Remote


Comments

  • I'm trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

    I was trying to run something like "sudoo" on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

    What am I missing? Is this in the right direction?

  • @matheusbrat said:

    > I'm trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?
    >
    > I was trying to run something like "sudoo" on ps and/or runas but it always falls back to the cmd without allowing me to type the password.
    >
    > What am I missing? Is this in the right direction?

    Just log in with those credentials ;)


    OSWE | GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

  • Can somebody help me, please?
    I'm stuck with the u*******.** script.

    I still have this answer:

    VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
    TypeError: 'NoneType' object is not subscriptable

    Thank you in advance

  • @X013 said:

    > Can somebody help me, please?
    > I'm stuck with the u*******.** script.
    >
    > I still have this answer:
    >
    > VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
    > TypeError: 'NoneType' object is not subscriptable
    >
    > Thank you in advance

    It's mentioned a lot in this thread - the search tool helps:

    https://forum.hackthebox.eu/discussion/comment/73219/#Comment_73219

    https://forum.hackthebox.eu/discussion/comment/68260/#Comment_68260

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @waldemaro said:

    > rooted!
    > https://media.tenor.co/videos/6ed80590a4d0b91b0198e112cf3afd94/mp4
    >
    > thanks to @HomeSen for pointing me in the right direction

    I'm at the same point where you were earlier, can you help me?

  • @HomeSen said:

    > @matheusbrat said:
    >
    > > I'm trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?
    > >
    > > I was trying to run something like "sudoo" on ps and/or runas but it always falls back to the cmd without allowing me to type the password.
    > >
    > > What am I missing? Is this in the right direction?
    >
    > Just log in with those credentials ;)

    Probably I'm overthinking this but I have tried regular f** client, s** client, nf*, win** with a python script which gives me (the specified credentials were rejected by the server).

    I thought of using the TV client and connecting to the information I got on r*****. But that doesn't seem to work either.

    Can someone jump into DM so I can explain what I have been doing? Thanks in advance.

  • edited May 2020

    @HomeSen said:

    > @matheusbrat said:
    >
    > > I'm trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?
    > >
    > > I was trying to run something like "sudoo" on ps and/or runas but it always falls back to the cmd without allowing me to type the password.
    > >
    > > What am I missing? Is this in the right direction?
    >
    > Just log in with those credentials ;)

    @HomeSen Thanks for pointing out that I was using the wrong encoded value!

    ROOT Hint: There is more than one value encrypted, so pay attention to which one to use

  • edited May 2020

    Got the remote key, have to connect it seems, and thank you @waldemaro for guiding me

    Rooted!

    root hint: Think like an evil

  • Could anyone help me with the TV process?
    I rooted already using the US method.

  • The TV process is annoying af, definitely drinking a bottle after that one lol PM me if you need a nudge

  • I cannot for the life of me figure out how to run the enumeration script! Can someone give me a hint?

  • edited May 2020

    Hi there, can someone help with the TV approach? Found pwd, but don't know where to use it. And about enumeration method, ps says it did use "service" ps1 command thing, but it does nothing. Strange, cuz a lot of people have been able to elevate via enum method.

    UPD: Rooted using TV method. Really interested in how to root it the other way
    PM for nudge. But really have no idea why US method doesn't work. It doesn't add user nor run a cmd via abuse, weird

  • edited May 2020

    EDIT: found the creds!


  • Neglected to add notes previously -
    I've re-rooted box using the TV way (after first time going via service).
    The second way is also nice :)
    Thanks again...


  • Root hint for u****c way:
    Don't forget to stop "the thing" before trying anything on it, and also forget the "PS thing" if you're using it to exploit the vuln. The manual way works better.
    Also this page may help you https://guif.re/windowseop

  • edited May 2020

    Rooted. First tried the u****c way, but I couldn't get it working. Was it patched or something, as user creation did not work? Then tried the TV way, rather straightforward. Very nice box overall.


  • edited May 2020

    I have gotten the creds from N** directory but logging into UM***** gives a complete white page, trying the POC always results in "Connection Reset by Peer". Although printing the cookies tells me it's logged in.
    It always resets on

    url_xslt = host+"/umbraco/developer/Xslt/xsltVisualize.aspx";
    r3 = s.get(url_xslt);

    Any nudges on how to proceed?

