Sniper

Rooted! Thank you so much to @5ysk3y @halfluke @eviltor13 and @metuldann. Seriously could not have done it without you guys. I learned a ton and had so much fun. @5ysk3y, you saved the day. RESPECT!

Spoiler Removed

Edited: Got root, still don't know why I******t doesn't work, learned a lot about settings and Windows files
Initial: Understand how to set up a service server (xxx.conf) and debug it (log.xxxx)
User: in front of you
Root: read files and guess the flow, google it and try harder

Spoiler Removed

Finally rooted. That was quite a ride. Super fun, but I couldn’t have done it without all the comments in this forum.

Foothold: Probably the most interesting part of this box. If you read through all previous comments and rely on native tools, you’ll be fine. Once you’re on the box, see what you can do with your new powers and use common networking tools to get a proper shell.

Priv esc from user 1 to user 2: Built-in PowerShell commands are enough. Watch ippsec’s Arkham video if you need help.

Root: Look for that special file everyone keeps talking about and read the CEO’s note very carefully. If your payloads aren’t working, a very nice n…… script will do 95% of the work for you.

Got root, nice ride on this Machine.
There are already a lot of useful hints here, but I recommend the one on page 12 from @Countably.
If you are struggling to go from user1 to user2, don’t mess around too much with scripting. I wasted 2 days on that and finally found a different way.

I’ve managed to get a webshell but am struggling to get a reverse shell. Hope I get it soon.

Anyone else getting issues with PS remoting?
I just get an error about computer name valid and firewall exception. It's driving me mad.
Tried 2 different PCs with the same issue.

Hi, could someone explain to me why on the initial foothold i*******-s******** doesn’t work but s***** does?

Hi, stuck at root. None of the scripts work for me, but they work when I test them on my computer. Appreciate any help.

Finally got a low priv reverse shell and escaped the terrible webshell (The webshell is great! But I always prefer netcat reverse shells!). Overcomplicated things so much. If you’re stuck somewhere on this box, the best thing would probably be to step back for a second, look at your enumeration, and try different things.

Got user!

Finally got the box! Thank you MinatoTW and felamos! Fun box.

I did get the root flag in the end, but no working shell. Anyone care to DM as to what payload would work to get an actual admin shell? Thanks in advance.

Finally got root… I learned a lot of PowerShell and Win on the way. Thanks!

Struggling with getting escalated to second user and getting a shell back. Tried everything I can think of. Running as - invoking - running script to pass creds. I’m out of ideas.
If someone can message me and give me a hand, it’d be much appreciated.
It will no doubt be something small that I’m missing. Cheers

I just got root on Sniper! What an amazing box! Loved every single thing about it, loved the initial foothold, loved the privesc! Every part of this box taught me something. If you’re stuck, don’t hesitate to PM me for clues, everyone is welcome!

PS C:\Windows\system32> whoami
sniper\administrator
PS C:\Windows\system32>

Cheers! @MinatoTW & @felamos for my first Win medium box. I have learned a lot from this box.

All the hints have been mentioned; having a Win VM will help along the way.

Still cannot get a connection back to my ss***, using I******T scripts. Could use some advice before Sniper goes away, thanks.

@bugeyemonster said:

> Still cannot get a connection back to my ss***, using I******T scripts. Could use some advice before Sniper goes away, thanks.

Check your settings

OK, I am still stuck on this.
I have the initial shell and credentials.
I then try to use Windows PowerShell to invoke; however, I get a generic error message:

WinRM cannot complete the operation. Verify that the specified computer name is valid,
that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and
allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote
computers within the same local subnet.

I can traceroute to Sniper without any issues and can ping.

Either I am trying something wrong or it's my attacker machine; however, I have tried another 3rd machine and it does the same thing, so it must be something I am doing.