Finally got root, but more through trial and error than anything else. Could anyone else PM their enumeration process for the vulnerable service? Not sure if there’s a systematic way people are finding it or just luck/bruteforce.
Me too. Although I can write a pseudo script which can find that service, and I have found the instructions needed for the implementation, I have no practice in PowerShell.
The privilege escalation phase (including discovery) is superb. Thanks @TRX.
Can someone pls PM a nudge on initial foothold? I just have the PHP files wfuzz found; I believe a***n is the way to go but I can’t wrap my mind around it.
As usual enumeration is the key factor. There is information a little hidden, and another which sticks out a mile. You should join them.
Alright y’all, i’m a bit stuck on root. I have found C******_h******.txt with some old ps commands which I re-ran to see what it reveals. I can’t seem to find any info on how to manipulate the registry in a way that benefits me. hklm:\s*****\c****************\control seems interesting but still unsure what to do here. Never used the reg like this. Can someone drop me a PM?
For those who will ask me about user/initial foothold, just do a lot of my*** research and how to write to files. LMK if there is too much info disclosed in this comment plz. THX
I have a low priv shell and I’ve found something interesting that I’d like to tunnel to my external box, but I can’t seem to get p***k or the two-letter tool working.
I have the foothold but I can’t escalate to user. I have 2 passwords. I am using PowerShell to escalate to an elevated reverse shell; the same way worked for Sniper. I have tried variations too, but no use. I get the following error.
Connecting to remote server FIDELITY failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x8009030d occurred while using Negotiate authentication: A specified
logon session does not exist. It may already have been terminated.
Possible causes are:
....
And a bunch of other stuff
Any nudges? Feel free to PM, I can share what I have in more detail.
Same here, PM for help pls
I wasted a few hours with this thing … (but got user now)
one hint for this: domain
thanks… that really helped!!!..
but i didn’t get a fully working ps-session…
only invoke-command+script-block worked to get me the user-flag…
Hint for PS: remember an earlier hint in this forum about a video… and you can create a fully functional session…
Rooted! What a ride this box has been. Thanks a lot @ale98 for the nudges that helped me get there.
Some general guidance for once you get a shell: Windows Defender is watching. Try to think about how you can cleverly get files onto the box - smb may help, but impacket-smbserver may not be enough. As always, netcat is a lifesaver - in more ways than one…