Control

Finally! User was fun and straightforward. Root was…well, it took me a lot longer than it probably should have! I got lucky and guessed the right avenue, but there are some PS commands you can run to narrow down the scope. Great box!

have a problem searching for ps history , it only shows me my command history , any help ?

Can someone pm me a hint for user? I can access the admin page, but im not a good webapp pentester yet XD. I’ve enumerated the page, but dont know how to progress.

NVM: i didn’t try to simplest thing.

is /uploads/shell.php someone else’s file?

NVM: reset the box, its someones file.

If someone can PM me a hint for initial foothold, I would be eternally grateful :slight_smile:

I have reached the admin panel and got files onto the server, but none that I have tried will connect back to me to provide a shell.

EDIT: Nevermind, got in :slight_smile:

stuck with s****** during rooting.
Could someone PM me on enum s******?
I am able to control some of ss’ I*******h. but still dont know how to get info of s. Many Access denied.… Thx

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

Type your comment> @mostwanted002 said:

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

That almost got me too :lol:

Ok, now I’m stuck on root. Currently enumerating services with builtin windows tools. Thinking d** i******** in a service is the way to go, but not sure…

Tunnelled ewm to my own box for convenience…

Can someone PM me a hint for root? Currently researching…but the rabbit holes abound.

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not not how move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried implement but again no success.

Can anybody DM with educational kick, please.

Type your comment> @Ric0 said:

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not not how move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried implement but again no success.

Can anybody DM with educational kick, please.

Did you use a tool to get thosw creds??? That tool can do a lot more than that… And maybe you need to put up something

Type your comment> @mostwanted002 said:

Type your comment> @Ric0 said:

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not not how move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried implement but again no success.

Can anybody DM with educational kick, please.

If you used a tool to get thosw creds??? That tool can do a lot more than that… And maybe you need to put up something

Got user. Thanks @mostwanted002 @oliw. Tool is really more powerful I thought. Learnt new functionality. PS was much easier for me :wink:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

Type your comment> @mostwanted002 said:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

I thought I had it figured out but it still beats me,could I PM for a nudge on root?

Type your comment> @lesleybw said:

Type your comment> @mostwanted002 said:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

I thought I had it figured out but it still beats me,could I PM for a nudge on root?

Sure!

Finally rooted this box after 3 days of hard moments.
Learned a lot from this box regarding win privesc.
Thanks all hints in here and in DM.

I think I found the ser***** but having a hard time figuring out how to exploit it. I dont understand how they can be exploited through AC*s

EDIT: Managed to get root thanks to some help! Did it through custom ps script that bruteforces all Ser***** so not really clean, but it did the job. Very nice box!

I found the s****** where I can inject a r** s****, but don’t know how to restart the s*******. Any hint will do.

Edit: Rooted! Thanks @TRX. PM If your stuck.

PS C:\Windows\system32> whoami
nt authority\system

Finally Rooted ! Root was tricky and hectic . Thanks to @mostwanted002 for the nudge on root .
PM for nudges !

Been working on the s****** angle for a while and I’m curious how a brute force proceeds after the i******** is updated? Trying to work it out in PS if I can. The normal PS function to do the thing doesn’t appear to work (or my shell is awful).