Remote

12931333435

Comments

  • Need help on final root part.
    I enum and found vulnerable s**** p****
    I use the function I*-S * A * and cant get and admin rev * Sh *
    Can someone PM me please e know there is a "Remote" solution but i wanto to go this way

  • Type your comment> @WarIFFL said:

    Need help on final root part.
    I enum and found vulnerable s**** p****
    I use the function I*-S * A * and cant get and admin rev * Sh *
    Can someone PM me please e know there is a "Remote" solution but i wanto to go this way

    Update: Rooted
    hints* For those who go for In****-Se**** keep in mind the OS version and the rev****sh*** whith priv is really instable i open 3 dif sh****

  • User: I didn't use any scripts. I just used the web app. It was kind of hard in firefox, because some buttons weren't showing up. I ended up using chromium. This isn't the first time this has happened to me. Maybe I'll finally learn a lesson.

    Root: Just found what stood out, enumerated it, got help from a new module for creds.

    Looks like there may be more than one way to root.

    Hack The Box

  • I keep having problems with the script.

    Traceback (most recent call last): File "asd.py", line 54, in <module> VIEWSTATE = soup.find(id="__VIEWSTATE")['value'] TypeError: 'NoneType' object is not subscriptable

    I adjusted the time so nmap doesn't show any skew:

    Host script results: |_clock-skew: 0s | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 45222/tcp): CLEAN (Couldn't connect) | Check 2 (port 21943/tcp): CLEAN (Couldn't connect) | Check 3 (port 37936/udp): CLEAN (Timeout) | Check 4 (port 15893/udp): CLEAN (Failed to receive data) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-06-07T19:28:59 |_ start_date: N/A

    Also edjusted the hwclock to reflect the 2 minutes difference I had before (remote machine is 2 minutes ahead of global NTP servers)

    Can anyone help me with this? It's getting kinda frustrating. Thanks.

    Hack The Box

  • edited June 2020

    Rooted
    Foothold: Files enumeration
    User: Use what you find
    Root: If the name of the machine does not help you, then look at the interesting programs that are installed on the machine.
    PM me for hints :smile:

  • Rooted, very fun box. Spent too much time on root.
    Root - Take some time to identify the correct way to connect with creds you found ;)

  • edited June 2020

    -

    Hack The Box

  • Type your comment> I'm logged into the site as ***n, but i now have no idea what to do next to get any further

  • Type your comment> @QubitKid said:

    Type your comment> I'm logged into the site as ***n, but i now have no idea what to do next to get any further

    also when trying to use ms** to e*****t, i get a conection reset by peer error message

  • Finally rooted this box. It took me way too long to get the root. I was stuck because of a bad shell. Meterpreter did it for me this time. So if you are stuck at root, try another shell.

    I loved the box though, learned a lot :)

    PM me for hints

  • Hey
    Could someone give me a pointer. I'm still chasing the initial foothold
    I have the log in page
    I have the username a@h.l*
    and I have the decoded hash from the file (sounds tasty)

    When I try log in I get "session timed out" every time, I have waited an hour, I have reset the box.
    I just gave in and looked at comments and see people talking about being logged in, so i'm taking from that I have missed something or have an issue.

    Cheers in advance

  • @LewEl said:

    Hey
    Could someone give me a pointer. I'm still chasing the initial foothold
    I have the log in page
    I have the username a@h.l*
    and I have the decoded hash from the file (sounds tasty)

    When I try log in I get "session timed out" every time, I have waited an hour, I have reset the box.
    I just gave in and looked at comments and see people talking about being logged in, so i'm taking from that I have missed something or have an issue.

    Cheers in advance

    You should be able to login with the data you mentioned. Might be that the machine is acting up and you need to reset it.


    Hack The Box
    OSWE | GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

  • Type your comment> @HomeSen said:

    @LewEl said:

    Hey
    Could someone give me a pointer. I'm still chasing the initial foothold
    I have the log in page
    I have the username a@h.l*
    and I have the decoded hash from the file (sounds tasty)

    When I try log in I get "session timed out" every time, I have waited an hour, I have reset the box.
    I just gave in and looked at comments and see people talking about being logged in, so i'm taking from that I have missed something or have an issue.

    Cheers in advance

    You should be able to login with the data you mentioned. Might be that the machine is acting up and you need to reset it.

    Interesting,

    I just swapped to a different server and am getting the same issue
    ...

    Hmmmm

  • For anyone else suffering with the above problem

    Install Chrome, whatever was causing it is a Firefox problem

  • One problem down and another arises.

