Sniper

Michae1 · March 9, 2020, 1:58pm

I’m stuck on moving from user1 to user2. I have a reverse shell for user1, credentials for the da****** with a dump but I have no idea what these “credentials” for user2 are that people are talking about. I might need a nudge on the Po******** part here.

Watskip · March 10, 2020, 3:56am

@Michae1 said:

I’m stuck on moving from user1 to user2. I have a reverse shell for user1, credentials for the da****** with a dump but I have no idea what these “credentials” for user2 are that people are talking about. I might need a nudge on the Po******** part here.

Admins are often lazy and re-use credentials

MariaB · March 10, 2020, 9:38am

Rooted!
Actually root took me 5 mins after i realized that cannot do it without a Windows box on which to create what was needed .
Cool box in general.
The initial foothold was a lot of trials for me but in the end did it

MariaB · March 10, 2020, 9:40am

I had to create a windows VM but i guess we need it from time to time .

Michae1 · March 10, 2020, 12:54pm

@Watskip said:

Admins are often lazy and re-use credentials

Thank you! You just saved me hours of searching for something which doesn’t exist! On to the next part!

nando740 · March 11, 2020, 4:05pm

Ok, identified foothold vuln. Setted up a s** share with a py script, I see SNIPER connecting to it in the logs, but the dreaded 404 still persists.

EDIT: done. Permissions etc.

Ric0 · March 11, 2020, 6:02pm

SNIPER takes me down? error on sm****r or payload?

Can anybody DM me?

Ric0 · March 11, 2020, 7:08pm

Type your comment> @Ric0 said:

[] Incoming connection (10.10.10.151,50145)
[] AUTHENTICATE_MESSAGE (,SNIPER)
[] User SNIPER\ authenticated successfully
[] :::00::4141414141414141
[] Handle: [Errno 104] Connection reset by peer
[] Closing down connection (10.10.10.151,50145)
[*] Remaining connections

SNIPER takes me down? error on sm****r or paylod?

Can anybody DM me?

Fixed. I***t issue.

Ric0 · March 11, 2020, 8:33pm

Got reverse shell but is unresponsive. I used mv*** to generate injection. I stuck. Tried one-liners but have must missed some details.

r1ley07 · March 12, 2020, 12:11am

Just got user! Onto root

COLLECT · March 12, 2020, 5:55pm

I have reached out to numerous people on this forum to help with getting the initial foothold and have tried all of their suggestions but without success. I starting to wonder if I am somehow being blocked from getting that initial foothold. If anyone is wiling to help me get through this please PM me. I promise I have exhausted all tips and tricks but still cannot get “connected”

cyberafro · March 12, 2020, 6:40pm

Type your comment> @COLLECT said:

I have reached out to numerous people on this forum to help with getting the initial foothold and have tried all of their suggestions but without success. I starting to wonder if I am somehow being blocked from getting that initial foothold. If anyone is wiling to help me get through this please PM me. I promise I have exhausted all tips and tricks but still cannot get “connected”

Hum, weird, if you follow all tips, you should be ok

nando740 · March 12, 2020, 7:59pm

Stuck on user. At this point, I can generate a reverse shell from different methods. I have one idea, but can’t execute PS.

A nugget is appreciated.

Razzty · March 12, 2020, 9:53pm

Stuck on elevation from i*** to C****. Any nudge appriciated - I know about wi**m service working locally, but don’t have any idea to connect to it with found creds. PS C*M is blocking me and downgrade is not an option.

Watskip · March 13, 2020, 2:07am

@Razzty said:

Stuck on elevation from i*** to C****. Any nudge appriciated - I know about wi**m service working locally, but don’t have any idea to connect to it with found creds. PS C*M is blocking me and downgrade is not an option.

Think about a cmdlet that will allow you to call commands with the creds that you have

TeRMaN · March 13, 2020, 12:01pm

Guys please help me, i stucked root part. I create .c** file on my windows box. nc is listening, when i upload .c** file to C:\D**s directory i need to get admin shell but nothing happened. I tried 20-30 times

COLLECT · March 13, 2020, 12:34pm

I have my foothold. Thanks to ShellInt0x80 I was able to get in. Also thanks to cyberafro, nando740, Michae1, Ad0n, MariaB and VbScrub for getting back to me in my desperate time of need.

Watskip · March 13, 2020, 12:59pm

Type your comment> @TeRMaN said:

Guys please help me, i stucked root part. I create .c** file on my windows box. nc is listening, when i upload .c** file to C:\D**s directory i need to get admin shell but nothing happened. I tried 20-30 times

If You tried 20-30 times with the same payload to get a shell back, try first using a more simple payload to confirm that you do have code execution. After confirming that check if you can get a shell back using nc

TeRMaN · March 13, 2020, 2:27pm

Type your comment> @Watskip said:

Type your comment> @TeRMaN said:

Guys please help me, i stucked root part. I create .c** file on my windows box. nc is listening, when i upload .c** file to C:\D**s directory i need to get admin shell but nothing happened. I tried 20-30 times

If You tried 20-30 times with the same payload to get a shell back, try first using a more simple payload to confirm that you do have code execution. After confirming that check if you can get a shell back using nc

I’m trying on my Windows box but cant get shell. Trying some payload codes but nothing…

EDIT: Rooted thanks.

nando740 · March 13, 2020, 3:01pm

Phew Got user. Needed a lot of help.
Respects to @cyberafro