I’ve never been so angry and frustrated with a box. I’ve got reverse shell with the mc user, I used p**s to create a new admin account, and I can’t seem to sort out how to get to the flag.
If anyone has questions up to that point, I’ll do my best to answer despite my frustration.
*** Nevermind. I’m dumb. Big thanks to tehmoon for pointing out my stupid mistakes ***
hi guys can anyone give me pm about how to get the root …im feel to noob now at the end…i have get the pass and i connect in the 1st services r…t , there i own the c…e but i dont know what to do ? thank you
Update:
A great box i have learn a lot of things …very to get the user…
for root i was trying to connect but the box had some problems to get a connection, in the end i made it …
thanks for the guys they give me hint @tehmoon@phoenix2018
Got user, got a reverse shell on the m**-**c account and using P****U* I can add an admin user but I’m unable to log in to them using any of the I******t tools. Also tried running custom commands through I*****-S******A**** but that’s not working out either. I looked at P*****r\U********d.x** but it didn’t look like there was anything there. Any nudges?
Do i really need to crack what i got after using the G**** technique? Or i can use relay? But SMB relay signing is on, which prevents it. Am i on the right track? Thanks
Please can anyone help me with the box? I can’t understand how to use imet tool and met*****it module to grab user.txt. I have nv2 and valid creds for m***l service. Giddy box is a little different from this box, it was powershell service there. I don’t understand how to get shell at this box:( Any nudge via PM will be appreciated…
@ARainchik said:
Got user, got a reverse shell on the m**-**c account and using P****U* I can add an admin user but I’m unable to log in to them using any of the I******t tools. Also tried running custom commands through I*****-S******A**** but that’s not working out either. I looked at P*****r\U********d.x** but it didn’t look like there was anything there. Any nudges?
Got root, looks like I needed to enumerate more. Gonna group this technique up with my other steps for future machines.
For python purists or anyone attempting to pythonize this box using the common pypi project related to the DB, here’s a little note:
The API is not well documented and might lead you down a rabbit hole when going after user and getting a CONFIG error.
Each cursor object is an implicit transaction, and therefore is restricted to what commands can be run. This disallows you from ‘upgrading’ to exec. One hacky way around this is to specify your ‘upgrade commands’ in the conn_properties parameter of the connection object, which are treated as separate queries.
I don’t think any of that spoils anything, especially since most people are more likely to take the easier route. If the mods feel like it does feel free to bork my post.