I'm using off-the-shelf code to get root. It requires me to make a DNS query, which I do using nslookup, but nothing happens (the code is not executed upon the query). I have uploaded everything to the target.
Any hints? I can elaborate further in P…
I have the foothold but I can't escalate to user. I have 2 passwords. I am using PowerShell to escalate to an elevated reverse shell, the same way that worked for Sniper; I have tried variations also, but no use. I get the following error.
Connecting to remote serve…
I have been stuck on root for way too long. I have the output from dog and I can see some kind of path. But the recommended exploitation paths don't work on target.
Can anyone please PM with some hints? Very new to AD.
@bipolarmorgan said:
I tried both PS and regular cmd but dog doesn't give me anything. No zip or JSON file is created. I got the pre-compiled dog from the hub.
What am I missing?
I am onto root, I can see the odd process, but I can't execute it, download it or dump it. Is there some other way to interact with it that I'm missing?
Edit: Found what to do with it (thanks to @keyos1), but I can't forward anything to me, as so…
@HAL9000B said:
I tried the priv esc via database but got stuck at copying the shared lib into the right dir. Got errors. I am not sure why. I wrote to @askar to ask about it. Waiting to hear back.
However, I haven't found …
First question: what kind of enumeration does one need to perform to get to blog?
Second: I know the basic idea for initial foothold, so should I manipulate the strings inside msf rev shell to bypass y*** r****? Is this the right direction?
Finally rooted. Turns out I wasn't using sudo with the correct script xD;
- Do use sudo
- Use absolute path
- You don't need another reverse shell
- Try replicating the $y=$x scenario in your shell.
PM for help.
Big thanks to @cyberpat…
Ok, this box is weird. I have the new username and all passwords. According to one of the aux scanners, one login combination works fine but it fails while using any WinRM shells.
Am I missing something obvious here?
I have the exploit working on my local machine. I believe the issue with the remote exploit is the fixed offset to string b****h. But I am stuck as to how to retrieve the correct offset, especially when the application does not send errors over the socket.
I have been trying to crack the password for b****.**g but hashcat shows no progress. It stays stuck at 0% forever. I have even tried to generate a subset of relevant words as suggested by @MinatoTW. But hashcat is not trying any of them. I am using…