Control

Hi guys need a little help with control for the root foothold, i currently have a stable foothold with the user H***** , currently enumerating the system with the u

@ricanlinux said:
Hey has the box been changed? Last night I was able to get shell by loading c**.*** and running some commands. Now I am doing the exact same thing and getting nothing back…

lol this is the reason why i finally went to a vip account.

Finally rooted was super cool box . A lot of added value . Learnt more stuff in Windows exploitation .BIG THANKS @Ad0n for the nudge for my approach to root

Very good machine,

A great lessons for a Windows guy.

I took my time to understand what happen at the beggining, after my first injection I cam see where use my creds.

Root was to informative, this really show you how to use permissions and after check history everything its straigh forward.

Thanks to @TRX for the challenge …

Got user, thanks to a nudge from @chvancooten

On to root…

I’m on root, i found a s****** that i can change in the r******* whose : N**
The problem is nothing happens when i run the s****** with sv*****.exe, is it a rabbit hole ?

I am trying to figure it out which is the required thing to access admin page

@Selcius said:

I’m on root, i found a s****** that i can change in the r******* whose : N**
The problem is nothing happens when i run the s****** with sv*****.exe, is it a rabbit hole ?

If nothing happens, try with another one, there are a few more.

@zyaya said:
I am trying to figure it out which is the required thing to access admin page

Use your head :wink:

Rooted yesterday forgot to mention sorry , changed the s******* but still very unstable box even after i had my PS it crashes after 1min, anyway thanks @cyberafro for the advice and thanks @Watskip

Actually I was able to advance without it :smiley:

Finally got root on this box. A crazy train of trial and error! Hints in this thread are very helpful in directing efforts, but finding information from the AC*s was challenging and I ended up bruteforcing certain steps as others suggested. I’m not sure I could have solved without seeing some other users’ scripts floating on the server.

For anyone with (Windows) server admin experience, I would like to ask how the privesc vulnerability in this box might come about in a real-world scenario? Would it be reasonable to look for issues like this in a real-world pentest, and if so, how far down the list of checks might it be priority-wise?

Feel free to PM for hints on user or root.

A fun and educational machine. Thanks to @Propolis for giving advice on pretty much penultimate part towards root. The machine will make you dig really deep and lets you automate the stuff yourself. Good practice for people who like to automate using PS.

I am currently at the point where I do have a shell as I**R. No idea how to progress on to user. Am I missing something?

Type your comment> @dag0bert said:

I am currently at the point where I do have a shell as I**R. No idea how to progress on to user. Am I missing something?

Did you get the creds from the same source that gave you the shell injection?

Type your comment> @TazWake said:

@syn4ps said:

How do you start it if you do not have rights to do so? I get access denied using net or wmic :confused:

@Crafty said:
I have the exact same problem…

If someone could throw a nudge for the trigger part, it will be very appreciated.

If you dont have the rights to do it, you might be in the wrong user account, the wrong service or maybe there is a problem with the tool.

First you need to find a thing you do have rights over.

Then its a registry tweak. I dont know what you are trying to do with net or wmic.

Then its start it up.

Then it should be shell dance.

Completely stuck here.
I found a few services I can see, actually was able to start one that wasn’t running but can’t stop it.

No idea what to do with it or if there’s another one.

Any nudges?

Type your comment> @gu4r15m0 said:

Did you get the creds from the same source that gave you the shell injection?
I did get a password from a different context, that does not seem to work for user h****r.

@dag0bert
If you got the creds you just need to fine a way to utilise them. They do work.
As others have said earlier, you can find some inspiration from ippsecs video about Arkham

Im currently stuck after getting user, if anyone is willing to give me a nudge as where to look then it would be greatly appreciated :slight_smile:

Struggling on root with code signing :frowning:
Anyone have nudges?

NVM… Got it.

Thanks @TRX for this great box!

@rholas said:
current Control set
This is a good nudge ^ ^

Right cheers, think Im past the “bruteforce” part now at least