#junior-pentester-path
Gave +1 Rep to @idle bison
@steel nymph thanks
Hello
HELLO
Hi.
hey
Hi guys. I don't understand a certain Windows Privilege Escalation technique. It is about "Unquoted Service Paths". As a negative example, a service
sc qc "disk sorter enterprise"
is listed. Since the name of the folder "Disk Sorter Enterprise" contains spaces, the command is said to be ambiguous.
The SCM tries the following 3 commands in turn. My question: Why is it ambiguous? After all, that is exactly why they are in quotes.
If I wanted to attach the arguments, I would have thought one would write it that way:
sc "disk sorter" enterprise
I'm a little confused by that.
sry, I don't understand your question
It is the service name
sry I haven't quite figured it out yet. So once we have the service path and the service name.
sc asks (to my knowledge) for the service name.
SCM is now trying to find the service path?
But based on the service names, right?
When I type sc qc "disk sorter enterprise", why would SCM look in C:\MyPrograms\Disk.exe?
I understood that pathname and service name are not the same. But then where is the connection between them?
omg, you just opened my eyes in something!
I thought it was the quotes in the sc qc command. It is the quotation marks in the BINARY_PATH_NAME.
i focused on the wrong quotation marks.
@steel nymph Thank you
Gave +1 Rep to @steel nymph
just got my tryhackme Jr pentester certificate! course was great
Windows privesc was the hardest part but very important. I needed to do some windows fundamentals rooms first
I am currently on the Windows privilege chapter "SeTakeOwnership" where utilman.exe is exploited. The following steps:
- we take ownership of utilman.exe
- we set the permission of utilman.exe to (F), Full Control, so that our user has full rights to it.
- we overwrite (cmd command copy) utilman.exe with cmd.exe.
Why did the overwritten utilman.exe (which is really the CMD) take the settings from the previous utilman.exe? The rights are (F). Shouldn't it normally have the permission properties of cmd.exe, because copy?
I have a hunch. Copy creates a copy. However, if a file with the name already exists, then Copy overwrites the contents. Is that correct?
Because I thought that instead of overwriting the file contents, copy would delete the old file and then create a new file.
if you copy cmd.exe to cmd.exe, then it overwrites
same with utilman.exe
i think the Ease of Access button on the Lock Screen starts Utilman as SYSTEM, so when you copy cmd.exe over Utilman.exe you trick SYSTEM into opening cmd.exe as SYSTEM
and get all the Loot!
yes, thanks
Gave +1 Rep to @tidal belfry
I finished my Jr pentest path now, too. Incredible knowledge and mass of fun! ❤️
learned a lot from Jr pentester really cool path
What will be your next mission?
i did web fundamentals path > jr pentester (just finished a few days ago) > now starting offensive pentester path
what you doing next boxes or taking a path
I will harden my previous knowledge. I have made my own notes on each module. Repeat and crack machines at my level.
Added the shebang, still the reverse shell won't execute
What are the permissions of the file you want cron to execute ?
it's antivirus.sh. I did do chmod +x to it
Where is your antivirus.sh located ?
/home/karen
Then check the crontab again, /home/karen is not in the PATH variable for the crontab
Thus it's not looking in /home/karen for it for the cron job that hasn't specified a path for antivirus.sh
but then I don't have the permission to create an antivirus.sh file in the root, where the cronjob would run. Unless we're talking about another fi....ouuuuh! Got it. Thanks star!
Gave +1 Rep to @shadow echo
Hello
anybody know if the jr pentester path gives you the skills for the eJPT certification?
Hi
I'm on the linux privesc part and noticed that in the PATH section when the gcc is done, the user doing it is root. but unless I'm mistaken we're trying to get root access at this point.
So am I missing something or is this part a bit misleading ?
Ok, ok. no problem. I was still able to do it. I'll try my hand at the Capstone Challenge now
hi
i'm confused about the difference between search and searchsploit in metasploit
what do they each refer to?
searchsploit is a cli tool which can be used without msf, search is specific to the msf console
so they are the same if used in the msf console, right?
probably 🤷‍♂️
searchsploit searches for the vulns and shows the associated script that you can use. so e.g. you can search for CVE xxxx and it will give you something like 6574654.py, then you'd do searchsploit -m 6574654.py to download and use it
SEARCH is for msf; it just searches the CVE and is an injection for vulns telling you what it does
so you'd search "blue" or "apache 2.x.x" and it'd list all the vulns and what they do and let you set up options instead of using the py scripts
ohhhh i got it
Can anyone help me with jr penetration testing rooms > windows privilege escalation > task 6 abusing dangerous privileges
How do I deploy this machine? The task is related to windows, but when I start the machine in that room and start the attack box it gives me a linux machine
The attackbox is not the target
Not all rooms have in browser access
And in task 7 of the same room I am not able to run the script after adding the user pwnd
net user pwnd SimplePass123 / add & net localgroup administrators pwnd /add
I am using this command in powershell
-warn @opal hawk Do not send unsolicited direct messages, it is against rule 1 of the discord
Warned Akbar Khan#6138
Ok sorry, I wasn't aware