Control

@dag0bert said:

I am currently at the point where I do have a shell as I**R. No idea how to progress on to user. Am I missing something?

Did you get the creds from the same source that gave you the shell injection?

@TazWake said:

@syn4ps said:

How do you start it if you do not have rights to do so? I get access denied using net or wmic :confused:

@Crafty said:
I have the exact same problem…

If someone could throw a nudge for the trigger part, it will be very appreciated.

If you don’t have the rights to do it, you might be in the wrong user account, the wrong service, or maybe there is a problem with the tool.

First you need to find a thing you do have rights over.

Then it’s a registry tweak. I don’t know what you are trying to do with net or wmic.

Then it’s start it up.

Then it should be shell dance.

Completely stuck here.
I found a few services I can see, actually was able to start one that wasn’t running but can’t stop it.

No idea what to do with it or if there’s another one.

Any nudges?

@gu4r15m0 said:

Did you get the creds from the same source that gave you the shell injection?
I did get a password from a different context, that does not seem to work for user h****r.

@dag0bert
If you got the creds you just need to find a way to utilise them. They do work.
As others have said earlier, you can find some inspiration from ippsec’s video about Arkham.

I’m currently stuck after getting user. If anyone is willing to give me a nudge as to where to look, it would be greatly appreciated :slight_smile:

Struggling on root with code signing :frowning:
Anyone have nudges?

NVM… Got it.

Thanks @TRX for this great box!

@rholas said:
current Control set
This is a good nudge ^ ^

Right, cheers, think I’m past the “bruteforce” part now at least

@Watskip said:

@rholas said:
current Control set
This is a good nudge ^ ^

yup!
Just don’t know about this signing code thing. Any nudges?

UPDATE: Rooted!
That was quite a trip… learned a ton about PS against the Registry

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name           SID     
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------
...

Just rooted, didn’t do anything about signing tho.

Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well

@FailWhale said:

Just rooted, didn’t do anything about signing tho.

Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well

Yeah, no signing required, just a well-known reverse shell tool

Found that some s****** need a signature, but one doesn’t need it and its setup can be changed to run an arbitrary command (like a netcat reverse shell) when it is s******
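The posts above describe an escalation path through registry settings under the current control set that a low-privileged account is able to change. As an added example (not code from any poster in this thread), here is one way an administrator could audit a host for that class of misconfiguration; the list of trusted principals is an assumption based on a default Windows baseline and should be adjusted to the environment.

```powershell
# Added example: report service registry keys whose ACL lets a
# non-administrative principal change the service configuration.
# Run from an elevated prompt on a host you administer.
$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$rights  = [System.Security.AccessControl.RegistryRights]
$sidType = [System.Security.Principal.SecurityIdentifier]

# Rights that allow changing values such as ImagePath, or rewriting the ACL.
$writeMask = [int]($rights::SetValue -bor $rights::CreateSubKey -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership)

# Principals expected to hold write access (assumed baseline).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0'         # CREATOR OWNER
)
$trustedPrefix = 'S-1-5-80-'   # NT SERVICE\* accounts, including TrustedInstaller

Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
    catch { return }   # key not readable: skip it

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Note: generic rights on inherit-only ACEs are not decoded here.
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }

        $sid = $ace.IdentityReference.Value
        if ($trusted -contains $sid -or $sid.StartsWith($trustedPrefix)) { continue }

        $item = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $key.PSChildName
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            ImagePath = $item.ImagePath
        }
    }
}
```

Any row in the output is a key where the listed SID should have its write access removed or the grant justified; pairing this with auditing (SACLs) on the same keys gives a detection signal when a value such as ImagePath is changed.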

Finally, rooted Control. Thanks to @kinone92. Was fun doing this one together.
But I have further questions. The final root shell is very unstable. Can anyone who also rooted the machine PM me? It would be interesting to discuss a stable root shell.

Finally! User was fun and straightforward. Root was…well, it took me a lot longer than it probably should have! I got lucky and guessed the right avenue, but there are some PS commands you can run to narrow down the scope. Great box!

I have a problem searching for PS history: it only shows me my command history. Any help?

Can someone PM me a hint for user? I can access the admin page, but I’m not a good webapp pentester yet XD. I’ve enumerated the page, but don’t know how to progress.

NVM: I didn’t try the simplest thing.

Is /uploads/shell.php someone else’s file?

NVM: reset the box, it’s someone’s file.

If someone can PM me a hint for initial foothold, I would be eternally grateful :slight_smile:

I have reached the admin panel and got files onto the server, but none that I have tried will connect back to me to provide a shell.

EDIT: Nevermind, got in :slight_smile:

Stuck with s****** during rooting.
Could someone PM me on enum s******?
I am able to control some of ss’ I*******h, but still don’t know how to get info of s. Many Access denied… Thx

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

@mostwanted002 said:

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

That almost got me too :lol: