Control

Rooted yesterday, forgot to mention, sorry. Changed the s******* but it’s still a very unstable box; even after I had my PS it crashes after 1 min. Anyway, thanks @cyberafro for the advice and thanks @Watskip.

Actually I was able to advance without it :smiley:

Finally got root on this box. A crazy train of trial and error! Hints in this thread are very helpful in directing efforts, but finding information from the AC*s was challenging and I ended up bruteforcing certain steps as others suggested. I’m not sure I could have solved without seeing some other users’ scripts floating on the server.

For anyone with (Windows) server admin experience, I would like to ask how the privesc vulnerability in this box might come about in a real-world scenario? Would it be reasonable to look for issues like this in a real-world pentest, and if so, how far down the list of checks might it be priority-wise?

Feel free to PM for hints on user or root.

A fun and educational machine. Thanks to @Propolis for giving advice on pretty much the penultimate part towards root. The machine will make you dig really deep and lets you automate the stuff yourself. Good practice for people who like to automate using PS.

I am currently at the point where I do have a shell as I**R. No idea how to progress on to user. Am I missing something?

@dag0bert said:

I am currently at the point where I do have a shell as I**R. No idea how to progress on to user. Am I missing something?

Did you get the creds from the same source that gave you the shell injection?

@TazWake said:

@syn4ps said:

How do you start it if you do not have rights to do so? I get access denied using net or wmic :confused:

@Crafty said:
I have the exact same problem…

If someone could throw a nudge for the trigger part, it will be very appreciated.

If you don’t have the rights to do it, you might be in the wrong user account, the wrong service or maybe there is a problem with the tool.

First you need to find a thing you do have rights over.

Then it’s a registry tweak. I don’t know what you are trying to do with net or wmic.

Then it’s start it up.

Then it should be shell dance.

Completely stuck here.
I found a few services I can see, actually was able to start one that wasn’t running but can’t stop it.

No idea what to do with it or if there’s another one.

Any nudges?

@gu4r15m0 said:

Did you get the creds from the same source that gave you the shell injection?
I did get a password from a different context, that does not seem to work for user h****r.

@dag0bert
If you got the creds you just need to find a way to utilise them. They do work.
As others have said earlier, you can find some inspiration from ippsec’s video about Arkham.

I’m currently stuck after getting user, if anyone is willing to give me a nudge as to where to look then it would be greatly appreciated :slight_smile:

Struggling on root with code signing :frowning:
Anyone have nudges?

NVM… Got it.

Thanks @TRX for this great box!

@rholas said:
current Control set
This is a good nudge ^ ^

Right, cheers, think I’m past the “bruteforce” part now at least.

@Watskip said:

@rholas said:
current Control set
This is a good nudge ^ ^

yup!
Just don’t know about this signing code thing. Any nudges?

UPDATE: Rooted!
That was quite a trip… learned a ton about PS against the Registry

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------
...

Just rooted, didn’t do anything about signing tho.

Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well.

@FailWhale said:

Just rooted, didn’t do anything about signing tho.

Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well.

Yeah, no signing required, just well known reverse shell tool

Found that some s****** need a signature, but one doesn’t, and its setup can be changed to run an arbitrary command (like a netcat reverse shell) when it is s******
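For the earlier question about how this comes up on real servers, here is an added example that is not part of any post in this thread: a defender-side PowerShell audit that lists service keys under `CurrentControlSet\Services` whose ACL lets a non-administrative principal change the service configuration. The function name `Get-WeakServiceKeyAcl` and the trusted-principal list are assumptions for illustration; the list uses English account names and should be adjusted to the local baseline.

```powershell
# Added example: audit service registry keys for write access granted to
# principals outside an expected administrative baseline.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Rights that allow rewriting service values or the key's ACL/owner,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that inherit-only ACEs may carry.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Principals expected to hold write access (assumption: English-language system).
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Get-WeakServiceKeyAcl {
    param([string]$Path = $root)

    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop }
        catch { continue }   # key not readable by the auditing account

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }

            # Anything reported here can alter how the service is launched.
            [pscustomobject]@{
                Service   = $key.PSChildName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WeakServiceKeyAcl | Sort-Object Identity, Service | Format-Table -AutoSize
```

Rows with `Inherited = True` usually point at an over-permissive ACE on the parent `Services` key itself, which is the one to correct first.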

Finally, rooted Control. Thanks to @kinone92. Was fun doing this one together.
But I have further questions. The final root shell is very unstable. Can anyone who also rooted the machine PM me? Would be interesting to discuss a stable root shell.

Finally! User was fun and straightforward. Root was…well, it took me a lot longer than it probably should have! I got lucky and guessed the right avenue, but there are some PS commands you can run to narrow down the scope. Great box!

Have a problem searching for PS history, it only shows me my command history. Any help?

Can someone PM me a hint for user? I can access the admin page, but I’m not a good webapp pentester yet XD. I’ve enumerated the page, but don’t know how to progress.

NVM: I didn’t try the simplest thing.