Resolute

@H31D1 just running the d**c** command won’t do anything instantly. The DLL only gets loaded when the D** service restarts. Also be aware that if anyone else runs that command in between you doing it and restarting the service, it’ll overwrite your DLL path with theirs and so you won’t get any results. Quite an annoying “feature” on a box that has multiple people attacking it at once

@VbScrub I saw that happening a few times… at one point today it was a fight to keep my dll in there, so instead of holding up someone else’s progress I took a break haha.

@6a6d6c has given me some material to research that might be my solution. I need to rethink my dll… hopefully I can root this soon.

Thanks for the feedback

@H31D1 said:

I thought because I could copy the dll from the Share to the user’s desktop, that everything was working, but when I run the dns tool, I am not seeing the connection in my server.

In addition to what @VbScrub has said, if you aren't seeing the initial request on your server, the chances are you aren't sending the payload.

Key things are how you call it and how you map the path to your payload via server and in the command.

Once you see the payload sent, you need to be pretty quick with the stop/start. I found it frustrating because it can take a while for the stop to work, so you never know if your start will be a start on your attack or someone else’s :smile:

I haven’t got root yet, but I’m close. I tried running my msfvenom dll as the user and I can see why it’s failing… so I created a simple dll and managed to get it to ping me… yay, but then my reverse shell code gets stopped for the same reason as the msfvenom dll… just a heads up :slight_smile:

Tried to get some source from git for the d** (x64).
Uploaded to Resolute, and linked the d** to the service.
Restart, nothing happens.
Are there any tricks to compiling the file?

Finally!!

C:\Windows\system32>whoami & hostname
whoami & hostname
nt authority\system
Resolute

Did with d*l method, will try to find easy way now…

Just finished this one today with the d** method. Wondering what the “easy” way was? Also plenty of hints in here, I am TRASH at windows boxes and this thread saved me. PM me if you're totally stuck and I’ll see what I can do.

I was in the same boat as @H31D1. I got as far as testing an x64/s/rev payload with rundll and got a shell, but when I assign that same dll url to that service, I would see the payload get delivered when the service starts, but with no resultant session creation.

Stopping both resolute and msf and starting both fresh got me root when I tried again. :confused:

What makes these more difficult than they should be is not being able to trust the foundational stuff – broken tools, and shared servers in unknown states.

Speaking of broken tools, win*m through msf would not work, at least for this version of windows. I compared how evil was doing it, and ms is using XML payloads while evil isn’t. The XML payloads would get back 500 errors from the server. The ms winrm code on github shows as 3 years old, so buyer beware.


Alright Ladies and Gents! I have been working on ROOT for quite a while now! I'm certain that I know the avenue of approach, it is just not working for me LOL. Regardless, I am USER number 2 as expected, I am using ev**-wirm and I have utilized msve*om to create my payload. I HAVE NO CLUE HOW TO CONTINUE!

Any help would be frikken fabulous! I'm not familiar with D Inetion!

100% Nevermind!

USER: Enumerate according to all available cheat sheets and you WILL find what you need

ROOT: DO NOT and I repeat DO NOT overthink this! There is a tool that will quite literally walk you right into success without all the wild and unnecessary jazz!

HINT Thanks a bunch Rapid7, as always you have proven that trusting my “Equipment” is the true way to success!

@CandiedPixel said:

ROOT: DO NOT and I repeat DO NOT overthink this! There is a tool that will quite literally walk you right into success without all the wild and unnecessary jazz!

Maybe some people like learning about the “wild jazz” and figuring things out, rather than just running a single tool that does it all for them :wink:

@VbScrub said:

@CandiedPixel said:

ROOT: DO NOT and I repeat DO NOT overthink this! There is a tool that will quite literally walk you right into success without all the wild and unnecessary jazz!

Maybe some people like learning about the “wild jazz” and figuring things out, rather than just running a single tool that does it all for them :wink:

Fair enough! That being said, however, time management is key! In this instance, utilization of the appropriate avenues paves the way to understanding WHY the difficult avenue works. Instead of throwing a million different d**'s at the objective, I learned how and why. Perhaps it was a misunderstanding. No worries, happy hacking!

Finally got ROOT!!

Big THANKS to @6d6a6c @VbScrub @TazWake and @sgniner for the responses and guidance. I love being able to learn from people who are smarter than me.

Through this I learned a lot and can definitely say that if something does not work, it doesn’t necessarily mean the tools are the problem. Always check the simple stuff first. In my case it was me not using correct syntax.

Thanks @egre55. I loved this box and am ready to have a go at my next windows box.


Anyone able to give me a nudge? I am right at the end part, but can’t seem to get the payload right to allow a shell. Tried loads of different ways now and running round in circles forgetting what I have and haven’t tried! lol.

Never mind, I worked it out! Me being a plank!

I got the credential but my e***-w**** returns an error “An error of type W****::W****HTTPTransportError happened, message is Unable to parse authorization header.”.
Does anybody know why this error happens?

EDIT: I selected the wrong port.
EDIT 2: I got the root :)

I am currently in r*** trying to move to get r*****. Identified that the user can stop and start ds. Found a way to inject a dll into the service. But it seems wd**r is killing all of my shells. Is there an easier way or do I just need to keep at it? A nudge would be appreciated.

I checked what payload options were available locally, narrowed down with a few greps, and tried different ones in the option that I moved across. Got one to work just fine once I got over a stupid mistake I had made myself!

Can anyone send me a DM for how to proceed with the 2nd user? Got the creds and what I think is the higher port but I cannot connect.