Json

Nice box, forced me to learn thing or two about Windows privesc. I got user fast (after I realized that there MUST be space after -n in MS ping…) and then I spent much more time on figuring out how to cook vegetable.

The non-vegetable way to root feels easier to me, more straight forward.

Did someone use the tool POC tool “yso…net”. Is that the right way?

Type your comment> @supercop89 said:

Did someone use the tool POC tool “yso…net”. Is that the right way?

Yeap, thats what i used!

Removed

Got root. The trickiest part of this for me was formatting my payload. Happy to help if anyone needs a nudge

Very good machine, thank you to the creator of the box for his work. :slight_smile:

User:

  • The user part is relatively simple, and do your research well, you will need a special tool to create your payload. The name of the box gives a good clue to continue your way.

Root:

  • There is an interesting program you need to understand (FTP). Try to understand how the program works, and read the functions that will allow you to decipher the information.

If you have any questions, do not hesitate to contact me. :wink:

Finally got there!

User: Cookies and Cereal …yummy! best off making your cereal on a windows box though :stuck_out_tongue:

Root: plain vegetable although for those unfamiliar like myself ensure you use the right OS variable

I am creating the payload and I have no problems with “formatting” but I can’t seem to get past other errors. Tried both of the payloads offered by the tool.

Edit: The cause of my problem was that I used the tool’s encoding function. It doesn’t work if I encode the payload that way but weird enough it works if I encode it with Burp. Wat?

Can anyone give me some suggestions on what source to read on? I think I get the idea, understand the tools that you guys are using, but just don’t understand how it fits in here… How could you pass the json data to the server, and why will it be interpreted in that way? Thanks for the help!

I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

@gomeznap said:
I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

Try Meterpreter!

Type your comment> @x000 said:

@gomeznap said:
I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

Try Meterpreter!

Thanks for the comment!

I tried a couple different meterpreter payloads and they never connect back to the exploit handler. Is the anything special I have to do on a windows machine to run the executable once its dropped on there or should I just be able to run it with a command like “payload.exe”?

Edit: Got User thank you to @argal and @dr0ctag0n for the help!

edited

why not use powershell in memory payloads #empire?

Sorry for my last message… it seems i can’t delete it…
So,
I’m just a step before gomeznap i guess: I’ve managed to execute dos command and ping my IP with the help of ys*t. and… that’s all.
I can’t manage to execute powershell (and, by the way i know, can’t upload/download file).
Did I miss something ?
I’ve tried to launch powershell with “-c”, doesn’t seems to work. I’ve even tried to modifiy ys
t in order to execute powershell in place of cmd.
Well i’m bit lost.

Does anyone has a clue to where i can search/test further ? PM

Type your comment> @gomeznap said:

Type your comment> @x000 said:

@gomeznap said:
I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

Try Meterpreter!

Thanks for the comment!

I tried a couple different meterpreter payloads and they never connect back to the exploit handler. Is the anything special I have to do on a windows machine to run the executable once its dropped on there or should I just be able to run it with a command like “payload.exe”?

sometimes, especially with blind RCE like this box, it helps to create some random folder somewhere on the remote machine to save it to in order to make sure that you have correct permissions. I tried my payload several times from typical directories and it wouldn’t work until i created a newC:\tmp folder with a mkdir command before sending the file. I think it was preventing me from outputting into the directory but without a shell you can’t see the errors or if the file is created.

You should be able to run it by just sending the full path as a command. for example C:\tmp\payload.exe

If anyone rooted the box via FTP decipher method please PM me.i an able to root via this potato method only.
If anyone need assistance let me know.i will be happy to help .

WOW Excelent Box. I Really enjoied

my hints

  1. User: Play with headers and read the forum
  2. Root: I did with a clasic windows explotation. Couldn’t take the other way, I don’t know why

Love it

Rooted. I did what seemed like the “easier” priv esc… I need to go back and try the other. Wonder if the former was intended.

If anyone needs a nudge, feel free to PM me.