OSCP Journey Part 8

Day: -51
PDF: 90%
Videos: 95%
Boxes: 5

Well, I’m a bit more upbeat as I’ve put in a good amount of hours this week, though I would have liked to have done more. Work getting in the way of my learning! Anyway, I’ve just popped a Windows box and it was a real struggle, but I finally got there in the end. Anyway, just a blog while I’ve got the NT Authority\System horn. Here is some info I’ve used while popping this box:


Good resource: http://www.fuzzysecurity.com/tutorials/16.html

The difference between staged and non-staged payloads:

Staged = windows/shell/reverse_tcp: spawns a shell, then connects back to the attacker.
Try to use this one more… I think.

Non-Staged = windows/shell_reverse_tcp: connects back to the attacker, then spawns a shell.
Useful if bandwidth is an issue.

Once you are logged in with a low-privilege shell, list the hotfixes that have been installed and check whether any known exploits apply to the box.


A useful command I’ve come across to pull info about the box plus the proof file is:

echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

Sometimes, though, whoami or %username% won’t work (whoami is not present on a default Windows XP install). If that happens, run

tasklist /v

and look in the User Name column for the account your shell process is running as.
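The same info-gathering steps as an added batch script, not code from the original post: it falls back to %USERNAME% and tasklist /v when whoami is missing, and lists the installed hotfixes for the check mentioned above. The proof.txt path is the one from the post; the cmd.exe image name for the shell process is an assumption.

```batch
@echo off
rem Added example (not from the original post). Collects the box info the
rem one-liner above prints, with a fallback for hosts that lack whoami
rem (it is absent on a default Windows XP install).
setlocal

echo.
echo whoami:
whoami 2>nul
if errorlevel 1 (
    rem whoami not found: use the environment variable, then tasklist /v,
    rem whose User Name column shows which account each process runs as.
    rem The shell is assumed to be cmd.exe; adjust the image name if needed.
    echo %USERNAME%
    echo.
    echo tasklist fallback - check the User Name column for your shell:
    tasklist /v /fi "IMAGENAME eq cmd.exe"
)

echo.
echo Hostname:
hostname

echo.
ipconfig /all

echo.
echo Installed hotfixes - compare against the patch level of the box:
systeminfo | findstr /i "KB"

echo.
echo proof.txt:
rem Path taken from the post; 2>nul keeps the script going if it is absent.
type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2>nul

endlocal
```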

Side note: always set FTP to binary mode by typing binary before transferring. This stops anything you upload, e.g. nc.exe, from being corrupted.

Windows XP: add an admin user

c:\> net user /add rowbot rowbotpassword

c:\> net localgroup administrators rowbot /add

I need to learn more about post-exploitation, as in quickly grabbing anything of interest. If anyone can point me to a resource, that would be great.

Now to start the write up for this box.
