Remote

Comments

  • edited May 2020

    Hi all, got a bit stuck on the user part... I've found a lot of things and now I try to get the POC 46**.y working. I changed the basic information to the target and I tried to run it.

    After running it, I get the next error:

    VIEWSTATE = soup.find(id="_VIEWSTATE")['value'];
    TypeError: 'NoneType' object is not subscriptable

    (and yeah 8 coffees won't help anymore after working a few hours on this part....)

    not sure what the error means if I did not change other parts... Something wrong with the POC?

  • Finally Did remote with u****c way
    want to know about TV way.

    s1lv3rst4r

  • ROOT! Although this machine is very simple, I would give it medium because the shell I got is very limited: there is NO error message... I wasted so much time on some detail issues :-(

  • rooted

    got my way to the root using the U****c method

    could anyone pm about the tv method?

  • Pleaseeeee someone ping me!!!! I am stuck with the root, I can not create a new user and I can not execute the reverse shell from powershell!! I already reset the machine a couple of times but nothing, it's incredible.... everyone says "it's working" but it is not working for me and we are doing the same command for sure because it is not a difficult command, as I said, please send me a message!!

  • Got user. If you're struggling with the exploit - it didn't always work for me. I ran a payload, it worked and literally 3 minutes later it didn't so don't give up if it happens to you as well. Also the box hasn't been too stable recently (on EU1 at least). Some douchebag would change the password every now and then but just reset the box if it happens again.

  • Guys, I'm not able to get an initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

  • @X3522A said:

    Guys, I'm not able to get an initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

    As you already should know, there is no plain text password inside the files, but inside one of the most important files (you can read just partial information from this file) you will find a user followed by the hash.

  • for getting User, Enumerate well...after that..check the portal..its a product...it can have known flaws
    For Root...I see there are two ways to get it...the remote one worked but the other one didn't work for me. Overall a good box...PM me for nudges if you are stuck

  • Hey guys - literally stuck on root.. can someone give me a nudge ?
    I have a PS reverse shell, based on MSF with user but all outputs / errors whatever are suppressed in that reverse shell.. would be great to have a nudge for root

  • edited May 2020

    Amazing machine.

    Hints,
    User: Follow the leads and google a particular type of file. Don't overthink it, a single command like strings can help.

    Root: Even easier, try many things after the initial foothold holds your hand and tells you where you have to go.


    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:bfff%13

    c:\Users\Administrator>whoami
    whoami
    nt authority\system

    Hack The Box

  • edited May 2020

    I'm running across the VIEWSTATE error with the PoC. I understand that it's a clock sync issue but I can't seem to get it resolved as when I try to sync I'm getting

    no server suitable for synchronization found

    Would anyone be able to lend a hand?

    Edit: If you're having issues with this, make sure with the part you change in the PoC that you are looking at the rest of the exploit and aren't putting in something that will be added later.

  • edited May 2020

    OK, I was able to get root, but only because one of the tips led me to the right service. My question is this.... can someone explain how I would have zeroed in on that service in the first place. I checked the service path and there is nothing unusual and when I look at the service permissions I don't understand why the user shell I get is able to modify it. The most inclusive group in the permissions is Authenticated Users....I thought the user associated with the initial shell was excluded from that group. Would someone be willing to PM me with some details (or a link to an article)

    (A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)
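
The security descriptor posted above, decoded per trustee; this is an added example, not part of the original post or of any tool mentioned in the thread. It maps the two-letter SDDL rights onto service access rights and lists trustees outside an expected set that hold configuration-control rights; the names `parse_aces`, `audit` and `EXPECTED_TRUSTEES` are hypothetical, and the expected set is an assumption made for this example.

```python
import re

# Two-letter SDDL access rights as they map onto service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that allow reconfiguring the service or rewriting its DACL/owner.
CONTROL_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Trustees expected to hold them (a policy choice assumed for this example).
EXPECTED_TRUSTEES = {"SY", "BA"}

# The descriptor exactly as posted in the thread.
POSTED_SDDL = (
    "(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)"
    "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)"
)

def parse_aces(sddl):
    """Return [(ace_type, trustee, [right names])] for every ACE in sddl."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.lower().startswith("0x") or len(rights) % 2:
            raise ValueError(f"only two-letter rights are decoded: {rights}")
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, trustee,
                     [SERVICE_RIGHTS.get(c, "UNKNOWN_" + c) for c in codes]))
    return aces

def audit(sddl):
    """Map each unexpected trustee to the control rights an allow ACE grants it."""
    findings = {}
    for ace_type, trustee, names in parse_aces(sddl):
        held = CONTROL_RIGHTS.intersection(names)
        if ace_type == "A" and held and trustee not in EXPECTED_TRUSTEES:
            findings.setdefault(trustee, set()).update(held)
    return {t: sorted(r) for t, r in findings.items()}

if __name__ == "__main__":
    print(audit(POSTED_SDDL))
```

In the posted descriptor, SERVICE_CHANGE_CONFIG (DC) appears only in the SY and SU entries; SU is the SDDL alias for the service logon SID, and the AU entry carries no change right.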

  • @CyberG33k said:

    OK, I was able to get root, but only because one of the tips led me to the right service. My question is this.... can someone explain how I would have zeroed in on that service in the first place.

    Depends on what you went for to root the box.

    If you went for the intended route, this is discoverable through enumeration and should stand out (certainly with experience it will). If you went for a slightly different approach, again, the characteristics of the service are unusual which should draw attention.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • guys, im having some problems here, i already know the "U****c" exploit for the root but when i run the ******-abuse and the command, i didn't get anything, ive been struggling with this for 5 fkn hours. my head spins when i write this now :)

    any kind of help will be appreciated

  • I'm really struggling with opening up a specific file I found on the s***_b******. It keeps giving me errors when I try to open it locally on my attacker box. Any ideas how to enumerate it correctly? Or am I going the wrong way?

  • @bigfatpig said:

    guys, im having some problems here, i already know the "U****c" exploit for the root but when i run the ******-abuse and the command, i didn't get anything, ive been struggling with this for 5 fkn hours. my head spins when i write this now :)

    any kind of help will be appreciated

    I have been stuck at the same point for hours, too. Could you already solve it?

  • @redbird said:

    @bigfatpig said:

    guys, im having some problems here, i already know the "U****c" exploit for the root but when i run the ******-abuse and the command, i didn't get anything, ive been struggling with this for 5 fkn hours. my head spins when i write this now :)

    any kind of help will be appreciated

    I have been stuck at the same point for hours, too. Could you already solve it?

    Got stuck there for a while too, i think that route has been patched. Had to do it the other way.

  • edited May 2020

    After a nudge please. Managed to get final password via the T******** service. Can't seem to login anywhere, even at that high port. Evil tool doesn't work either.
    Thanks!

    EDIT: Argh, user error on my part. Got root.

  • Hi everybody! I'm stuck on privesc from the last week. Powershell works 1 time outta 10 and the vm keeps resetting. I've tried abusing U****c but it's now working, at least I don't get the reverse shell execution... So I tried also with T********r-S*****e. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can't see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T********r 7 password and someone has been able to do it... can someone please point me in the right direction???

    |GPEN|CEH|eJPT|CySA|

  • edited May 2020
    @waldemaro said:
    > Hi everybody! I'm stuck on privesc from the last week. Powershell works 1 time outta 10 and the vm keeps resetting. I've tried abusing U****c but it's now working, at least I don't get the reverse shell execution... So I tried also with T********r-S*****e. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can't see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T********r 7 password and someone has been able to do it... can someone please point me in the right direction???

    A Google search for that exact thing you are trying to extract, should give you all you need ;)

    Hack The Box
    GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

    Currently busy with AWAE

  • edited May 2020

    @HomeSen said:

    @waldemaro said:

    A Google search for that exact thing you are trying to extract, should give you all you need ;)

    waldemaro is spot on, have just completed the same google search and then escalation from there in the last hour. It's specific to T********r 7.

  • yes, maybe I'm not able to search things on google... Before asking, I found c++ or python scripts (no python installed on remote), msf modules that are not working, without mentioning that all the PoC videos that I've found are for version 13 and 14... the only CVE I've found is dated 2019...

    |GPEN|CEH|eJPT|CySA|

  • edited May 2020

    ROOTED FINALLY! After a short little rage here at home I finally figured out a way to transfer files to the box using the PoC. I dropped my veggies got root 5 minutes later. Jesus this box was a pain in the ass. User took me ages but root was easy peazy.

    Alright, I'm here again to help my fellow warriors. If you need a nudge please PM and mention which box you're trying to pwn since I got many PM's on boxes I did recently.

  • rooted!
    https://media.tenor.co/videos/6ed80590a4d0b91b0198e112cf3afd94/mp4

    thanks to @HomeSen for pointing me in the right direction

    |GPEN|CEH|eJPT|CySA|

  • edited May 2020

    User:
    Always scan all ports, the more information the better.

    Root:
    I did the T******** exploit I found to get creds, but I wasn't able to find where I could use that. Instead used a standard Windows priv. esc. tool. After that ran into the shell issue people talk about throughout there, my workaround for this required a bit of waiting to get what I wanted.

    This box was a lot of fun. Thank you to the creator, excellent work.

  • Somebody's got this problem with u***********.*y ?

    Traceback (most recent call last):
    File "u***********.*y ", line 53, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
    TypeError: 'NoneType' object is not subscriptable

  • @X013 said:

    Somebody's got this problem with u***********.*y ?

    Traceback (most recent call last):
    File "u***********.*y ", line 53, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
    TypeError: 'NoneType' object is not subscriptable

    It massively depends what is in u***********.*y but it looks like the script is missing something or has been misconfigured.

    The best option is to read through the code, try to work out what is happening & where it happens, then you might be able to work out a solution.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Hello All.
    So I'm having a bit of a weird issue, I'm able to run the script (Starts with U) for the user and get to user.txt but after exploiting the US and getting a shell I'm not able to run more than 1 command. Is anyone else having the same issue or am I just the lucky one?
    Any help is greatly appreciated.
