Official Love Discussion

Comments

  • After a lot of frustration (and hours of trying) I managed to get the root as well!!

    The thing is that I actually happened to open a win priv esc website at the correct chapter, and after checking some registry keys I knew what to do. BUT.. no matter what I did, it just didn't work. Among others, I tried everyone's favorite hacking console ;), which even said the target is vulnerable, but still wouldn't give me a session. I tried via cmd and powershell, but the furthest I got was an error message stating "The Windows I*******r Service could not be accessed. This can occur if the Windows I*******r is not correctly installed." I even started suspecting that someone is messing with this box, but a restart didn't solve the problem.

    After starting over from the very beginning I found out that there is actually another, very different way to get into the system as user!! This second route is a bit longer, but the correct one. Repeating everything here works like a charm. I can root the box using all of the above methods, none of which worked when accessing the system differently.

    So here is my question to you gurus: why doesn't the e*****i command (the last command, which gives the root) work on the same exact payload file planted in the system when the system is accessed via winrm? I did some studying and learned that this method executes in session 0, whereas the correct route executes in session 1. I am kind of guessing this relates to the explanation, as everything else looks the same (I have two meterpreter consoles open side by side and cannot find any other differences). Is someone able to explain this? Would appreciate it much, thanks :)

    ps. the rabbit hole was too deep!!

  • User: Just read the output of the nmap line by line, you will find another way. Now if you found this new place, see what things you can do with the tool/service present there. Try to access those things which are forbidden for you in the first place. This will give you a set of creds; be careful where you are using these creds.

    Root: This is the easy part. Try to "Elevate" yourself from user to admin. :wink:

    DM me for the hints.

  • @divyansc said:

    User: Just read the output of the nmap line by line, you will find another way. Now if you found this new place, see what things you can do with the tool/service present there. Try to access those things which are forbidden for you in the first place. This will give you a set of creds; be careful where you are using these creds.

    Root: This is the easy part. Try to "Elevate" yourself from user to admin. :wink:

    DM me for the hints.

    @divyansc Thank you man, you made me remember to read G******r output.. I got the creds, but couldn't log in, it said wrong pw.. but your "be careful where you are using these creds" made me remember I saw 2 of the same PAGES in dir discovery, and yep, it worked! Thanks for the nudge man, really needed it!

  • This is a fun box.

    It's nice to see a box where good, basic, steps work and it rewards following a pentest methodology.

    Big thank you to @pwnmeow for putting it together.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Need help priv escing to root. I got initial foothold and got the user flag (I didn't priv esc to user). This is my first time privescing on a Windows machine and I am lost in the sauce.

    Vibing Potato

  • @AstheticPotato said:

    Need help priv escing to root. I got initial foothold and got the user flag (I didn't priv esc to user). This is my first time privescing on a Windows machine and I am lost in the sauce.

    It's hard to give a hint here. If you are in the user account, the privesc is fairly simple - and can be found with some common enumeration (registry keys are always interesting).

    If you aren't in that account, you might still be able to do it - but I am curious how you got a shell in a different account. (Or do you mean you used the webservice to read the user flag rather than get "on the box" ?)

    TazWake

  • I got it, welcome to PM me

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    
  • Can anyone explain why winPEAS.exe is not working on this machine?

    Thanks

  • @VSOP said:

    Can anyone explain why winPEAS.exe is not working on this machine?

    Thanks

    It worked for me. What happens when you try to execute it?

  • It ran a few lines, showed All Microsoft Updates, and kicked me out of the machine when I executed it.

  • @VSOP said:

    It ran a few lines, showed All Microsoft Updates, and kicked me out of the machine when I executed it.

    Are you sure that it's not just that your shell is unstable? I used the "non-obfuscated any" version of winpeas, if that is any help.

  • @Jac0lius said:

    @VSOP said:

    It ran a few lines, showed All Microsoft Updates, and kicked me out of the machine when I executed it.

    Are you sure that it's not just that your shell is unstable? I used the "non-obfuscated any" version of winpeas, if that is any help.

    Yeah. I tried the same version as you and also tried winPEAS.bat too, but same issue. I used the php reverse shell from Ivan Šincek. I don't know what is happening.

  • @VSOP said:

    @Jac0lius said:

    @VSOP said:

    It ran a few lines, showed All Microsoft Updates, and kicked me out of the machine when I executed it.

    Are you sure that it's not just that your shell is unstable? I used the "non-obfuscated any" version of winpeas, if that is any help.

    Yeah. I tried the same version as you and also tried winPEAS.bat too, but same issue. I used the php reverse shell from Ivan Šincek. I don't know what is happening.

    I just tested again and the shell I am using is the "mini" version from the same guy. Everything worked as it should.

  • Getting stuck on the rev upload.. When clicking update the site doesn't respond, it just keeps loading until eventually a request time out occurs. I've reset the box and same problem. Any others experiencing this?

  • Bit of a tricky one, had to look into the forums and notice other players do one special thing in a subdir to see why my ev**-***m didn't allow me to do the privesc. Actually I still don't understand why it's like that, happy for an explanation.

  • @netbanger said:

    Getting stuck on the rev upload.. When clicking update the site doesn't respond, it just keeps loading until eventually a request time out occurs. I've reset the box and same problem. Any others experiencing this?

