Chatterbox

Best thing to do is to spin up a Windows 7 VM, install the vulnerable service and keep messing with it by testing and restarting until you get a solid shell back. Just got user without Metasploit, working on root

no open ports found…what to do

is there a user.txt? or just root.txt?

@n0tl33t said:
is there a user.txt? or just root.txt?

Nvm. Reset the box and the user.txt showed up, also need to do something before being able to read root.txt now. Almost missed a chance to learn something

Got a meterpreter connection, but for every command it returns:
Error running command command_name: Rex::TimeoutError Operation timed out.

Any hint?

Try masscan, guys. It’s the fastest.

@F2F said:
Got a meterpreter connection, but for every command it returns:
Error running command command_name: Rex::TimeoutError Operation timed out.

Any hint?

I’ve been having the same problem since yesterday. I got the user.txt then decided to go back for root, now I’m getting crashes every time I get a session.

Any info to start looking for? I don’t know where to start on this machine. Found a port, a service and an exploit, buuut it’s failing, so I think I’m gonna start reading about the exploit. Any recommendation?

Have managed to get a stable shell on this and taken the user flag, however privesc to system is baffling me, don’t know where to start. Feel like I’m missing something obvious?

Hi folks,
I have got the user.txt and the root.txt file.
Now the question is… how to get an Administrator shell?
Any suggestions?

@Ben83 said:
Have managed to get a stable shell on this and taken the user flag, however privesc to system is baffling me, don’t know where to start. Feel like I’m missing something obvious?

Don’t overthink it, think basics. It has been mentioned already, but research cacls :wink:

@Ar3s said:

@Ben83 said:
Have managed to get a stable shell on this and taken the user flag, however privesc to system is baffling me, don’t know where to start. Feel like I’m missing something obvious?

Don’t overthink it, think basics. It has been mentioned already, but research cacls :wink:

Thanks, managed to get the root flag a short while after I posted that by doing just that.

@pennega said:
Hi folks,
I have got the user.txt and the root.txt file.
Now the question is… how to get an Administrator shell?
Any suggestions?

I’m wondering the same thing…is it really fully pwned if you don’t actually have SYSTEM privs? This took me forever to solve as I was trying to privesc…

@Alexander1212 said:
no open ports found…what to do

Use masscan. Worked for me.

DEFINITELY DEFINITELY DEFINITELY recommend installing a local copy of whatever you find and testing your own payloads on it. (as some others have mentioned)

Also helps to read what the bad characters are (I think I wasted an hour or two wondering why nothing was working…). I used the python script.

My first attempt doing it on the box (after figuring stuff out locally) went off flawlessly.

Totally agree. Install a local copy of the vulnerable service and try it on a local VM. Once you find the correct exploit, it really is a simple machine. I 100% recommend a reset before launching it on the lab, because it only works once.

You can use sparta for recon and enumeration, it’s an amazing toolkit.
A full port scan will reveal sufficient info for you to go ahead with.
I am stuck with the exploit right now, wasted 2 days trying to figure out what is missing.

ok so I got root.txt without actually spawning an Administrative shell. I’d like to understand how to go about using the privileges I have to get an interactive shell as Admin. Anybody willing to PM me a hint to point me in the right direction?

@peek said:
try allports

Great advice if you could even scan the thing without being fucked over by reset. Sorry for the language but I’ve spent weeks on this piece of ■■■■, even wrote scripts to automatically scan small blocks of ports spanning the entire range just to find a single open port. Only to find zero in the morning.

For all of those complaining about the slow port scanning, I’d recommend reading up on some nmap flags/options to help get around what’s causing the slowdown. With the proper flags, you should be able to port scan the entire box fairly quickly.