Optimum

Hi guys, I have followed all your recommendations, I have the session on the right architecture but once I run the port recon it doesn’t show up any compatible plugging. Any clue which will help me to escalate my privilege?

To own the optimum you should be good at code review.
hint:
1} Know what exploit does
2} Change what’s needed
3} Run exploit on machine
4} Bingooo…!!! you own the machine
🙂

Thanks guys, I was using the right post/exploit but wrong arch. Lesson learned!

I’m not sure what I was doing wrong, I got system a few seconds ago with the same exploit, same arch, same payload that I was trying at the beginning for two days with no success 😕

Sometimes, you have to reset the box for an exploit to work because the machine is in an altered state (from previous exploits applied by other users).

Optimum is a fun, simple machine to start with: get all the information about it, jump on Google and boom, what you need is there; modify it and run the bad boy.

hey there! i’m totally stuck with this one. like so many others, i easily managed to own the user but can’t figure out how to escalate privs. the problem is i can’t even confirm if i’m on the right track since my meterpreter sessions always die when running local exploits. i gave the exploit suggester a shot but the session dies before it finishes, so i’m basically down to trial and error. can someone gimme a hint on how to get my session stable? i’m aware of the x64 arch and stuck to x64 payloads and exploits, but to no avail.

@horrorshow1984 said:
hey there! i’m totally stuck with this one. like so many others, i easily managed to own the user but can’t figure out how to escalate privs. the problem is i can’t even confirm if i’m on the right track since my meterpreter sessions always die when running local exploits. i gave the exploit suggester a shot but the session dies before it finishes, so i’m basically down to trial and error. can someone gimme a hint on how to get my session stable? i’m aware of the x64 arch and stuck to x64 payloads and exploits, but to no avail.

If you are using a proper x64 payload, meterpreter and exploit, everything will be perfect and it will work like a charm. If you still can’t do it, I suggest you try harder more and PM me then 😉

alright, thanks! i’m trying yet another approach which looks quite promising so far

So, I’m stuck with priv escalation. I tried by myself and it always got stuck, so I went and checked the video from ippsec and the writeup, and using metasploit it always gets stuck with “exploit completed, but no session created”. What can I do?

Just rooted it. Easy user, but I struggled the entire day with privesc… TBH, the solution blew my mind.

Has this machine changed? I am not able to get root on this… Neither can I see the Sysnative directory that ippsec mentions.

I don’t, but I’ve followed the write-ups precisely, made sure all my payloads and targets are set for x64, and it always says “Exploit completed, but no session was created.”

I can get user on this box, but I am pretty sure the original image was modified after it was retired. Not sure why??? but you cannot follow @ippsec videos or any other walk-through for that matter since you can’t run IEX, or even powershell. Pretty frustrating…

I can’t get a ping response using %00{.exec|ping myip} in Wireshark? it is listening to the right interface and I am pressing forward in Burp ARGH it is so frustrating…I get TCP etc. Also wireshark does show ICMP. I also tried the encode that IPPsec uses later…I am so mad at this box for not working for me like it does everyone else.

The retired machine OPTIMUM has only one core and the privesc exploit needs at least 2 cores for the race condition to succeed.

So, yes, the machine has changed since IPPsec made the video tutorial.

It worked for me and I haven’t followed the ippsec video nor the %00{.exec|ping myip} thing, just do it manually by using the MS* ps1 file.

can you pls share the script @d4rk3r ?

I don’t know if the processor has multiple cores, my google-fu needs more work, but it definitely doesn’t have an x64 powershell. It doesn’t even have a \SysNative directory to put it into. There are 4 powershell.exe programs: 2 in the normal x86 folders of \System32 and \SysWOW64 and 2 others in subfolders of \WinSxS.… with really long filenames that the system didn’t like me trying to run.

When I got in to the box I could read the root flag already with no escalation steps?

I think someone has created a one step root exploit. I did think it was odd that the rhost was already correct in the script…