Resolute

I can no longer connect to winrm. Took a couple weeks off the box so perhaps something was changed, or maybe something wrong on my end? I have the valid user/pw combo for the two users and previously had been using the evil tool to connect to the box successfully (with both the aforementioned users). Just trying to work on root privesc.

I reset the box a couple times to no avail. If someone knows what’s up please shoot me a msg, thanks.

Type your comment> @bodyrot said:

I can no longer connect to winrm. Took a couple weeks off the box so perhaps something was changed, or maybe something wrong on my end? I have the valid user/pw combo for the two users and previously had been using the evil tool to connect to the box successfully (with both the aforementioned users). Just trying to work on root privesc.

I reset the box a couple times to no avail. If someone knows what’s up please shoot me a msg, thanks.

I can confirm the evil tool is still working to connect as I have been using it all day trying to get root.

Mouse51180 said:

I can confirm the evil tool is still working to connect as I have been using it all day trying to get root.

Thanks for letting me know, maybe it has to do with me switching servers earlier in the day.

EDIT:
Haha, wow. Note to self. Take better notes and thoroughly read the help blurb for tools. Was using -ip flag for the ip instead of -i. YEEEESH! Anywho, crisis averted.

Type your comment> @Mouse51180 said:

Type your comment> @glezo1 said:

Hummm I’m completely stucked here…
I think I shall upload a payloaded d-- and compromise the d–c-d program, but, no matter how I generate the payloaded d-- with m–v—m, the AV keeps detecting it.
Any word of advice by PM, pleeease?

I think im in the same boat as you. Cant seem to get my privilege escalation to work. How do you know its the AV that keeps detecting you? Is there something you are checking or see that states the AV picked it up?

Hey!
My d-- files keeps being deleted… so… there’s a really funny user, or, more likely, the AV is cathing the payloaded d–, no matter what I try.

Rooted! :smiley: Hoorray!!!

C:\Users\Administrator\Desktop > getuid
Server username: NT AUTHORITY\SYSTEM
C:\Users\Administrator\Desktop > dir
100444/r–r–r-- 32 fil 2019-12-03 16:31:54 +0100 root.txt

Wow! Finally rooted!! :smiley:

The user.txt has been challenging because I didn’t enumerate enough initially :wink:
The root part has been super easy once found the right ms*t module!

By the way, I also tried the D** Inj******* method but had troubles with the AV; I’d be really interested if someone could please explain how to bypass it…

Root Owned!
Thanks to @EvilT0r13 for helping me at the last parts. Got a new tool in my arsenal to use now.

When i run d*md command it does not contact my smbserver do not know why but stuck here. I have everything to get root but can’t get my D to resolute. Any help would be very much appreciated.

Hey all!!
I can’t get my privilege escalation to work and i don’t know why, i did :
d** in through dd ,payload generated with mm.Everything seems working normally but it just doesn’t give m*** user the access :neutral: . Any help please ??

Rooted it now. I tried the same technique for privesc several times and it didn’t work at first but after the 7th or 8th time it worked out. Does anybody know why?

I have access to the machine with the user m… and read on some post here they needed to search on C:\ but I don’t know what to look for… Can you give me some tips

I got the same issue @DeadFish could you pm me when you find the solution ? or any could nudge me please

Rooted, what a great box. Leant loads on this one so a massive thanks to the creator,

User hint : enumerate the obvious services and you will find some creds to use.

Root hint : This took me ages but look at the key service running on the box (the box name helps here) and the group membership of the user. Then google the service and how it can be configured from the command prompt. Dont give up on first attempt.

Enjoy.

Nugget!

Fun box, had a good time with it.

User: easy, just make sure you enumerate everything you can’t see.

I did root both ways, first method: Look at the users and groups they belong to. From there you can leverage yourself.
Second method: easy script, nothing to add.

Hit me up for more nudges.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt

PM if you need help

I have been looking for hours and cant find any info for 2nd user. Any help/nudge is appreciated.

im on 2nd user trying to execute the next step to root and hitting a wall for hours. if anyone can check my syntax or provide nudges offline I’d appreciate it

EDIT: rooted. Thanks to the author, learned a lot on this box :slight_smile:

Finally Rooted…pheww

C:\Windows\system32>hostname && whoami
hostname && whoami
Resolute
nt authority\system

Ajjj! I have remote shell, user got, but dont know to try privesc