Resolute

Stuck with the r*** → root via *** service. Made a special reverse shell d** for the service, but cannot stop it because of Type 2.
That’s a wrong way or I do not know smth obvious?

The service is not stopping and starting correctly.

Also, at-least on the free server, the box is being very unstable for me.
Is anyone else facing similar issues, or is it just me ?

unlike other windows machines, here I can’t stop am**e interfering with uploads. Any hint?

i got the creds that were just “there”, but they dont seem to work. Are they decoy or someone changed the password?

I don’t know… maybe there are too many operations pending on the service, but remains that using the right architecture, the right injection… something goes wrong :frowning:

@BadRain said:
I don’t know… maybe there are too many operations pending on the service, but remains that using the right architecture, the right injection… something goes wrong :frowning:

Same to me…add to this that every now and then the key is superseded by someone else who’s trying to root and everything evaporates…

I can’t get a user shell now with exactly the same creds and setup I used earlier. I’m on eu vip 2. Feels like someone changed the password.

I think box is boken idid the same last command :
d**** to have my shell as system like other users , but it no working i caught an error
******ERROR_ACCESS_DENIED 5 0x5

it’s very upset , cause the box isbroken now

I’m seeing weird stuff too… my DLL did work at some point because i manage to run it within rundll32 as a check. It didn’t run within the targeted thing though… and now it doesn’t work even in my test…

this is my first box ever and I’m loving it so far :slight_smile:

almost done with root… having issues creating the DLL… not sure which arch/payload to use… any hints would be appreciated :slight_smile:

Can someone help me with the DLL ? i’ve litterally tried easily 20 versions, both archs to be sure, custom, MSF with various payloads, including cmd, none work, some partially work, in rundll32.exe, but never within that friggin service…

Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

@mike008 said:

Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

Yes, I’ve been able to stop/start the D** service with user R***.

Type your comment> @testmeister said:

I think i found the exploit for root.
But for executing this I need to compile some code with VS as far as I see. Since I dont have a Windows machine, is there a way to do this on linux?

m*****om is tool you should probably try

EDIT problem solved, was me being stupid.

Need a small nudge finding second user…
Been scouring C:\ for sometime now but still no luck.

If you need some nudges, DM me for a quick response.

after enum found this credentials : m****:W*******
how can i use these to get user ???
smb refuses connection with these
am brand new here

Done!

user: pretty easy after a small enum with basics and some try…
evil-winrm is really your friend
root: …oh sh*t , hard or not? if you know “who are you?” and know tools on the system to live with your “power” then easier to build-, and use your self stuff. If not, then ask a nudge and learn as me did it Thanks @bertalting , @doctoreleven , @tekkenpc :smiley:

thanks for this great machine :slight_smile:

DM me if you need nudge too

Type your comment> @marcandrer said:

@mike008 said:

Should we be able to restart the D** service as user R***? Do we need to do that to trigger the exploit? I think I have everything right but running into access denied when restarting - just making sure I am doing the right thing. Think the box might be hoarked/fubared but looking for validation.

Yes, I’ve been able to stop/start the D** service with user R***.

Is it so? I was under impression that the service was restarted in a given intervals.