Remote

1202123252635

Comments

  • edited April 2020

    Have user, and have REMOTE service password in clear. No idea what to do from here? I can't connect to the REMOTE service, so not sure how to leverage that password. Anyone able to nudge me in the right direction?
    EDIT: Have Root via another method but would love to know the method via the REMOTE service

  • i got hash but i am unable to crack it. I am using rockyou.
    A little nudge will be helpful.

    s1lv3rst4r

  • Type your comment> @s1lv3rst4r said:

    i got hash but i am unable to crack it. I am using rockyou.
    A little nudge will be helpful.

    Try using an online cracker for the hash

  • Type your comment> @Tatik said:

    python3 exploit.py -u a***********l -p b************** -i 'http://10.10.10.180' -c ipconfig

    url_login = host + "/u********/#/l*****"
    loginfo = { "username": login, "password": password}
    s = requests.session()

    url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
    r3 = s.get(url_xslt)

    Traceback (most recent call last):
    File "exploit.py", line 59, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']

    my computer clock is the same as the system clock.

    Stop uploading active machines to youtube. You should get banned

  • edited April 2020

    U****c - c** r. >*.**t from P****U* am I on the right track any nudge pls

  • Hey guys , need a liitle nudge for root ..

  • Type your comment> @MacCauley said:

    Type your comment> @Tatik said:

    python3 exploit.py -u a***********l -p b************** -i 'http://10.10.10.180' -c ipconfig

    url_login = host + "/u********/#/l*****"
    loginfo = { "username": login, "password": password}
    s = requests.session()

    url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
    r3 = s.get(url_xslt)

    Traceback (most recent call last):
    File "exploit.py", line 59, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']

    my computer clock is the same as the system clock.

    Stop uploading active machines to youtube. You should get banned

    WHAT?

  • Stucked trying to root. Got the user and identified the TV. Any hints in how to escalate?

  • Anyone have a hint on getting payload to call back? I have found ways to upload and run commands. Just cant seem to get the shell.

  • Type your comment> @Tatik said:
    > python3 exploit.py -u a***********l -p b************** -i 'http://10.10.10.180' -c ipconfig
    >
    > url_login = host + "/u********/#/l*****"
    > loginfo = { "username": login, "password": password}
    > s = requests.session()
    >
    > url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
    > r3 = s.get(url_xslt)
    >
    > Traceback (most recent call last):
    > File "exploit.py", line 59, in <module>
    > VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
    >
    > my computer clock is the same as the system clock.
    >

    problem solved. thanks Ja4V8s28Ck
  • I'm stuck at Payload section, I am able to send limited and one line command to machine. But can't got next step. I tried everything I know, Can someone give me hint ?

  • Rooted using ........c way. Was not able to figure out T**** way.
    User - the most difficult part, took me few days and a lot of try and errors to get it right...
    Root - ****c service is pretty strightforward. windows priv esc, read it up.

    Thanks for an interesting machine! learned a lil bit of PS lol

  • edited April 2020

    Hello there, i've got a problem in the user part
    Found a payload and tried it, it works i can upload nc into the machine but the reverse shell just refuse to get good, if someone got the same problem please
    Edit : nevermind i found a better exploit

  • edited April 2020

    Rooted!

    C:\Windows\system32>whoami
    nt authority\system
    

    Box was easy BUT My connections was dropped every time. I also migrated to another process and still DROP!
    a Few moments Later got Admin priv. Navigated to Admin home folder. There is no root.txt. Ok, Open Desktop folder and... FREEZE! Only in next day I got root.txt file...

    Kirzaks

  • REMOTE Rooted .. really interesting machine, I had to fight in real time with other attackers to compromise services and get to root .. Woow

    Hack The Box

  • can't believe how much harder I made this lol.
    That was so easy in the end. lol /facepalm

  • Rooted!
    Hints:

    User: 1) It's all about sharing.
    2) Think configs, configs everywhere... important information stored in the relevant
    file.
    3) Searchsploit and Github are your friends.

    Root: 1) Microsoft is all about service delivery and "users on the net".

  • for Root..
    try using power. It will help with something and google will help later.

  • i need help with root, i am using a nishang rev shell, msf generated exe shell didn't worked for me and enumeration bat files are not working, kindly help.

  • Rooted..!
    USER: Services says alot, looks closely and learn about them, see what you can do to get some files! reads everything!
    ROOT: With stable shell you can do things faster, look for the services running and search the net!

    All the hints are in the recent comments!

    If need any help, feel free to DM! :smile:

  • edited April 2020

    Could I please get a hint with privesc? I have user and I see the TV service but not sure what to do with it. And not able to find the u....c service as mentioned here in the forums. Please DM with a nudge. Would be much appreciated. Thank you.

    Edit: Got root using u........c. Would be interesting to know TV way.

  • edited April 2020

    i don't find u....c service but i can find TV service with version

    Edit : got root with TV service. easy when msf is your best friend.
    DM if you stuck.

  • rooted.
    fun box, very easy.
    user: everything is in plain sight once you get it.
    root: enumerate and get the low hanging fruit

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • Spoiler Removed

  • edited April 2020

    So I managed to get user shell and user.txt.

    Was hanging out with the power rangers and was informed of potential usage of u******c method to get root but when they recommended the way I should use the command, i receive no cat shell. If I pull out the terp, I get a shell for a quick sec and then it dies, no time to fly to a new direction either.

    Also I know there a TV I can use and was trying to do as an alternative since the first way has been giving me issues, and doing some research I cant for the life of me find anything relating to it.

    Can anybody give me a nudge on my issues with my first method or for my alt method? If its too much, please DM me if you can.

    EDIT: Nvm got root, looks like my vm had an issue and i was not flying fast enough. Thanks for the tips guys!

  • Hey folks i am having a real hard time with the T* service is there someone that could maybe just give me a nudge in the right direction?

  • edited April 2020

    Spoiler Removed

  • edited April 2020

    Rooted! Interesting box! Learned a lot about windows privesc and still need to learn more! Thank you @mrb3n it was really good for a n00b like me. Feel free to PM for help!

  • Hi, I could use a little help for root. I've found the TV service but don't find a way to use it...

Sign In to comment.