Querier

Got root.
this is my second windows machine. Really enjoyed solving through … learnt a ton of things … Would like to know if anyone root shell… PM please

Can anyone assist with connecting to the sql service? All of my normal options haven’t been able to connect :confused:

Got root, PM if you need help.

Root shell!
This box was pretty fun, once I got past the sql client troubles.

@avetamine said:
Or you can simply escape it with a backslash "" , cause the “$” sign gets interpreted. :wink:
Hint for user: Ippsec’s writeup on Giddy is incredibly relevant to this box, just note that sometimes it might take a attempts before you find what you’re looking for. You’ll know it when you see it. Also, impacket is awesome.

Hint for root: This is one of those privescs that you’ll really kick yourself over, because it’s one of those things that depending on how well you enumerate the box and which list you use, it may take a while to get to root. Just focus on what you can see.
Also, again, Impacket is awesome.

Simply a great machine. Very real life. Loved all of it! Great job mrh4sh and egre55 :slight_smile:

rooted, finally i know what people meant when i read ‘uncles’.

feel free to pm.

Type your comment> @mcruz said:

Type your comment> @Un4gi said:

Did anyone run into this error when trying to use i******* m**********?:
[-] [(‘SSL routines’, ‘ssl_do_config’, ‘bad value’)]

I was able to get the necessary info another way, but think I may have an issue with openSSL?

What about other methods of auth that mssql has?

It’s not an auth issue… it’s an issue with openSSL or python. Just not sure how to fix it

EDIT: Reinstalled i******* and it works fine

Is it normal to just get a reset connection during the protocol negotiation using the giddy method?

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

Type your comment> @supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

I dont get anything so… no hints there :smiley:

Got root shell after a LOT of trouble using my own created Admin user, which I didn’t even manage to use at the end. My final solution was easier.
Still don’t understand what people calls ‘uncles’, didn’t need them to elevate.

I have a stable root shell on the system. I’d be glad to share methods to get root with anyone. :smiley:

Super cool box, was looking for a windows box to lean stuff as I am super new to Windows boxes, learnt tons of stuff about PS, and about some of the ports that were open.

Rooted At last! Awesome box :smiley:

Type your comment> @supercop89 said:

Is it normal that with the technique with re****** and xp_di***** every time there is another hash? I’m on the right way? maybe the wrong technique or tool? Very short hash format :confused:

any hints?

ok i found it … thanks :slight_smile:

I have the valid user for the xp… but i’m on the right way with a reverse shell via xp…? :confused:

I managed to get root on the box (feel free to message for nudges!) but I found it weird that for the very first step when using s*****lient I was able to get the listed shares without creds, but when trying to do something similar for s****ap I dont. I tried replicating this situation on my own Windows machine but unable to.

Had an interesting group meeting with uncles “L” and “M”. :wink:

Really enjoyed completing this box, props to the creators @mrh4sh and @egre55.

Thanks to those that provided a nudge and discussing the root shell method. Happy to pay it forward to those that are stuck!

I could use a nudge to see if I’m on the right path. I’ve got xp_ enabled and user.txt is mine. I’m trying to get a shell by uploading a file, I can see via tcpdump that my upload command is working but I get an error no matter where I try to write the file to that permission is denied. Am I on the correct path, can anyone message me a hint on where to upload?

Type your comment> @tiltedtimmy said:

Got root.txt but not shell…

Whoever has got root.txt can you pm me if you got a shell and maybe give me some pointers how to get it. Thanks!

Use p***** .py from I*******

Type your comment> @GordonFreeman said:

Can anyone assist with connecting to the sql service? All of my normal options haven’t been able to connect :confused:

Try using domain name too

@alg42 said:
I could use a nudge to see if I’m on the right path. I’ve got xp_ enabled and user.txt is mine. I’m trying to get a shell by uploading a file, I can see via tcpdump that my upload command is working but I get an error no matter where I try to write the file to that permission is denied. Am I on the correct path, can anyone message me a hint on where to upload?

I believe ,You can execute file without writing anywhere … I am a NOOB …beware