Control

Can someone PM me a hint for user? I can access the admin page, but I’m not a good webapp pentester yet XD. I’ve enumerated the page, but don’t know how to progress.

NVM: I didn’t try the simplest thing.

Is /uploads/shell.php someone else’s file?

NVM: reset the box, it’s someone’s file.

If someone can PM me a hint for initial foothold, I would be eternally grateful :slight_smile:

I have reached the admin panel and got files onto the server, but none that I have tried will connect back to me to provide a shell.

EDIT: Nevermind, got in :slight_smile:

stuck with s****** during rooting.
Could someone PM me on enum s******?
I am able to control some of ss’ I*******h. but still don’t know how to get info of s. Many Access denied.… Thx

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

@mostwanted002 said:

It’s been 2 days, I’m stuck with initial shell. I tried almost everything powershell is capable to switch to h*****. Inv***-C****, St***-P****. En***-P*** from my machine. I have the creds, but I can’t escalate to user. Any nudges will be great :frowning:

Edit: Got User. Sometimes you should look at the house of a user. The way we need to address them :disappointed:

That almost got me too :lol:

Ok, now I’m stuck on root. Currently enumerating services with builtin windows tools. Thinking d** i******** in a service is the way to go, but not sure…

Tunnelled ewm to my own box for convenience…

Can someone PM me a hint for root? Currently researching…but the rabbit holes abound.

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried to implement but again no success.

Can anybody DM with educational kick, please.

@Ric0 said:

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried to implement but again no success.

Can anybody DM with educational kick, please.

Did you use a tool to get those creds??? That tool can do a lot more than that… And maybe you need to put up something

@mostwanted002 said:

@Ric0 said:

Hi, I’m stuck on initial shell. I extracted two users h*** & m***** and creds using sm.
I do not know how to move forward. I tried we**l and evil but I feel I need proxy/tunnel something but do not know how :confused: Googled and tried to implement but again no success.

Can anybody DM with educational kick, please.

If you used a tool to get those creds??? That tool can do a lot more than that… And maybe you need to put up something

Got user. Thanks @mostwanted002 @oliw. Tool is really more powerful than I thought. Learnt new functionality. PS was much easier for me :wink:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

@mostwanted002 said:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

I thought I had it figured out but it still beats me, could I PM for a nudge on root?

@lesleybw said:

@mostwanted002 said:

Rooted.
A tip: Once you find what to exploit, be quick. It’s a game of Cat & Mouse chase. :wink:

I thought I had it figured out but it still beats me, could I PM for a nudge on root?

Sure!

Finally rooted this box after 3 days of hard moments.
Learned a lot from this box regarding win privesc.
Thanks for all the hints in here and in DM.

I think I found the ser***** but having a hard time figuring out how to exploit it. I don’t understand how they can be exploited through AC*s

EDIT: Managed to get root thanks to some help! Did it through custom ps script that bruteforces all Ser***** so not really clean, but it did the job. Very nice box!

I found the s****** where I can inject a r** s****, but don’t know how to restart the s*******. Any hint will do.

Edit: Rooted! Thanks @TRX. PM if you’re stuck.

PS C:\Windows\system32> whoami
nt authority\system

Finally rooted! Root was tricky and hectic. Thanks to @mostwanted002 for the nudge on root.
PM for nudges!

Been working on the s****** angle for a while and I’m curious how a brute force proceeds after the i******** is updated? Trying to work it out in PS if I can. The normal PS function to do the thing doesn’t appear to work (or my shell is awful).

I could really use a nudge. I got the 2nd user, and saw the ps history that gives a clue. I know what I have to do, but am struggling finding how to actually manipulate it now that the normal ways to mess with this stuff are gimped on this box. Just need some nuts-and-bolts help, if someone has a few seconds.

If anyone needs nudges for initial foothold or help with pivoting to the other user, hit me up on discord- NeilTyson#6401

Can anyone help me with the initial foothold? I got the admin.php page, now stuck on the next step.