Control

Type your comment> @rholas said:

Type your comment> @clubby789 said:

Rooted, very interesting box. Thanks to @YaSsInE and @ALK for helping me work through the root.
Foothold: Look around the site carefully and poke at every hole. Seems to be a bit inconsistent, so try a few methods.
User: Try invoking something you likely found earlier to upgrade to user.
Root: Have a look at what H***** has been doing in PS before you arrived

Most useless root hint ever

Why do you say that? This hint helped me find what I was looking for!

I am trying to figure out this root. upgraded my shell and have dont alot of enumeration. Cant figure out a good bypass or ser**** to exploit. Please send a PM if you can get me on the right track :slight_smile:

what a nice box! thanks to @rholas and @YaSsInE and @TRX

TIL about all the possibilities and services that windows actually deliver…

Rooted, PM for help
Hack The Box

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Type your comment> @tang0 said:

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Thanks guys for the help. Got user. I was trying the wrong password. Now onto root.

Type your comment> @tang0 said:

I have the foothold but i can’t escalate to user. I have 2 passwords. Using powershell to escalate to elevated reverse shell, the same way worked for sniper, i have tried variations also but no use. I get following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, i can share what i have, in more detail.

Same here, PM for help pls

finally got user, thanks to @rholas and @tang0

well root was a long painstaking journey for me but well worth it. the exploit technique in the end is very standard but requires a different way to enumerate than one may be accustomed too. thanks @TRX !

R00ted. Thank you @TRX for the very informative box!!! Windows OS is not my thing (hence why I took on this box to learn more) … Thank you to everyone for their help, provided words of advice, comments, etc… especially: @rholas @naveen1729 @tang0 @0byte @darn0b

I am having trouble getting past through the protected page. Anyone free to discuss what I am working on? I think I’m causing myself to go down a rabbit hole. So many positions and so little returns on the actual requests that I am not sure if I am making progress or not.

Thank you for any and all who have the time to consult.

EDIT:
Made it a little deeper!

I lost 7hours doing ■■■■, cause idk whether it is an intended way or not. But THINGS which u need to exploit, are NOT BEING RESET. After someone exploits them, or messes with them, it’s not possible to get root. The best hint gave someone in forum before, about history)) but remember RESET before trying to mess with this **** (not a hint, just a swear word)

@EnDeRuCn said:

I lost 7hours doing ■■■■, cause idk whether it is an intended way or not. But THINGS which u need to exploit, are NOT BEING RESET. After someone exploits them, or messes with them, it’s not possible to get root. The best hint gave someone in forum before, about history)) but remember RESET before trying to mess with this **** (not a hint, just a swear word)

I was able to get root 10 times in a row with the same thing, I think there are other factors stopping it from working.

One ■■■■ of a box , just got root!!

Is it intended that v***_p*******.php is not fully loaded?

Type your comment> @Impulse said:

@badman89 said:
Hey can someone please point me in the right direction for powershell running command as another user

Watch ippsec’s arkham video or the process is similar to sniper once u have similar kind of shell
Last step for user was easy thanks to this comment :slight_smile:

Not sure where look for user’s activity, common examples from google don’t want to work yet.

EDIT: created python/powershell script which throws me directly to root.

Thanks for the nudges and explanations @rholas & @YaSsInE !

I found some commands.

Now what to do with them… I am working on understanding that.

Type your comment> @heuvosenfuego said:

I found some commands.

Now what to do with them… I am working on understanding that.

Edit:
I have User on to root!

If not for my Stream Deck this box would be very tedious to start over with.

what a ride.