Official Buff Discussion

This is my first box ever to try, so I’m totally new to this. I can’t even figure out how to get the foothold. I’ve spent probably 20 hours working on this so far. I’ve done my NMAP scans, found the open port(s), done a bunch of googling about the exploit path I think I need to take, but I cannot figure out where I’m supposed to go from here. I’ve been through the html, found the reference to p******_l****.*** but can’t find anything that is usable to me on google. Any help?

@mokrunka said:

This is my first box ever to try, so I’m totally new to this. I can’t even figure out how to get the foothold. I’ve spent probably 20 hours working on this so far. I’ve done my NMAP scans, found the open port(s), done a bunch of googling about the exploit path I think I need to take, but I cannot figure out where I’m supposed to go from here. I’ve been through the html, found the reference to p******_l****.*** but can’t find anything that is usable to me on google. Any help?

The short answer is it depends - it is likely you’ve overlooked something.

Go back and look at everything you can find. If you find something which looks unusual google it.

If you find something that is exploitable, try using the exploit.

@TazWake said:

@mokrunka said:

This is my first box ever to try, so I’m totally new to this. I can’t even figure out how to get the foothold. I’ve spent probably 20 hours working on this so far. I’ve done my NMAP scans, found the open port(s), done a bunch of googling about the exploit path I think I need to take, but I cannot figure out where I’m supposed to go from here. I’ve been through the html, found the reference to p******_l****.*** but can’t find anything that is usable to me on google. Any help?

The short answer is it depends - it is likely you’ve overlooked something.

Go back and look at everything you can find. If you find something which looks unusual google it.

If you find something that is exploitable, try using the exploit.

Thanks for the encouragement. I need to take a break, I’m going blind staring at this for the last 6 hours, and at this point am completely lost. None of the standard php-type sql exploits are working, and I’ve looked through the html so many times there must be something I’m not seeing.

@mokrunka said:

Thanks for the encouragement. I need to take a break, I’m going blind staring at this for the last 6 hours, and at this point am completely lost. None of the standard php-type sql exploits are working, and I’ve looked through the html so many times there must be something I’m not seeing.

It is. When you find it you will laugh about this. Read everything again. Don’t try to overthink it. Don’t look for a vulnerability you can find. Look for information. If anything seems like you haven’t seen it before, google to see if it has an exploit.

If you are totally stuck DM me.

I’ve seen everyone else using plink.exe for the p*** ********g purpose, and after some messing around with my settings I too was able to establish a connection. However, I’m still not sure what I’m looking for app-wise. Going to keep searching around the computer, perhaps using PowerShell, for installed programs.

Very interesting learning experience reading about the use case of p*k.exe and the idea of reverse p ********g through ssh. Clever!

Okay, so on second thoughts maybe a nudge in the right direction might go a long way, if anyone is willing.

I’ve found C******e.exe running, but heavens knows where it is. I’ve not done much at all in the name of Windows privilege escalation so I hope these exploits aren’t too mind boggling haha

And then, this conversion one that people are talking about? No idea what that would be either, haha. Would love a walkthrough if anyone gets the chance once I’ve rooted the box.

@juL9M4hnAa5T said:

Okay, so on second thoughts maybe a nudge in the right direction might go a long way, if anyone is willing.

I’ve found C******e.exe running, but heavens knows where it is.

Have you looked in its default location?

I’ve not done much at all in the name of Windows privilege escalation so I hope these exploits aren’t too mind boggling haha

And then, this conversion one that people are talking about? No idea what that would be either, haha. Would love a walkthrough if anyone gets the chance once I’ve rooted the box.

Spoiler Removed

I tried using plink in Parrot OS but I see some fatal error about not agreeing on some key exchange. I am stuck here, can anyone help me on this?

@godhacker double check you have SSH set up on your machine to accept the connection.

@ishansaha007 said:

I tried using plink in Parrot OS but I see some fatal error about not agreeing on some key exchange. I am stuck here, can anyone help me on this?

double check you have SSH set up on your machine to accept the connection.

Hello, on root I have tried the exploit for the correct service after tunneling back many many times, but never seem to catch the shell. I get a connection and shell code runs and exits. I believe my shellcode is wrong and I have tried several different payloads. If someone could help me with a nudge on how to create the right shell code it would be greatly appreciated. I am using the well known tool but I believe with the wrong arguments.

@learning2911 said:

Hello, on root I have tried the exploit for the correct service after tunneling back many many times, but never seem to catch the shell. I get a connection and shell code runs and exits. I believe my shellcode is wrong and I have tried several different payloads. If someone could help me with a nudge on how to create the right shell code it would be greatly appreciated. I am using the well known tool but I believe with the wrong arguments.

The exploit I used had a comment with the exact syntax you need to make the shell code. All you have to change is the IP address and port.

@TazWake said:

@learning2911 said:

Hello, on root I have tried the exploit for the correct service after tunneling back many many times, but never seem to catch the shell. I get a connection and shell code runs and exits. I believe my shellcode is wrong and I have tried several different payloads. If someone could help me with a nudge on how to create the right shell code it would be greatly appreciated. I am using the well known tool but I believe with the wrong arguments.

The exploit I used had a comment with the exact syntax you need to make the shell code. All you have to change is the IP address and port.

I have tried three exploits and have only found two that work for Windows 10, and only one of those being 64-bit. I took this one and changed the payload to match the output from the syntax that it gives, but I can still only see it outputting the buffer. I think I am using the wrong exploit, but I have tried and edited three of them to no avail.

@ishansaha007 said:

I tried using plink in Parrot OS but I see some fatal error about not agreeing on some key exchange. I am stuck here, can anyone help me on this?

Had a similar issue and used the 32-bit version of plink :wink:

@learning2911 said:
Hello, on root I have tried the exploit for the correct service after tunneling back many many times, but never seem to catch the shell. I get a connection and shell code runs and exits. I believe my shellcode is wrong and I have tried several different payloads. If someone could help me with a nudge on how to create the right shell code it would be greatly appreciated. I am using the well known tool but I believe with the wrong arguments.

PM me, I’ve been through this kind of ■■■■ for so much time I was about to quit…

deleted

@daemonzone said:

@ishansaha007 said:

I tried using plink in Parrot OS but I see some fatal error about not agreeing on some key exchange. I am stuck here, can anyone help me on this?

Had a similar issue and used the 32-bit version of plink :wink:

This had me banging my head against the desk messing with config files on my machine and all sorts. THANK YOU. Again, it comes down to enumeration really, doesn’t it, because I should have known what the OS was (although I didn’t realise my plink binary was not the right one).

@daemonzone and @JonnyGill said:
@ishansaha007 said:

I tried using plink in Parrot OS but I see some fatal error about not agreeing on some key exchange. I am stuck here, can anyone help me on this?

Had a similar issue and used the 32-bit version of plink :wink:

Personally I added the old key algos to my ssh config.
Read: ssh - How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0? - Unix & Linux Stack Exchange (note: I had trouble getting the ssh service to restart with the longer version that added a whole host of other algorithms, but the singular one adding Diffie-Hellman worked fine)

The problem is caused by (presumably Parrot) and the fact that older key algorithms aren’t supported as well as they used to be, especially in 64-bit mode. I don’t know the specifics.

However, 32-bit plink.exe might work also.
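As an added illustration of the "can't agree on a key exchange" error discussed in the posts above (example code written for this edit, not posted by anyone in the thread): it parses an SSH KEXINIT offer as RFC 4253 lays it out and applies the negotiation rule, so you can see why a client that only offers SHA-1 Diffie-Hellman groups gets no match from a current server, and which deprecated methods your own sshd advertises once a legacy algorithm is enabled. The server and client offers are constructed samples and LEGACY_KEX is an assumed set, not taken from any real client or server.

```python
import struct

SSH_MSG_KEXINIT = 20
# Key-exchange methods OpenSSH has deprecated for weak groups/SHA-1 (assumed set for this example)
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}

# Constructed sample offers: a current OpenSSH-style server and a client that only speaks old methods
MODERN_SERVER_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256",
                     "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512"]
OLD_CLIENT_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
                  "diffie-hellman-group1-sha1"]

def _name_list(names):
    # SSH name-list: uint32 length followed by a comma-separated ASCII string (RFC 4251)
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, hostkey, enc, mac, comp):
    """Build a KEXINIT payload (RFC 4253 s7.1); used here only to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + 16-byte cookie (zeroed)
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, [], []):
        payload += _name_list(names)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as {field: [algorithm, ...]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out, pos = {}, 17  # skip message id and cookie
    for field in fields:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def negotiate_kex(client_kex, server_kex):
    """RFC 4253 s7.1: the first client algorithm the server also lists wins; None means no agreement."""
    return next((alg for alg in client_kex if alg in server_kex), None)

def legacy_offered(server_kex):
    """Audit helper: which deprecated methods a server advertises (an empty list is the healthy state)."""
    return sorted(set(server_kex) & LEGACY_KEX)
```

A real check would feed the server's actual KEXINIT payload (the binary packet payload after the version banner) to parse_kexinit instead of the built sample.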

@TazWake said:
@juL9M4hnAa5T said:

Okay, so on second thoughts maybe a nudge in the right direction might go a long way, if anyone is willing.

I’ve found C******e.exe running, but heavens knows where it is.

Have you looked in its default location?

I’ve not done much at all in the name of Windows privilege escalation so I hope these exploits aren’t too mind boggling haha

And then, this conversion one that people are talking about? No idea what that would be either, haha. Would love a walkthrough if anyone gets the chance once I’ve rooted the box.

Thanks for the input, I am looking for the default location but am coming up dry. I’ll spin the app up on a Virtual Machine to investigate further.

Update: According to the installer it should be in Apa\Ll\Pr******\C******\ but the folder Pr***** does not exist.