    EDIT:
    Never mind, figured it out, EU servers FTW

  • I'm trying the U***C service way but it fails.

    [SC] StartService FAILED 1053:
    The service did not respond to the start or control request in a timely fashion.

    Any hints?

  • @JKLOVE said:
    > how to get root
    > someone can give me tips?

    The name of the box itself is a hint.
    A service is used for this operation.
    Check its version and Google it.
    You will get.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Hint for the u****c
    absolution is key

  • edited May 2020

    Hi any hints with the TV approach? I have the pwd, but don't know where to use it.

    EDIT: Rooted TV way, appeared like the password had been changed. Remember to be Evil with the password, and that admins are lazy!

  • I have user, have a shell, used P****U*.**1 to abuse a service - worked but cannot for the life of me get logged in as administrator. runas didn't work ... I am sure I am overthinking this.

  • Could someone give me a hint about root? I think I've tried with both approaches and still I can't get it, it fails at the last step. PM if you want and I tell you what I've been trying!!

  • ROOTED!

    Nice Windows box, it's very realistic and the software you have to exploit is quite common and widespread. Below some hints:

    Foothold: it's easy to identify the first service, it's also easy to get access to a not protected share, then just Google where the juicy information is stored.

    User: if you are here you know what to do now so read the PoC and think what can be more useful to run on a Windows box instead of calc.exe

    Root: I owned the box following the "Remote" way, so again identify the service that is not on a default Windows installation and google for vulnerabilities of that particular version, then there is a msf module to complete the task.

    PM me if you need help!

    achille


  • Finally ROOTED. It took me way too long.

    User: Once you find the exploit, look a little more, someone has made it a little easier.

    Root: It is a common escalation method. However, I had syntax issues so I used the same method but in a little different way.

    PM me if you need any hints.

  • Hi all,

    For the TV exploit, could someone point me to the best way to run a python exploit on a Windows box? What did you do?

    Yes, I know there's metasploit, but who did the exploit without MSF? Any tips would be very appreciated.

    Thanks!


  • Rooted. Thanks to HomeSen for confirming I was on the right lines. Second box after ServMon. Learnt a lot and enjoyed this box. Used TV to get Admin. Happy to provide pointers via PM.

  • edited May 2020

    Is there something wrong with the box? Unable to issue commands as I was doing last night.

  • edited May 2020

    Okay rooted, finally. Thank you everyone, because I've been scanning this forum for pointers. Got just enough help without getting spoiled.

    User: Look up PoCs, pay attention to ports.
    Root: Use that famous tool we all use, but afterwards if you are lost go look up similar boxes in the past and pay very close attention to the scripts they run. Also stay away from the Mario brothers approach, because I think that the exploit it leads to got patched so it doesn't help as much anymore (either that or I'm incompetent)

    Hopefully I didn't give away too much or give any bad info, but I'm tired and need to sleep for like a day. (Internally I am screaming in anger for how long it took me to solve this box just to find out I was an inch away and just had to do better research)

    Edit: I fixed the user hint.

    King of feeling stupid

  • @dojoku said:

    > @gsxrjason said:
    >
    > > @dyl88 said:
    > >
    > > > @Meatex said:
    > > >
    > > > > I am in the same boat as xboxfreak54
    > > > > Confirmed RCE with ping and got it to do web requests and download files but any more complicated scripts are no go. Not sure where it's storing downloaded files and tried downloading and then executing by running exploit with command to just run but no joy yet.
    > > >
    > > > I'm in the same boat as you, it downloaded a file.. but god knows where it went.. can't seem to get it to run
    > >
    > > I am also at this stage.
    > > Any attempt to add a path to the output location, download never starts.
    > > Attempts to execute my file without, hasn't made it back to my meter.
    >
    > Try to execute in memory when you can download a file on the server, so you don't need to know where the file is placed. One terminal to receive the reverse connection, another terminal to serve the file to be downloaded.

    Trying using P*******l and I*X but I'm having trouble inserting it into the POC payload. I think if I use ' python throws an error, if I use " it doesn't seem to work. Any pointers?
