Control

Comments

  • @dag0bert
    If you got the creds you just need to find a way to utilise them. They do work.
    As others have said earlier, you can find some inspiration from ippsec's video about Arkham

    I'm currently stuck after getting user, if anyone is willing to give me a nudge as to where to look then it would be greatly appreciated :)

  • edited March 2020

    Struggling on root with code signing :-(
    Anyone have nudges?

    NVM... Got it.

    Thanks @TRX for this great box!

  • @rholas said:
    current Control set

    This is a good nudge ^ ^

    Watskip

    < Soli Deo Gloria >

  • Right cheers, think I'm past the "bruteforce" part now at least

  • edited March 2020

    @Watskip said:

    @rholas said:
    current Control set

    This is a good nudge ^ ^

    yup!
    Just don't know about this signing code thing. Any nudges?

    UPDATE: Rooted!
    That was quite a trip... learned a ton about PS against the Registry

    PS C:\Windows\system32> whoami /all
    whoami /all
    
    USER INFORMATION
    ----------------
    
    User Name           SID     
    =================== ========
    nt authority\system S-1-5-18
    
    
    GROUP INFORMATION
    -----------------
    ...
    

    Hack The Box

  • Just rooted, didn't do anything about signing tho.

    Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well

  • @FailWhale said:

    Just rooted, didn't do anything about signing tho.

    Maybe the signing part is a way to do it smarter than I did tho. Kinda just bruteforced the last step as well

    Yeah, no signing required, just well known reverse shell tool

    Hack The Box

  • edited March 2020

    ...No longer relevant....

  • I came further now but struggle with the last tiny bit. I get Code Execution as admin through a s***** but neither can spawn a netcat reverse shell nor access the flag. I also managed to escalate user h***** to the administrator group but still can't access the flag, which is super weird. All help welcome.

  • Found that some s****** need a signature, but one doesn't need it and its setup can be changed to run an arbitrary command (like netcat reverse shell) when it is s******

  • I think I completely messed up the box in the end, once h**** became Admin I was able to change a lot more s******* than I was supposed to, my bruteforce changed them all :D Well but still not able to reverse to root or read the flag. Gonna take a break now, still hoping for that little nudge for the last bit.

  • Could you please not DOS the box, that would be helpful!

  • Finally rooted. Thanks to everyone for helping and support ;)

    After all it turned out my exploit would have worked all the time, just made a crap ton of stupid mistakes like misspelling etc. due to being tired and hasty. Lesson learned.

    Thanks to the creator, after all it was a smooth box, but pretty hard.. Couldn't have made it without one or the other nudge.

  • Finally, rooted Control. Thanks to @kinone92. Was fun doing this one together.
    But I have further questions. The final root shell is very unstable. Can anyone who also rooted the machine qm me. Would be interesting to discuss a stable root shell.

  • Finally! User was fun and straightforward. Root was...well, it took me a lot longer than it probably should have! I got lucky and guessed the right avenue, but there are some PS commands you can run to narrow down the scope. Great box!

  • Have a problem searching for PS history, it only shows me my command history, any help?

    mitoOo

  • edited March 2020

    Can someone PM me a hint for user? I can access the admin page, but I'm not a good webapp pentester yet XD. I've enumerated the page, but don't know how to progress.

    NVM: I didn't try the simplest thing.

  • edited March 2020

    Is /uploads/shell.php someone else's file?

    NVM: reset the box, it's someone's file.

  • edited March 2020

    If someone can PM me a hint for initial foothold, I would be eternally grateful :)

    I have reached the admin panel and got files onto the server, but none that I have tried will connect back to me to provide a shell.

    EDIT: Nevermind, got in :)

  • Stuck with s****** during rooting.
    Could someone PM me on enum s******?
    I am able to control some of s******s' I*******h, but still don't know how to get info of s******. Many Access denied.... Thx

    Arrexel

  • edited March 2020

    It's been 2 days, I'm stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv-C****, St-P****. En-P from my machine. I have the creds, but I can't escalate to user. Any nudges will be great :(

    Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

  • @mostwanted002 said:

    It's been 2 days, I'm stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv-C****, St-P****. En-P from my machine. I have the creds, but I can't escalate to user. Any nudges will be great :(

    Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

    That almost got me too :lol:

  • Ok, now I'm stuck on root. Currently enumerating services with builtin windows tools. Thinking d** i******** in a service is the way to go, but not sure...

    Tunnelled ewm to my own box for convenience...

    Can someone PM me a hint for root? Currently researching...but the rabbit holes abound.

  • Hi, I'm stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
    I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :/ Googled and tried to implement but again no success.

    Can anybody DM with educational kick, please.

  • edited March 2020

    @Ric0 said:

    Hi, I'm stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
    I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :/ Googled and tried to implement but again no success.

    Can anybody DM with educational kick, please.

    Did you use a tool to get those creds??? That tool can do a lot more than that.. And maybe you need to put up something

  • @mostwanted002 said:

    @Ric0 said:

    Hi, I'm stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
    I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :/ Googled and tried to implement but again no success.

    Can anybody DM with educational kick, please.

    If you used a tool to get those creds??? That tool can do a lot more than that.. And maybe you need to put up something

    Got user. Thanks @mostwanted002 @oliw. Tool is really more powerful than I thought. Learnt new functionality. PS was much easier for me ;)

  • Rooted.
    A tip: Once you find what to exploit, be quick. It's a game of Cat & Mouse chase. ;)

  • @mostwanted002 said:

    Rooted.
    A tip: Once you find what to exploit, be quick. It's a game of Cat & Mouse chase. ;)

    I thought I had it figured out but it still beats me, could I PM for a nudge on root?

  • @lesleybw said:

    @mostwanted002 said:

    Rooted.
    A tip: Once you find what to exploit, be quick. It's a game of Cat & Mouse chase. ;)

    I thought I had it figured out but it still beats me, could I PM for a nudge on root?

    Sure!

  • Finally rooted this box after 3 days of hard moments.
    Learned a lot from this box regarding win privesc.
    Thanks for all the hints in here and in DM.