    Had 2 VPN instances running instead of 1. Worked immediately after I disconnected from the VPN that isn't needed lmao

  • edited June 5

    Okay, it just happened, I made a decision to ask some help on this box.... I got the user flag as user... Now I need to do some privilege escalation. Windows boxes are not my thing (yet). That's why I want to do this one.

    While reading the posts in this thread, I get the idea I took a different path. So let me explain a bit.

    I've performed a port scan and with those details I've decided to check the source code of the logon page. While using my Google-Fu skills I've found an S--I bypass which gives me access as a-----n on the a-----n page. Because it's a Windows box using a particular development language I was thinking about uploading a rev--- s---l and a n-.--e because of a known b---ss up---- exploit in this tool. Via this way I got the user P----e and the user flag. While enumerating the directories and files I've found the username and password for the user on the a-----n page, but I don't need them because of my earlier step... And another one for P----e.... but not sure if I can reuse this one and if I need this one as I am this user.

    Uploading winpeas.exe and winpeas.bat is working for me, but running them isn't... that part didn't give me any clue... So I decided to see if anyone had the same issues. While reading the posts before me I started thinking that I got another user account than others.... especially because I saw something about checking privileges, policies and a certain hint about "Windows I*******r is not correctly installed."....

    So I am thinking I walked another path and I am stuck... Can anyone help me get back on track again...

  • @eMVee said:

    Okay, it just happened, I made a decision to ask some help on this box.... I got the user flag as user... Now I need to do some privilege escalation. Windows boxes are not my thing (yet). That's why I want to do this one.

    Manual enumeration works well here. If you look at the hacktricks website, the steps you need are in there.

    Once you find the exploitable setting, the hints might make more sense to you. Then it's a fairly easy exploit.

    TazWake

  • @TazWake said:

    @eMVee said:

    Okay, it just happened, I made a decision to ask some help on this box.... I got the user flag as user... Now I need to do some privilege escalation. Windows boxes are not my thing (yet). That's why I want to do this one.

    Manual enumeration works well here. If you look at the hacktricks website, the steps you need are in there.

    Once you find the exploitable setting, the hints might make more sense to you. Then it's a fairly easy exploit.

    Okay, I've got the root flag.... but I used a framework which automates a lot of things and that's nice. However I want to do it manually as well.. One of the manual options I tried, but it didn't work. Probably my Windows skills, which suck... can I DM you about this?

  • edited June 6

    ugh...feels like I should have got user earlier...the comment by @anir08 set me on the right path...completely forgot about the configuration part. Also spent too much time on the ***i path, but the link in that post got me to where I could use what I knew. Make sure to take notes on all the machines you do...chances are you've already used this trick.

    On to admin access...hit me up if you need a nudge.

    Cheers

    update: got system...lots of good hints in the forum..thanks! Fun box!

  • edited June 6

    Hi. Not sure what I'm doing wrong. I have the user. I'm pretty sure I've found the way to privesc. My shell is very unstable and I cannot use the r###s /u###: command to execute anything. Any ideas what I'm doing wrong?

    Edit: I have a stable shell and I am a part of the "in" group, but still can't access the flag.

    EDIT: Nevermind. Tried harder and got it.

  • @eMVee said:

    can I DM you about this?

    yes

    TazWake

  • I just got user but it doesn't feel satisfying when I don't have a full understanding of why it worked. If someone has a chance to DM me and explain why 3 out of 4 shells (all using the same language) didn't work but the 4th one did it would be much appreciated. I almost gave up on that route because I thought it wasn't viable.

  • Been struggling on getting a foothold for a couple of days now. I found the secret area that everyone has been talking about by observing my map. I found a thing that just echoes back what you throw at it. However I don't know what to specifically throw at it to make it echo back what I want to know.

    Honestly a DM in the right direction would be greatly appreciated!

  • edited June 10

    Hi, I don't usually come over to the forums asking for help, but I am completely stuck trying to find the initial foothold. I've found the service everyone is talking about via the nmap output. I've tried enumerating the directories/files but most are forbidden. I also enumerated the ad**n directory using gob****r and I managed to read a file that showed a v***er ID, but I have nothing else and I'm completely stumped. If anybody has any good resources to read up on that will help me get through this blockage, it would be much appreciated.

    EDIT:
    No worries, I got some help from the Discord. I can't believe that I was so close but forgot to use something from my n**p.

  • edited June 12

    I found the box very finicky, so if what you think you are doing should work for root and it's not, try a reboot. After wasting a bunch of time, what I was doing worked the very first time after rebooting.

    heh, I hesitate to mention this because I don't want to lead anyone down a gopher hole, but I got user by changing stored info because I completely missed the easier intended method.

    Hilbert

  • Spent the whole night trying to get into it. Here are the hints

    User: If you're like me and looking into various services or injections, that's not the way to go (or maybe it is an unintended way who knows). Scan thoroughly, go through the results with a fine comb, maybe even adjust the normal flags you'd use in your standard nmap scans.

    Root: If you're using our pride and joy, metasploit, it's pretty easy to do, you just gotta ELEVATE the privileges.

    Fun box, loved it. If anyone is stuck please ping me, will reply in a few hours, have to go to sleep right now.

  • Fun box.

    User: Use all you have in scans.

    Root: With metasploit it's very easy to exploit; enumeration is key, as always.

    For any nudges DM.

  • That was so nice after a long break from HTB! Easy and fun box, but it's easy to get stuck on some rabbit holes. Feel free to send me a DM if you need a nudge
