finally rooted! user was honestly a lot harder than root imo, since the steps to it are pretty vague.
User/foothold: Enumerate like you usually would; at some point you should stumble across something that will vaguely point you in the right direction. Now do some google fu. If you're like me, make sure not to be lazy at reading and researching; you'll only waste your time if you copy something without understanding it.
root: Enumerate the target machine as usual. You might stumble across something that will give you deja vu. If not, look at what's being used on the machine and what ports are open, and google some stuff again. Once you connect the dots, privesc is pretty straightforward and is the easier part of this box imo.
After a painfully long time I finally rooted it. A lot of it has to do with the fact that this is the first Windows box I've attempted in months, but it's still fairly difficult if you're unaware of what you're supposed to be looking for.
Tips for user: This one came to me fairly quickly, not sure if it was blind luck or what, but it's fairly easy to come by during your usual enumeration checklist. It may seem like a far reach to begin with, but doing a bit of googling will show you exactly what you need. In my case it was the first search result.
Tips for root: Honestly, without a sanity check from a helpful user I probably would've ignored this or left it until last. As previous people have mentioned, this service is sending outbound connections; that information tied with a short winpeas search will hopefully give you all you need. It may take you a hot minute to figure out what to do with what you find from that service, but enumerating some common places in the user folder will lead you to your answer.
I'm stuck on the foothold and would appreciate some help… I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and mi/h***r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports, I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o, and -e when encoding.)
Would any of you know what could be the cause?
Thank you and happy hacking!
When getting the foothold, you may have to play with the .**l file a bit. Don't just follow the POC. Understand what the real vulnerability is. Then make your own exploit. Remember what a "null byte" is and that you have to remove bytes like them.
I just got user and I was having the same issues as you about the rev shell not happening. It turned out to be something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.
If still stuck let me know.
Pepe
Hi @pp123, thank you for your answer! Well, I've been following the article from the start… My file contains a " â " in its name, as indicated in the article. I also tried to exclude bad characters from the payload as suggested by @kavigihan, but it doesn't work either.
I'm starting to wonder if the issue could come from Metasploit, because I had warnings when using mv*m (due to a recent ruby gems update I think). I resolved those warnings by tinkering with commands, but there may still be a problem…
At this point I'd be grateful if someone could just PM me their command to generate the payload.
Thank you!
Edit: I got it! It worked with another payload… I was blindly following advice to use a meterpreter one, but it worked with another one!
I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?
I finally found a command that works, but I ask out of curiosity. Prior to finding that command, I tried various PowerShell and "normal" Windows commands containing quotes in them and they all crashed my reverse shell (Session manipulation failed: Unmatched double quote). Do you guys know why?
Also, what .exe do you use? I just tried with x64 but it doesn't work (that's what I used in my msf***** payload).
I got it working with a meterpreter payload.
That's weird, I tried several different options and couldn't get it to work… I'll try again and see if it works…
I didn't upload WinPEAS, but I had a meterpreter shell and could just use the upload option.
Ah right, I forgot we could do that with Meterpreter…
There are a lot of ways you can send data to boxes though:
powershell
curl
LOLBAS
SMB
I didn't know about LOLBAS, thank you for the info. In my case HTTP was the easiest way of doing it, but I'll try the other options you mentioned.
(Session manipulation failed: Unmatched double quote). Do you guys know why?
Sounds a bit like a typo in the command, possibly failing to escape something.
You might be right, however I found those commands in articles explaining file transfers from Kali to Windows, so it's weird it doesn't work.
Rooted!
Very cool machine to make, I love Windows machines and the experience gained when trying to hack.
User: Enumerate and use google to find interesting things.
Careful when creating the pieces necessary for exploitation; I hit my head and lost hours due to lack of attention.
Root: First time I've done a machine where root is easier than user.
Feel free to send a PM in case you need help; if I don't respond immediately you can call me on telegram @WhoamiAlves
GET /l*****.**l HTTP/1.1" 200
But it never spawns my reverse shell…
Any help?
user done!
But holy, how slowly this machine works, wtf
Exactly how slowly? I've been waiting for about half an hour. My M*********r session opens and closes, and the .**l file has been ingested.
Yeah, me too mate, every command that I write takes like 10 secs to execute. If I try to download something with powershell it's impossible because the download never ends… I don't know what's wrong with this machine
Cheers. It's gotten worse ten hours later. I think this box is getting hammered by folks trying to get it before it retires tomorrow. Reckon I'll move on and forget about this one for points and CPEs. Onward!