@VbScrub and @AzAxIaL, thank you for your contributions to the thread. Helped me out.
Rooted.
I happened to go through the hard way of writing d** from msi* and using im******'s sbe****.py. If anyone used the easy tool me******t, please DM me
Initial: Find what services are running, figure out how to talk with them and see if they store any goodies
User1: I used CME for this but it doesn’t look like anyone else has, but draw basic lines between users and security
User2: Dig under ground, find some fat fingers
Root: understand your new role and all the power it provides. Then the ol google for how to advance that role.
@scaffolds said:
Grabbed the user flag from User1. Is User2 required for getting root? Spent some time looking around, but haven’t found the interesting files yet to make the move. If anyone wants to give me nudge towards User2 creds I would appreciate it.
anybody willing to dm me to look at my poc for root privesc on resolute? banging my head all day and i’m pretty certain i have the steps. i’ve tested my payload on a separate machine and it works, but i can’t get it to call back on the box
Anyone willing to help with root? I have the second user. From the forum, it sounds like D** inj is the way forward. I have 0 exp with this. Studying now, but could use some guidance if you’re willing. Thank you.
what the ■■■■■■ ■■■■ is going on with this root bit?.. I have tried all sorts of different ways to get the dll to restart but no call back, it's driving me crazy!!!
EDIT - debugged and got it working…
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
Directory of C:\Users\Administrator\Desktop
12/04/2019 05:18 AM <DIR> .
12/04/2019 05:18 AM <DIR> ..
12/03/2019 07:32 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 30,961,541,120 bytes free
thank you @disastrpc …that switch stopped me from jumping out a window. couldn’t get why it would not call back. also thank you @beorn and @menorevs . first time in this area, i appreciate the nudge.
Is there someone who wants to take me along in the process of priv esc for this box (and probably for another)?
I have a low priv shell like m …
Now I have tried everything, read this thread twice already and I am getting more and more confused.
Suggestion 1: refers to a specific group of which we are a member. This could be exploited without file uploads.
Suggestion 2 refers to a certain attack technique. Now I think I understand that technique in theory, but it is completely unclear to me how I choose the right + the corresponding process.
Many techniques are new to me and I have been reading a lot, so by now I have an overload of info. I can no longer see the forest for the trees.
Rooted!
No need to hide your venom, just host it from your own share.
C:\Users\Administrator\Desktop>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
...