Official Love Discussion

Could someone DM with assistance. I need to understand what I am missing. I have the workings of the foothold, just unsure what exactly I should be targeting. Thank you in advance.

Edit: I played around a little more and got my start.

Edit Edit: Rooted. Priv Escalation is Easy Peasy.

Got user, enjoyed that, however struggling on PrivEsc.

Shell doesn't seem to be stable whatsoever. My mr shell doesn't even spawn, even with encoding, and the only successful shell has been a standard non-mr, but even that dies after a few minutes… any nudges? Don't need much, just a stable platform to start PrivEsc from.

Rooted

Can I DM someone? I’m still having issues… I have what I believe is what I need to proceed, but nothing is working…

Would someone give me a hand? I'm stuck in user. I've used dirb but I don't see anything, just several shells already uploaded that I don't know how to take advantage of.

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you are logging in to the correct website.

There's one that asks for the user id and one that asks for the username. Make sure you are logging into the latter one.

Finally rooted after a couple of days banging my head against the wall trying to find user.
Privilege escalation on the box isn’t exactly a walk in the park if you’ve never done Windows boxes before imo, but nothing extremely fancy either.

Either way, fun box!

DM if you need any nudges

Finally I got user and root. I spent too many hours trying to get the initial steps through the enumeration using S**F. From there, it was easy to get a shell, and the privesc was done by following the steps you can google easily for windows enumeration.

Pepe

@quantumtheory said:

@Ob1lan said:

@quantumtheory said:

I found Vote Admin Creds… but I’m not able to login with them??

Make sure you copy/paste correctly… Some pesky characters can follow sometimes :wink:

I get the same error whether I try pasting, typing manually, with/without the extra spaces, etc… Not sure how else to go about it really. Was thinking I just had the wrong creds, but I've seen elsewhere that the creds I found are indeed the correct ones. I dunno.

@quantumtheory I have the same problem, dude. I'm on the right page, right creds, I tried removing the !! part also, tried with hydra, tried curling, tried virtually every possible solution to this problem and it still gives me incorrect password, but I did l********:**00 like you, probably in the "secret" page for file checking… and man it won't budge, it's driving me nuts. It's 1AM and I work at 6AM and I still don't wanna go to sleep… ■■■■ my life :frowning:

After a lot of frustration (and hours of trying) I managed to get the root as well!!

The thing is that I actually happened to open a win priv esc website at the correct chapter, and after checking some registry keys I knew what to do. BUT… no matter what I did, it just didn't work. Among others, I tried everyone's favorite hacking console ;), which even said the target is vulnerable, but still wouldn't give me a session. I tried via cmd and powershell, but the furthest I got was an error message stating "The Windows Ir Service could not be accessed. This can occur if the Windows Ir is not correctly installed." I even started suspecting that someone was messing with this box, but a restart didn't solve the problem.

After starting over from the very beginning I found out that there is actually another, very different way to get into the system as user!! This second route is a bit longer, but it is the correct one. Repeating everything from here works like a charm. I can root the box using all of the above methods, none of which worked when accessing the system the other way.

So here is my question to you gurus: why doesn't the e*****i command (the last command, which gives root) work on the same exact payload file planted in the system when the system is accessed via winrm? I did some studying and learned that this method executes in session 0, whereas the correct route executes in session 1. I am kind of guessing this is related to the explanation, as everything else looks the same (I have two meterpreter consoles open side by side and cannot find any other differences). Is someone able to explain this? Would appreciate it much, thanks :slight_smile:

ps. the rabbit hole was too deep!!

User: Just read the output of the nmap line by line, you will find another way. Now, if you found this new place, see what things you can do with the tool/service present there. Try to access those things which are forbidden for you in the first place. This will give you a set of creds; be careful where you are using these creds.

Root: This is the easy part. Try to “Elevate” yourself from user to admin. :wink:

DM me for the hints.

@divyansc said:

User: Just read the output of the nmap line by line, you will find another way. Now, if you found this new place, see what things you can do with the tool/service present there. Try to access those things which are forbidden for you in the first place. This will give you a set of creds; be careful where you are using these creds.

Root: This is the easy part. Try to “Elevate” yourself from user to admin. :wink:

DM me for the hints.

@divyansc Thank you man, you made me remember to read the G******r output… I got the creds, but couldn't log in, it said wrong pw… but your "be careful where you are using these creds" made me remember I saw 2 of the same PAGES in dir discovery, and yep, it worked! Thanks for the nudge man, really needed it!

This is a fun box.

It’s nice to see a box where good, basic, steps work and it rewards following a pentest methodology.

Big thank you to @pwnmeow for putting it together.

Need help priv escing to root. I got the initial foothold and got the user flag (I didn't priv esc to user). This is my first time privescing on a Windows machine and I am lost in the sauce.

@AstheticPotato said:

Need help priv escing to root. I got the initial foothold and got the user flag (I didn't priv esc to user). This is my first time privescing on a Windows machine and I am lost in the sauce.

It's hard to give a hint here. If you are in the user account, the privesc is fairly simple, and can be found with some common enumeration (registry keys are always interesting).

If you aren't in that account, you might still be able to do it, but I am curious how you got a shell in a different account. (Or do you mean you used the webservice to read the user flag rather than getting "on the box"?)
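Added example, not code from the thread or from the box author: the "common enumeration (registry keys are always interesting)" nudge above, written out as a PowerShell function that reads a handful of registry locations that routinely matter for Windows local privilege escalation, and also reports which session the current shell lives in, since the session 0 vs. session 1 difference was raised earlier in the thread. The key paths are standard Windows locations; which of them, if any, applies to this box is left to the reader.

```powershell
# Added example (not from the original post). Run as the low-privileged user
# from whatever shell you have; it only reads, it changes nothing.
function Get-PrivEscRegistryHints {
    $hints = @()

    # Windows Installer policy: when this value is 1 under BOTH hives, MSI
    # packages launched by any user are installed by the installer service as SYSTEM.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $item = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $hints += [pscustomobject]@{ Check = "$hive AlwaysInstallElevated"; Value = $item.AlwaysInstallElevated }
    }

    # Winlogon autologon: a stored DefaultPassword is a credential, not a setting.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $pw = $null
    if ($wl.DefaultPassword) { $pw = '<present>' }   # never print the actual value into a log
    $hints += [pscustomobject]@{ Check = 'AutoAdminLogon';  Value = $wl.AutoAdminLogon }
    $hints += [pscustomobject]@{ Check = 'DefaultUserName'; Value = $wl.DefaultUserName }
    $hints += [pscustomobject]@{ Check = 'DefaultPassword'; Value = $pw }

    # Session context: services (and WinRM/PSRemoting shells) live in session 0,
    # interactive logons in session 1+. Some escalation paths care about this.
    $hints += [pscustomobject]@{ Check = 'SessionId'; Value = (Get-Process -Id $PID).SessionId }

    # Who we are right now, so the output is self-describing in a notes file.
    $hints += [pscustomobject]@{ Check = 'WhoAmI'; Value = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name }

    return $hints
}

Get-PrivEscRegistryHints | Format-Table -AutoSize
```

A blank Value means the key or property is absent, which is the expected, safe state; anything non-empty is worth reading up on before acting on it. Running the same function from two different shells (for example a WinRM session and an interactive one) and comparing the SessionId line is a quick way to confirm the session 0 / session 1 difference discussed earlier in the thread.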

I got it, welcome PM me

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


Can anyone explain why winPEAS.exe is not working on this machine?

Thanks

@VSOP said:

Can anyone explain why winPEAS.exe is not working on this machine?

Thanks

It worked for me. What happens when you try to execute it?

It ran a few lines, showed "All Microsoft Updates" and kicked me out of the machine when I executed it.