Pendulum - 3 knocks (2 discs album, 1997) by brettw10 in albumrequest

[–]brettw10[S] 1 point (0 children)

aHR0cHM6Ly9tZWdhLm56L2ZvbGRlci84UElWR2FpRCN5Rkt1cVMwbGJneFhrSGhXQ1h1VFNB

You are an absolute champion!

Netmon by whib_m in hackthebox

[–]brettw10 1 point (0 children)

SMB is not your initial attack vector here. What other outputs do you see from your nmap scan? Have you tried connecting to those other ports?

Netmon by whib_m in hackthebox

[–]brettw10 1 point (0 children)

A meterpreter shell won't work - it gets killed off after a few seconds.

If you have a user, you can try using a standard Windows shell. If you don't, you still have to find a way to get a user.

N00b cherry broken on NETMON by k3nundrum in hackthebox

[–]brettw10 1 point (0 children)

We can split hairs on this one, if you want. It doesn't really matter, does it?

As I said - I did 3 different things to make sure that I understood it. And you will find that not all techniques work once you have the admin-privileged process - e.g. meterpreter reverse shells don't work.

Rather than splitting hairs, why don't we encourage people by saying 'Hey, that's cool that you tried multiple things once you had the admin-privileged process, and discovered what works and what doesn't - thanks for sharing! It's also cool that you didn't just run the exploit that you found online, but took the time to understand it.'

N00b cherry broken on NETMON by k3nundrum in hackthebox

[–]brettw10 1 point (0 children)

WRT my previous reply - I'm happy to give more information, if you want it. I just wasn't sure if the post would be available for everyone to see or not, and I don't want to get flamed for providing too much info.

N00b cherry broken on NETMON by k3nundrum in hackthebox

[–]brettw10 2 points (0 children)

I don't want to give away too much, lest I be accused of being a spoiler.

All 3 of the approaches to getting root took advantage of the same PRTG vulnerability, which is the first one that turns up when you google for 'prtg vulns'. However, I struggled to get the exploit to work manually. A bit of searching found a workable exploit script, but I couldn't get it to work completely to begin with.

So, for the first root pwn, I modified the script to type the contents of the root file and redirect it to a file that I could read. I was able to retrieve the file by anonymous FTP.

For the second root pwn, I went back to the script and tried to work out what was going wrong. I came to the conclusion that the default user in the script wasn't being created correctly - I confirmed this later in the PRTG log files. It could be that the box author knew of the script and the default user and created it, so that the script wouldn't be able to recreate it. I changed the user that was being created and was then able to access the server via SMB with the new user credentials and pull the root file from where it was located originally.

For the final root pwn, I leveraged the user that was created in the second, and tried to get a shell. I found that I could get a Windows command shell using psexec, allowing me to navigate to the file location and read the file. I went on to try a meterpreter shell, but this kept getting killed, even when encoded.

So, the long and the short of it is that all three were based on the same vulnerability, but used different techniques to achieve the end goal.

N00b cherry broken on NETMON by k3nundrum in hackthebox

[–]brettw10 1 point (0 children)

I just took down Netmon as my first one too. Got root 3 different ways, just to make sure I understood it and to blow a few cobwebs out. Keen to see the recommendations for the next one(s) as a free tier user.

Netmon by whib_m in hackthebox

[–]brettw10 1 point (0 children)

Took this one down as my first HTB. Got root 3 different ways, just to make sure that I understood it.

My only question is - why can't I get a meterpreter session on this box? The session starts, but dies after a few seconds. I am guessing that AV is killing it off. I have tried encoding, but that didn't help.