Querier

Rooted
Really, it's a very nice box, learned a lot from this Windows box.
If anybody needs hints, ping me personally.

Well, after spending much longer than I would like to admit on this box, I finally got root. I got hung up on many small things but learned a ton along the way. PM if anyone needs some hints.

A good Windows machine after a series of Linux ones under my belt. A good way to earn user though we have done it before. The reverse shell was nice in user. For root, I would suggest to give “Power” to yourself and then you will have what you want. Shoutout to @superfume for your brilliance in answering all the doubts I have.

P.S. execute what you have to get the Admin shell. :wink:

Enjoyed getting user, very realistic. root was a bit of a drag, all about the right script :wink:

Great box, learned a ton. Started pulling my hair about the root but in the end right (and primitive) tools did the job.

Finally rooted (shell). Big thanks to @Malone5923, @TheGrandPew, and @Baikuya for their much needed hints. Also a big thanks @mrh4sh and @egre55 for a good learning box. So much about Windows I did not know.

As always, here are my pointers.

Pretraining: Yes, I have included something you should do before even looking into this box. I am a big fan of ippsec. Watch Gi***, Opt****, and Bas****.

Initial: Start with the known ports. For things that you find, one must look within to learn something worthwhile. Take some time to learn the different ways to authenticate a DB, specifically the two different ways related to OS. Impacket is your friend.

User: Gi*** is your guide. Impacket is your companion.

Root: Enumeration is key, especially if you have a ‘super mushroom’ lying around. For those wondering about the “uncles” reference that keeps cropping up, don’t think about it. When it is revealed to you, all will make sense. Impacket again can lead you over the finish line.

Again, if I have said too much, please let me know and I’ll edit this.

As always, PM me for more concrete hints. Don’t forget to tell me your progress so I don’t spoil it too much.

Finally rooted!! Thanks for @all partners that helped me with this challenge, as always, glad to help someone too via PM.

Valuable learning!!

Finally! That was painful for me, I must have reread everyone’s post a dozen times. So many random things I kept messing up…hopefully I’ll remember. If anyone needs a hint, feel free to pm me.

Finally, root shell! Fun machine. Has anyone managed to get anything out of the dll? PM me pls.

[*] Encryption required, switching to TLS
[-] [(‘SSL routines’, ‘ssl_cipher_list_to_bytes’, ‘no ciphers available’)]

Getting this error when connecting to mssql using Im***** mssql*****.py

@BigDaddy said:

[*] Encryption required, switching to TLS
[-] [(‘SSL routines’, ‘ssl_cipher_list_to_bytes’, ‘no ciphers available’)]

Getting this error when connecting to mssql using Im***** mssql*****.py

Sounds like an OpenSSL problem you have on your client machine, but hard to tell without seeing the command you are using exactly (don’t post here). The client could possibly be trying to use TLS 1.3

Update / reinstall impacket to fix this error

Finally got root.txt after 3 days, still shell pending. Thanks to @Baikuya, he helped me a lot. Thanks, brother, once again :slight_smile:

Finally got root. What a great box - actually one I’ll probably do again. Thanks @mrh4sh and @egre55

Hints for root:
Enumerate - There’s a PowerShell Mafia out there who up your chances of rooting this box. Then go and watch Mantis.

As for the uncles, they’ll make sense when you see them :slight_smile:

This box was awesome. I managed to get the root.txt before user.txt though. This box is the perfect opportunity to play around with PoshC2 python by @benpturner and can be found here - GitHub - nettitude/PoshC2: A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

I’ve been trying to get a user shell (already have the user flag) but I can’t, everything I try either can’t be executed or is blocked by some sort of AV. Are we supposed to get a user shell to move forward or can you get root through x*******ll?

I’ve tried ps scripts, I’ve tried .exe’s, I’ve tried python scripts… Any hints??

@doubledeed said:

I’ve been trying to get a user shell (already have the user flag) but I can’t, everything I try either can’t be executed or is blocked by some sort of AV. Are we supposed to get a user shell to move forward or can you get root through x*******ll?

I’ve tried ps scripts, I’ve tried .exe’s, I’ve tried python scripts… Any hints??

Same here :frowning: I can’t execute uploaded files

@xeto said:

@doubledeed said:

I’ve been trying to get a user shell (already have the user flag) but I can’t, everything I try either can’t be executed or is blocked by some sort of AV. Are we supposed to get a user shell to move forward or can you get root through x*******ll?

I’ve tried ps scripts, I’ve tried .exe’s, I’ve tried python scripts… Any hints??

Same here :frowning: I can’t execute uploaded files

You don’t necessarily need shell as you have what you need already, but if that’s the approach you want to take then I’d leave the more common shell tools behind.

PM me for hints … I have got root shell …

Can someone PM or can I PM someone about a certain tool’s syntax? I know what I’m doing should work but for some reason I keep getting a Connection reset by peer error, yet when I execute the same query on an ‘nc -lvnp 445’, I get a callback and have verified the query is valid and working.