unfortunately Querier does not seem to actually connect to my hackbox. Am I thinking entirely wrong?

Giddy

Spoiler Removed

@mcruz said:

@ecolmenaresb said:

@jagomezg said:

I have creds from .xl file, but I can’t connect to db, I’m using ms***-cli, any hint?

Sorry, I need help, where do I get that .xl file?

Enumerate more, you’ll find a very common port, then try to connect to.

tcp,135,139,445,1433,5985, one that I’m not taking into account?

I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.

via xp_******> @sportsfreak said:

I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.

via xp*******L you can upload files and even get a big step on root

I’m totally stuck on this one. Found no default creds, no exploits from metasploit work and I get no information from smb. If anybody could help me, would appreciate

@4ndr34z said:
A great box!! But I really wish people stopped being assholes and deleting stuff… I wasted two days (mostly nights) because some motherfucker had deleted a file. And it was not done just once, because the box was reset multiple times in-between!! What gives?!? It is not the first time this has happened either. Yes, I should go VIP and I will… But this is not ok!!

We were working on this box at the same time and this happened to me too! Extremely unstable after getting a shell due to the need to upload files to Querier and people constantly resetting the box.

For privesc, just keep enumerating the box until you find something obvious. I spent a lot of time on dead ends due to overthinking.

Special thanks to @ferreirasc for the assistance!
Great box, @egre55 and @mrh4sh! Learned a ton through trial and error.

Got user. Hints:

  1. Enumerate the ■■■■ out of SMB and any/all files you come into contact with
  2. When I feel like laughing, I get a little Giddy
  3. November Telecaster Lightning Manchester. Get those hashes, there’s a great module in metasploit for this
  4. Impacket will make sense if you did steps 1-3 right
  5. Windows XP surely had a command shell, right?

Now onto root.

@peek said:

via xp_******> @sportsfreak said:

I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.

via xp*******L you can upload files and even get a big step on root

You referring to alamot? or something else? I think alamot uses ceu* to copy files but that didn’t work for me either :frowning:

I could really need a point in the right direction. I got access to the ml db with the credentials found in the file. These credentials do not give me access to run xc commands, and I really can’t find any way to escalate permissions. Checked a LOT of tables without any dice. What am I missing here?

@sportsfreak said:

@peek said:

via xp_******> @sportsfreak said:

I am now able to execute commands via xp_*****l and read contents of user flag. Wanted to understand how folks are taking it to the next level of getting a reverse shell so that I can further enum to get to root. I am trying to transfer files using f but it does not appear to be working. Any nudge will be great.

via xp*******L you can upload files and even get a big step on root

You referring to alamot? or something else? I think alamot uses ceu* to copy files but that didn’t work for me either :frowning:

alamot encrypted commands in b64 I think, but you can bypass stuff with powershell

@kr0gh said:

I could really need a point in the right direction. I got access to the ml db with the credentials found in the file. These credentials do not give me access to run xc commands, and I really can’t find any way to escalate permissions. Checked a LOT of tables without any dice. What am I missing here?

Take a look at IPPSEC video on Giddy.