Sniper

the box as of this post looks super unstable, I can’t sustain a shell to save my life, earlier the database looked like it went down for a bit, is someone hammering it?

@Ad0n said:

the box as of this post looks super unstable, I can’t sustain a shell to save my life, earlier the database looked like it went down for a bit, is someone hammering it?

Launch another reverse shell that doesn’t depend on PHP :smile:

@CodingKoala said:

@Ad0n said:

the box as of this post looks super unstable, I can’t sustain a shell to save my life, earlier the database looked like it went down for a bit, is someone hammering it?

Launch another reverse shell that doesn’t depend on PHP :smile:

yep thanks, I ended up doing that a few minutes after I posted it, and it’s smooth as butter!

Nice box :smiley: i next a other one

Banging my head getting root, please PM me, stuck for 3 days xD

Has somebody been able to do the root part on a Linux machine? Or do I need to install a Windows machine?

Rooted!
I really learned a lot of things even if I think the root part isn’t related at all to real life.
Hints:
Foothold: Begin with looking at the URL of every page you find until you notice the obvious.
User: Reverse shell but without the password prompt in a console
Root: Enumerate well, look at the extension and the first result in Google will gladly help you.

Great job on this box! The frustration I endured was well worth the lessons learned, and thanks to all that nudged along the way. Feel free to PM if you need help.

PS C:\users\Administrator\Desktop> whoami
whoami
sniper\administrator
PS C:\users\Administrator\Desktop>

Hi guys, does anyone know why the root reverse shell I got says Ncat: Connection from 10.10.10.151:49708. but it is not responding to any command? It is just pending there forever

Found foothold, used it to enumerate, found the target User and found a password that I tested with the Brazilian dance to confirm it’s the User’s password.
I’ve been trying to inject a reverse PowerShell but no luck, so I moved on to trying Invoke-Command directly since the User is part of the proper group, but no luck either, I don’t even get error messages for these attempts.

I would appreciate any nudges please.

Edit: Got user earlier! But still no reverse shell, these injections are just annoying. An AV stopped my reverse PS :disappointed:. Looking for a way to download files.

Stuck with a ■■■■ shell atm trying to priv esc to user C***. Wondering if I could have got a better initial rev. shell or how to improve it…

Update - finally got a better shell as C***

Update: I got Evil connected with the User after finally realizing meterpreter was an option for the RFI.

@trab3nd0 said:

Root: go for the simplest option possible.

The simplest thing I could think of instead of a reverse Admin shell was to Copy the root.txt to my SMB share but it doesn’t seem to be even trying to connect or run my Payload at all :disappointed:

Any nudges?

@gu4r15m0 said:

Update: I got Evil connected with the User after finally realizing meterpreter was an option for the RFI.

@trab3nd0 said:

Root: go for the simplest option possible.

The simplest thing I could think of instead of a reverse Admin shell was to Copy the root.txt to my SMB share but it doesn’t seem to be even trying to connect or run my Payload at all :disappointed:

Any nudges?

You have to read what the CEO said, specifically the last sentence…

@cyberafro said:

You have to read what the CEO said, specifically the last sentence…

I did, I built the file and dropped it there, I’ve tried several things in my Payload but no luck

@kimleepark said:

Hi guys, does anyone know why the root reverse shell I got says Ncat: Connection from 10.10.10.151:49708. but it is not responding to any command? It is just pending there forever

Strange, sounds like a shell wasn’t offered to you. How did you execute the nc from sniper?

@gu4r15m0 said:

@cyberafro said:

You have to read what the CEO said, specifically the last sentence…

I did, I built the file and dropped it there, I’ve tried several things in my Payload but no luck

My initial mistake was making this too complicated. Craft the simplest payload possible and it should work like a charm.

@gu4r15m0 said:

I did, I built the file and dropped it there, I’ve tried several things in my Payload but no luck

Problem, should be with the payload, a typo made me waste 1/2 hour ?

Done!
I thought the only options for the Payload were PS cmdlets or scripts and that wasn’t working, but I can call cmd from there.
Thanks, @Ad0n @trab3nd0 @cyberafro

PS C:\Users\Administrator\Desktop> dir
dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/11/2019   8:13 AM             32 root.txt


PS C:\Users\Administrator\Desktop> whoami /all
whoami /all

USER INFORMATION
----------------

User Name            SID
==================== =============================================
sniper\administrator S-1-5-21-3952461944-2550723483-3555184078-500

Finally - Root Dance and that hurt, banging my head off the desk. Learned lots of new things, especially about Windows PS.

Fun box … frustrating at times but was all part of it … learnt a lot about defender. Spent more time testing things on a Windows VM than usual.