Rooted! Went down a rabbit hole after getting initial foothold which cost me a day of wasted effort, but woke up this morning and remembered to go back to basics, and then it all fell into place. Got a bit hung up trying to shift user identities, until I realised I didn’t need to, to get user. Once you get user, root is like 3 mins more work.
My advice - don’t get ahead of yourself thinking you’ve got it in the bag once you get the initial exploit - you still need actual user creds to get the flags.
Can someone drop a note with a nudge? I already got a reverse shell but have been spending many hours looking around files/directories, and my findings are not working to get root :neutral:
If you have a reverse shell which got you the user flag, then you do a very similar thing to get root.
If you haven’t got user yet, you need to enumerate quite hard on this box. There are good techniques for searching for what you need and it helps a lot if you have a PowerShell shell.
Thanks TazWake, already rooted this machine, lot of enumeration
Rooted! That was a fun box and I learned a lot doing it. It was interesting being that root was the exact same as user. If you get one, you have the other too.
The hardest part was the ‘hashes’. If you’re struggling with that, read the file more and read up on the class you see.
Took some time off this box after getting stuck on a reverse shell part. Found my reverse shell issue was just an issue involving slashes (so mad I had the right way about it but just making a stupid mistake wasted hours and caused me to try alternate routes). After that it is pretty simple.
Running the script, I’m able to view the host file, run basic commands, ping myself, download files from my hosted web server, but not able to write to a file or execute scripts directly from memory. I’m using PS for commands on the box, as CMD output was unreliable. I’m searching for a writable directory to save my shell binary but am not finding anything. I’ve tried diff variations of temp directories, but not seeing any indications from script output that files are saving. Any nudges on writable directories or course correction to gain initial shell?
I understand I am a little out of practice, but what I’m missing in here is beyond the rustiness I could have. Could someone ping me and assist with nudges? I have a remote shell and certain files. I can’t import a certain XML file to then try and retrieve the creds, as it errors out.
Happy to help if I can but I don’t know what XML file you are trying to import.
I am having trouble with the last part too. I got into the machine, and I am having trouble finding the right file, or maybe I have seen it but I don’t know how to use it.
ROOTED!! Wow, that was definitely a nice ride and a different kind of machine. Thanks to @TazWake for the nudge and congrats to @egre55 for another great box!
Some help over here!! … This OS is very peculiar. I have the shell but I’m not able to see any user in the Users folder. Also, I tried something like SystemInfo with my terminal and it does not exist. I tried the userprofile folder and it doesn’t have anything!!! Currently I have the shell but without any user :S …
Currently I have access to both users, moving to another part of the disk!! The last part comes with crypto… right?
I’m stuck even after logging in with user and password. When I try to import the flags I get this error: “Error occurred during a cryptographic operation.” Before that I had this message: “Access to the path ‘***********’ is denied.”
I did all my research and saw that I must import, but I have those errors.
Am I missing something else, or is the cryptographic operation not working properly?
I am able to write Powershell files, execute the Powershell scripts written, but I am failing to execute any of the usual PS reverse shells I’ve used in the past. Could someone PM me with some help. Thanks.