    I don't want to give much away in here, but is there anyone who could reach out and help me with the exploit? It is erroring out on me and I can't figure out how to resolve it

    I can and will provide details in PM. I don't want to put specifics in here and give spoilers :)

    Cheers

  • Rooted !!! I found two priv esc's, but could only get one to work (TV ... way). Anyone get the "musical" one to work?

    GreysMatter

  • edited June 2020

    Rooted!

    Thanks for the suggestions here. I'm mainly a noob and just learning, so for those like me. Don't forget during user enum how to read into all files.

    For root I got it to the point of having a password from TV but was lost as to what to do with it, then i looked at the musical way and found a good reference to help me via enough google fu. It was in fact super easy to do.

    I'm enjoying hack the box a lot!

    Hack The Box

  • Finally rooted!

    USER: a bit of enumeration showed me the right vulnerability to use, then it was not immediate for beginners like me to understand what that opened port did, but after finding the s** file it was not so difficult to use the informations there to obtain a shell and get user flag.

    ROOT: spent a lot of time trying to figure out how to do a privilege escalation. Thanks @RangerRocket for the hint. After realizing what I was missing, I obtained a root shell.

    Hope this is not too much of a spoiler. PM me if you need some help!

    Hack The Box

  • edited June 2020

    Need advise on getting better shell

    a. I've already gotten user, found what's attached, enumerated, used what i found to do the authN RCE on the web service
    b.) stuck in a basic non-interrctive non ps reverse shell as the app***** user

    So basically, I don't like this non- interactive shell, looking for suggestions to get me an interactive shell so i can do enumeration of rpriv esc more easilly

    I've tried MSV -f psh paylods but can't get it to fire in the remote RCE
    I've looked around Github for interracgive ps1 examples but they embed the lhost and lport into them .. also try to cert*** method but i have permission issues even n temp ...

    seems dumb but i really don't want to use this shell, feel like it's holding me back cuz i can''t see errors

  • Hi all,

    I have already rooted the box using the U****C way but i am stuck with the TV way. I have got the TV Creds but dont know what to do next with those. I am new and this the 2nd windows box for me . Please PM me with a nudge

    cheers :smiley:
  • So we found the a**** and s***** creds in the N** folder. I'm using Burp to bruteforce one login while my friend tries the F** directory, but so far no luck. We also found the A**** webshell but can't figure out how to access it. Can anyone DM me with a hint? Thank you!
  • Finally rooted. My first machine owned on HTB. Learn a lot. :wink:

  • I'm pretty new to this, working on Remote. So far, I've gotten the user flag.

    As of now, I think I've managed to pull TV credentials, but can't figure out how to use the bloody things.

    I feel like I'm pretty close on this. I can't figure out how to escalate from this point with the credentials I've got (or think I've got). If someone's done this with the TV method and wouldn't mind shooting me a DM with a nudge in the right direction, or so that I can provide slightly more specific information for a nudge to get this sucker.

    Jatius

  • Type your comment> @Jatius said:

    I'm pretty new to this, working on Remote. So far, I've gotten the user flag.

    As of now, I think I've managed to pull TV credentials, but can't figure out how to use the bloody things.

    I feel like I'm pretty close on this. I can't figure out how to escalate from this point with the credentials I've got (or think I've got). If someone's done this with the TV method and wouldn't mind shooting me a DM with a nudge in the right direction, or so that I can provide slightly more specific information for a nudge to get this sucker.

    Same here...

    Got user , Upgraded my shell so i could invoke some better PS for enumerations
    Found the TV, read the article and which led me to the exploit, found the thing they left unattended

    At the moment, trying to replay the creds using a common powershell command but my my reverse gets terminated every-time... maybe AV? tried using a PS reverse shell to avoid AV but that doesn't fire off for some reason ...

  • Got root with the musical number after deciding to throw in the towel with the remote. However, I'd like to know how to do the remote way, if anyone who's done that wants to DM me with nudge/hint/whatever from where I am, I'd appreciate it.

    Jatius

  • Spoiler Removed

  • Hey got root on the box. Can someone tell me what is the other way?
    Thanks in advance

  • Hello, I have a shell as user and currently I see something that I can "abuse" to to PrivEscalation by I*****-S**********e , but nothing I'm trying works. Tried different listeing ports, versions, etc,. Anyone that can help me out please? Thanks.

  • I got user, but my reverse shell don't allow me to execute P****U**.ps1... anyone can help me to get root?

  • C:\Windows\system32>whoami
    whoami
    nt authority\system

    C:\Windows\system32>systeminfo
    systeminfo

    Host Name: REMOTE

    Finally.

Sign In to comment.