Control

This machine was HARD to me anyway. Being a Linux guy mostly it was super hard. PM me for nudges for any machines I’ve rooted.

@n4gyl4j0s said:

@darn0b said:

@tang0 said:

I have the foothold but I can’t escalate to user. I have 2 passwords. Using PowerShell to escalate to an elevated reverse shell, the same way worked for Sniper; I have tried variations also but no use. I get the following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, I can share what I have, in more detail.

Same here, PM for help pls

I wasted a few hours with this thing … (but got user now)

one hint for this: domain

thanks… that really helped!!!..
but I didn’t get a fully working ps-session… :frowning:
only invoke-command+script-block worked to get me the user-flag…

@brueh said:

@n4gyl4j0s said:

@darn0b said:

@tang0 said:

I have the foothold but I can’t escalate to user. I have 2 passwords. Using PowerShell to escalate to an elevated reverse shell, the same way worked for Sniper; I have tried variations also but no use. I get the following error.

Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the 
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified 
logon session does not exist. It may already have been terminated.  
 Possible causes are:
....
And a bunch of other stuff

Any nudges? Feel free to PM, I can share what I have, in more detail.

Same here, PM for help pls

I wasted a few hours with this thing … (but got user now)

one hint for this: domain

thanks… that really helped!!!..
but I didn’t get a fully working ps-session… :frowning:
only invoke-command+script-block worked to get me the user-flag…

hint: for ps: remember an earlier hint in this forum about a video… and you can create a full functional session… :wink:

@dasland said:

Is it intended that v***_p*******.php is not fully loaded?

I have the same question.

Does anyone have a problem uploading files to the server in a PS reverse shell?

I am lost, not able to access any weblink a***n.php file, access denied, header missing. Any suggestions? Need help.

Got root. Feel free to pm me for any questions

Rooted! What a ride this box has been. Thanks a lot @ale98 for the nudges that helped me get there.

Some general guidance for once you get a shell: Windows Defender is watching. Try to think about how you can cleverly get files onto the box - smb may help, but impacket-smbserver may not be enough. As always, netcat is a lifesaver - in more ways than one…

Feel free to PM for nudges!

That was a really nice box. Really nice.

User: Basic enumeration, some server knowhow and basic hacktricks.
Root: ■■■■ I was in deep water and used a lot of Google based on users history.

got user, there are tips on the site, there are similar cars

@bumika said:

@ssklash said:

Finally got root, but more through trial and error than anything else. Could anyone else PM their enumeration process for the vulnerable service? Not sure if there’s a systematic way people are finding it or just luck/bruteforce.

Me too. Although I can write a pseudo script which can find that service, and I have found the instructions which are needed for the implementation, but I have no practice in Powershell.

The privilege escalation phase (including discovery) is superb. Thanks @TRX.

Rooted too but kinda felt CTF-y in a sense where there were too many things to make sense of with limited privileges so in the end I too wrote a PS script to bruteforce my way through. Also found there is more than 1 s*****e that is vulnerable.

If anyone has a proper methodology in terms of correctly identifying the vuln please let me know as I can’t seem to make sense of it and bruteforcing doesn’t feel very clean.

Anybody got a few mins to spare, a touch stuck, have some creds, have an idea how to use them, could be syntax …

Got shell and some creds, but can’t seem to get to H using the invoke, could someone PM me with some help?

@SpiderKid said:

Got shell and some creds, but can’t seem to get to H using the invoke, could someone PM me with some help?

I found opening a new shell forwarded to a vulnerable service allowed access as that account.

NVM I misspelled my Header… Thanks @GBakaev

Need some final hint. I think I’m on the final step to root, if I’m on the right path. Even with brute-forcing the services, does this step somehow require a reboot of the machine in order to catch the revshell?

@h3xal00t said:

Need some final hint. I think I’m on the final step to root, if I’m on the right path.

You probably are on the right path. It is largely down to what you have control over.

Even with brute-forcing the services, does this step somehow require a reboot of the machine in order to catch the revshell?

You don’t need to restart the machine.

Got user, but no idea where to start for root. Will save that for another day.

Tip for initial foothold: The error message tells you what to do, but when you’re doing that you’ll need to supply a specific IP address which seemed irrelevant when you first found it (thanks to @TazWake for pointing me in the right direction here)

@clomic said:

NVM I misspelled my Header… Thanks @GBakaev

I did the same stupid thing. VbScrub sorted me out.