For anyone fighting with this box - use basic tools (not “The Framework”) for exploitation. In the end you need only 2 tools and one script to root it (the script is an optional part).
If you think it should work, maybe you are not using your tool correctly. A screwdriver can be a hammer, but you need to know which end you should use.
Rooted this yesterday but just wanted to say what an awesome box! Loved that you had to get in using services other than the usual suspects! I spent a good few hours afterwards playing around with the box trying other stuff out and building my own Windows cheatsheet.
My hints would be:
For user: I spent way too long trying to get tools to work purely because a password included a character that needed escaping. I realised this later. I did manage to do the majority of this first part using M********* though and it worked well.
For root: I struggled because to me there was nothing standing out on the system. Turned out I’d already dismissed what I needed because I thought it didn’t apply to this certain system setup. Going through cheatsheets and common Windows attack vectors will get you there in the end; however, “uncles” won’t help you find what you’re looking for, only help you know you’re on the right track when you meet them.
Got root.
This is my second Windows machine. Really enjoyed solving through … learnt a ton of things … Would like to know if anyone root shell… PM please
Root shell!
This box was pretty fun, once I got past the SQL client troubles.
@avetamine said:
Or you can simply escape it with a backslash "\", cause the “$” sign gets interpreted.
Hint for user: Ippsec’s writeup on Giddy is incredibly relevant to this box, just note that sometimes it might take a few attempts before you find what you’re looking for. You’ll know it when you see it. Also, Impacket is awesome.
Hint for root: This is one of those privescs that you’ll really kick yourself over, because it’s one of those things that depending on how well you enumerate the box and which list you use, it may take a while to get to root. Just focus on what you can see.
Also, again, Impacket is awesome.
Is it normal that with the technique with re****** and xp_di***** there is a different hash every time? Am I on the right track? Maybe the wrong technique or tool? Very short hash format.
Got root shell after a LOT of trouble using my own created Admin user, which I didn’t even manage to use at the end. My final solution was easier.
Still don’t understand what people call ‘uncles’, didn’t need them to elevate.
I have a stable root shell on the system. I’d be glad to share methods to get root with anyone.
Super cool box, was looking for a Windows box to learn stuff as I am super new to Windows boxes, learnt tons of stuff about PS, and about some of the ports that were open.