Shooted. Dm for any help.
I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modification to my .y** file. Any nudges? Feel free to PM.
@s00ner said:
I am completely stuck. I have created my l*****.y** file, uploaded it where it needs to go, I can see the server request my exe, and then nothing. Tried a million different shells and modification to my .y** file. Any nudges? Feel free to PM.
try to use m********r payload created with msfvenom
try to use m********r payload created with msfvenom
That's what I've been trying (among other payloads) with no luck so far.
*edit: I figured it out. I was missing a flag in msfvenom the whole time.
Took me forever to get the initial foothold since I was trying to copy an article a bit too much. Getting to root was relatively smooth after I fixed how I was asking for information from the other service. Feel free to message me for a nudge!
So my listener is picking up the connection after pushing the .y*, but no response after that Anyone else run into this?
Growing increasingly frustrated with this box. I checked with several people who have gained a foothold on what to do, and the method I'm employing seems to be correct (using the l*****.y***). Just like @3xxu5 I can see the requests coming into my server, but no response. Tried multiple payloads, multiple methods and even several computers - none work.
Any help with this box would be greatly appreciated. Perhaps I'm missing something… DM me if you think you can help?
Rooted!!.. That was the hardest medium box I have ever done… The user was quite obvious after the right google search tho, but the root was a pain.
Initial foothold/User
- Portable Document Formats files can give you a lot of information
- Sometimes following the exact same thing you see may not be useful… Play with it a bit… See where the real vulnerability is
Root
- Go back to your scans… See what services may use passwords.
- If you download a movie, where would it be saved?
Hope these hints would help you a bit. If you need help, DM me. I will try to get you on track.
Finally got user… this took SO much fiddling for me. I knew exactly what the exploit was, but all these different little details were killing me.
Rooted !
User : basic scanning and enumeration will tell you what to do and what to look for,
you will find something which will give some information to further go on.
Root : look for the installed applications/application files and the opened ports,
connect these two, you may find a way.
DM me for nudges
finally rooted! user was honestly a lot harder than root imo, since the steps to it are pretty vague.
User/foothold: Enumerate like how you usually would, at some point you should stumble across something that will vaguely point you in the right direction. Now do some google fu. If you're like me, make sure not to be lazy at reading and researching, you'll only waste your time if you copy something without understanding it.
root: Enumerate the target machine as usual. You might stumble across something that will give you deja vu. If not, look at what's being used on the machine, and what ports are open, and google some stuff again. Once you connect the dots privesc is pretty straightforward and is the easier part of this box imo.
After a painfully long time I finally rooted it. A lot of it has to do with the fact that this is the first windows box I've attempted in months, but it's still fairly difficult if you're unaware of what you're supposed to be looking for.
Tips for user: This one came to me fairly quickly, not sure if it was blind luck or what, but it's fairly easy to come by during your usual enumeration checklist. It may seem like a far reach to begin with, but doing a bit of googling will show you exactly what you need. In my case it was the first search result.
Tips for root: Honestly, without a sanity check from a helpful user I probably would've ignored this or left it until last. As previous people have mentioned, this service is sending outbound connections; that information tied with a short winpeas search will hopefully give you all you need. It may take you a hot minute to figure out what to do with what you find from that service, but enumerating some common places in the user folder will lead you to your answer.
Hello everyone,
I'm stuck on the foothold and would appreciate some help… I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and use mi/h***r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports, I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding))
Would any of you know what could be the cause?
Thank you and happy hacking!
Hi,
I just got user and I was having the same issues as you about the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.
If still stuck let me know.
Pepe
@Netpal said:
Hello everyone,
I'm stuck on the foothold and would appreciate some help… I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and use mi/h***r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports, I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding))
Would any of you know what could be the cause?
Thank you and happy hacking!
When getting the foothold, you may have to play with the .**l file a bit. Don't just follow the POC. Understand what the real vulnerability is. Then make your own exploit. Remember what a "null byte" is and that you have to remove bytes like them.
If you get stuck DM me.
@pp123 said:
Hi, I just got user and I was having the same issues as you about the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.
If still stuck let me know.
Pepe
Hi @pp123, thank you for your answer! Well, I've been following the article from the start… My file contains a "'" in its name, as indicated in the article. I also tried to exclude bad characters from the payload as suggested by @kavigihan, but it doesn't work either.
I'm starting to wonder if the issue could come from Metasploit, because I had warnings when using mv*m (due to a recent ruby gems update I think). I resolved those warnings by tinkering with commands, but there may still be a problem…
At this point I'd be grateful if someone could just PM me their command to generate the payload.
Thank you!
Edit: I got it! It worked with another payload… I was blindly following an advice to use a meterpreter one, but it worked with another one!
Hey everyone!
I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?
I finally found a command that works, but I ask out of curiosity. Prior to finding that command, I tried various Powershell and "normal" Windows commands containing quotes in them and they all crashed my reverse shell (Session manipulation failed: Unmatched double quote). Do you guys know why?
Also, what .exe do you use? I just tried with x64 but it doesn't work (that's what I used in my msf***** payload).
Thanks!
@Netpal said:
Edit: I got it! It worked with another payload… I was blindly following an advice to use a meterpreter one, but it worked with another one!
I got it working with a meterpreter payload.
I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?
I didn't upload WinPEAS, but I had a meterpreter shell and could just use the upload option.
There are a lot of ways you can send data to boxes though:
- powershell
- curl
- LOLBAS
- SMB
(Session manipulation failed: Unmatched double quote). Do you guys know why?
Sounds a bit like a typo in the command, possibly failing to escape something.
@TazWake said:
Hi @TazWake, thank you for your answer.
@Netpal said:
Edit: I got it! It worked with another payload… I was blindly following an advice to use a meterpreter one, but it worked with another one!
I got it working with a meterpreter payload.
That's weird, I tried several different options and couldn't get it to work… I'll try again and see if it works…
I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?
I didn't upload WinPEAS, but I had a meterpreter shell and could just use the upload option.
Ah right, I forgot we could do that with Meterpreter…
There are a lot of ways you can send data to boxes though:
- powershell
- curl
- LOLBAS
- SMB
I didn't know about LOLBAS, thank you for the info. In my case HTTP was the easiest way of doing it, but I'll try the other options you mentioned.
(Session manipulation failed: Unmatched double quote). Do you guys know why?
Sounds a bit like a typo in the command, possibly failing to escape something.
You might be right, however I found those commands in articles explaining file transfers from Kali to Windows, so it's weird it doesn't work.
Have a nice day!
got user and root. Fun machine