I’m trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?
I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.
What am I missing? Is this in the right direction?
Just log in with those credentials
Probably I’m overthinking this but I have tried the regular f** client, s** client, nf*, and win** with a Python script, which gives me (the specified credentials were rejected by the server).
I thought of using the TV client and connecting with the information I got on r*****. But that doesn’t work either.
Can someone jump into DM so I can explain what I have been doing? Thanks in advance.
@HomeSen Thanks for pointing out that I was using the wrong encoded value!
ROOT Hint: There is more than one value encrypted, so pay attention to which one to use
Hi there, can someone help with the TV approach? Found the pwd, but don’t know where to use it. And about the enumeration method, ps says it did use the “service” ps1 command thing, but it does nothing. Strange, cuz a lot of people have been able to elevate via the enum method.
UPD: Rooted using the TV method. Really interested in how to root it the other way
PM for a nudge. But I really have no idea why the US method doesn’t work. It doesn’t add a user nor run a cmd via abuse, weird
Neglected to add notes previously -
I’ve re-rooted the box using the TV way (after first time going via service).
The second way is also nice
Thanks again…
Root hint for u****c way:
Don’t forget to stop “the thing” before trying anything on it, and also forget the “PS thing” if you’re using it to exploit the vuln. The manual way works better.
Also this page may help you: Windows elevation of privileges
Rooted. First tried the u****c way, but I couldn’t get it working. Was it patched or something, as user creation did not work? Then tried the TV way, rather straightforward. Very nice box overall.
I have gotten the creds from the N** directory but logging into UM***** gives a completely white page, and trying the POC always results in “Connection Reset by Peer”. Although printing the cookies tells me it’s logged in.
It always resets on
I have user, have a shell, used P***U.**1 to abuse a service - worked but cannot for the life of me get logged in as administrator. runas didn’t work … I am sure I am overthinking this.
Could someone give me a hint about root? I think I’ve tried both approaches and still I can’t get it, it fails at the last step. PM if you want and I’ll tell you what I’ve been trying!!
Nice Windows box, it’s very realistic and the software you have to exploit is quite common and widespread. Below are some hints:
Foothold: it’s easy to identify the first service, it’s also easy to get access to an unprotected share, then just Google where the juicy information is stored.
User: if you are here you know what to do now, so read the PoC and think about what can be more useful to run on a Windows box instead of calc.exe
Root: I owned the box following the “Remote” way, so again identify the service that is not on a default Windows installation and google for vulnerabilities of that particular version, then there is an msf module to complete the task.