Querier

Amazing box!
User: use bink and im**t script
Root: simple enum script

I have a reverse shell using powershell but whenever I run any of my powershell enumeration scripts, Powershell-Mafia, Sherlock or JAWS I get no output. Could someone please PM me? I am not sure what I am doing wrong.

I already have command execution with x ***** I try to upload any script and send me a time out, to any happened to that case?

I like this box!!!
Learned a lot from the creator)))!

Finally rooted this machine… it took me quite a while to figure out the root and the user.
Most of the hints has already been mentioned in the thread, but here are some of my extra tips:

  1. Keep enumerating and you shall find something.
  2. It is easy to differentiate the rabbit hole by identifying common services that were being exploited and also enumerate them.
  3. Don’t be blind like me, read every inch of the hints you found from the server, if you didn’t find anything related to it, then read it carefully again.
  4. Impacket will be useful at this stage, once you found something, the hint of giddy will then make sense for you.
  5. Finally all the hints for priv esec is already discussed here, read them, and do take care about the escape character properly.

need a nudge on the im******* script. i have run other scripts and successfully able to gather info from the server. the im***** for the DB, fails… Could someone provide a little assistance please.

I’m able to execute system commands on behalf of ms*****vc user, but trying for 2 days to achieve reverse shell and nothing is working (Defender is killing my payload)… Please, any nudge on this?

Got shell. Now onto root! Big thanks to @NoPurposeInLfe !!

I am able to connect to S******* with r******** but I am unable to find a way forward that would allow xp******. I have tried several escalations but none have worked. I am a bit lost. Please DM any suggestions.

picked up user and root flags, still looking to get root shell.

picked up user flag done ! getting shell :smiley: ! but still not get r00t glag ! :frowning:

r00t great box !! i liked !!!

Got User & Root, I like thix box ! more windows machine please :slight_smile:

PM if you need some help

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

Type your comment> @hacklife said:

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

You are on the good way search a good tools :wink:

Type your comment> @1c4re1337 said:

Type your comment> @hacklife said:

I have found vba******.bin.

With a tool of the p*****-oletools package I have found a Uid=r*******g and a Pwd.
But I can not connect to mssql server…

The Uid & Pwd is it a rabbit hole?

What is the best tool to connect to the server? I use sqsh… ver basic.

Thanks in advance for any hint!

You are on the good way search a good tools :wink:

Thanks… I just used impacket… and the same problem: Login failed…

I would appreciate any hint or PM :slight_smile:

Thank a lot

Thanks… I just used impacket… and the same problem: Login failed…

I would appreciate any hint or PM :slight_smile:

Thank a lot

Look the password :wink:

Finally rooted !

@dr0ctag0n many thanks for time spent to compare my Im…ket usage which was correct but didn’t work in my case. I found a workaround later on. Also thank you for confirmation that I am on right path for root.
If anybody needs help send a PM.

Struggling with the initial foothold. Both s** and m***l seem to be password protected. Am i going the right way?

Update: Found some cu****** re****.xl**, am i even on the correct smb? LOL…feels weird.

Type your comment> @jattion said:

Struggling with the initial foothold. Both s** and m***l seem to be password protected. Am i going the right way?

Update: Found some cu****** re****.xl**, am i even on the correct smb? LOL…feels weird.

You are and enumerate that file :slight_smile: