Remote

12930313335

Comments

  • @TazWake said:

    I am curious how people find these write-ups without actively searching for the box name and write up.

    Well I can tell you in my case I was getting an error when I was futzing with a certain service on the host, and while Googling for the error I found someone posted a comment, complaining about the same thing, to a web site which had a full walkthrough. I'm reporting it to HTB, but the walkthrough was posted in mid/late May, so it's been out there a while.

  • edited July 2020

    OK, finally got root both ways.

    I really liked the initial enumeration over ***. I got sidetracked by two things I found there early on before focusing on the web site software itself and finding the file I needed.

    For instance, did anyone else find the WebShell? It's somewhere in the s***_*****p files, and I spent time on that, thinking "Maybe if it was there in a previous incarnation of this site, it's still there?" I wasn't able to find it on the live web site though. PM me and I'll tell you where to find this file so you can look at it yourself.

    Similarly, while recursively grepping through all the files for interesting strings, I found that at "2020-02-20 00:21:36,660" there was a failed login attempt because a user typed their password as their user account name. So naturally, their login failed, but the log file shows " Login attempt failed for username U**************!!". Immediately after this was a successful login for a user, so I figured maybe that was the password for that user? Nope. Another rabbit hole. PM me and I'll tell you where to find this stuff too.

    After spending time on those things, I finally found what I needed to get an initial foothold shell.

    Root took me a bit. Like, a few hours. I finally enumerated the right things and saw a way forward, but it took multiple tries to get the needed thing to run my code.

    Then I saw on the forums here there was another way to get root. Once I finally found the appropriate software, related to the system's name, enumeration of the right key information got me a hash. I was unable to crack the hash, but Google pointed me to a solution which did not involve cracking, but did involve cooking things a bit. That got me the credentials I needed to get in.

    I liked this system. It made me tear my hair out at some points, but it was a really good learning experience.

  • @japh42 said:

    Well I can tell you in my case I was getting an error when I was futzing with a certain service on the host, and while Googling for the error I found someone posted a comment, complaining about the same thing, to a web site which had a full walkthrough. I'm reporting it to HTB, but the walkthrough was posted in mid/late May, so it's been out there a while.

    Awesome - hopefully HTB will take action about it. This box appears to have a lot of people posting walkthroughs/video's. Possibly because it's marked "Easy" which means lots of beginners have a go and they may not fully understand the rules of the site.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
    'NoneType' object is not subscriptable
    i'm getting this error..what can i do

  • Rooted this box in both ways (TV and US) , learned a lot of new things! great stuff

  • got the user,
    any hint for rooting will be helpful

  • Can someone send me a PM on how to root this the "Remote" way.

    I done it the U***** way.

    Thanks

  • Took the T.V route in the end.
    This box was not easy for me (blue teamer)

  • Someone mind pointing me in the right direction? I have RCE via a U******.** exploit but I'm trying to .NET a reverse shell but I can't get it to work. Thanks in advance!

  • Nice box! Really trying to learn more windows and this was easy enough for me, but still learned alot :)

    I had to use metasploit on this one doing the TV-way, anyone did it that way manually? Please PM me if so!

  • Hello, someone else have problem with submit flags ? I'm have user and root flag and when i send flags from panel get 'wrong flag'. Someone has an idea how to solve the problem?

  • Well this box took me longer than it should have, I spent way too much time looking for a working unauthenticated exploit for U****** because I foolishly overlooked the N** port when I struck out trying to enum S**.
    \
    Even once I found the N** port, it took me ages to find the creds for U***** because I all the tools I tried to open the .S** file with said it was corrupted. I swear when I tried strings the first time the creds didn't even come out, was only when I went back and tried again hours later than I found them :-/

    Once you get access to U*****, the rest is easy, only takes a bit of googling and some enum.

  • edited July 2020

    Can anyone give me a nudge? I got in to the box and am having issues with root. I've tried messing with U****c...and can stop it, but can't start it to make it work. I think a .dll has been removed to prevent this. PUp shows it useable modifiable. Decided to go TV route. I found a hash that came out to be r3****_****n. Found a nifty python script to crack the hash. Tried an evil method with that password but no joy. Thought maybe I would reroute the service back to myself and use the app on my host machine, but discovered that the app needs internet service inorder to work without reconfiguring. Haven't been able to figure out how to reconfigure it using IP via command line. Anyway, any hints are appreciated. Thanks!

    EDIT: Got root! Thanks HomeSen for showing me what I was already seeing and not realizing it.. Learned some new things about how to view in pshell! And learned a nice bit of bash too!

  • PM for nuggets

  • I have rooted this box. But I would to know if there is anyone Rooted via S**personateP***? Drop me msg. I would like to know how.

  • I don't know why people on Free Servers just keep on Resetting the Box ..!
    It's Not even 1 min. Past the Last reset and Resetting the Box. Just can't even Enumerate.

  • Hi all, I had the cred for umbraco able to login in etc and the password keeps changing? Is someone doing that on purpose or is ment to be like that?
  • Type your comment> @piolug93 said:

    Hello, someone else have problem with submit flags ? I'm have user and root flag and when i send flags from panel get 'wrong flag'. Someone has an idea how to solve the problem?

    I seem to be having the same problem. I found the user flag, but it won't accept it.

  • edited July 2020

    Rooted this one, no longer a "script kiddie" :smiley:

    I'm definitely way more familiar maneuvering around Linux machines; helps quite a bit to watch some @VbScrub and @ippsec videos!

  • At some point Umbraco broke: i can't login no more (blank page after valid creds), CRE is not working anymore... seems like the app is broken. Reset wont work... The machine is about to be shutdown... can somebody do something with this machine?

  • edited July 2020

    Finally rooted! User was fairly easy but admin took quite some time.

    I found the U***** path first however I couldn't get it to work at the very last stage, if anyone succeeded with this method please let me know I think I must have done something wrong.

    TV was was pretty straightforward but I wasted a lot of time trying to get a meterpreter shell on the box, in the end I had to do it manually thanks to a hint from @HomeSen but it wasn't too hard.

    Feel free to PM for hints.

  • Why the fuck people cannot stay without changing the flag?

  • edited July 2020

    .

  • I got the user, any tip for the password? i got some files with hashes, can i use hashcat or you guys suggest other tool?

  • Stop resetting this box, y'all are kicking me out

  • Hi,

    Could someone please point the right syntax for passing comman arguments for the exploit? I'm working on user and I'm able to execute simple commands using the exploit but I cannot spawn a shell. I tried numerous ways but none has worked. This is my first Widnows box and honestly I don't feel comfortable with Windows syntax or escaping.

    Nism0

  • Hi,

    I was able to get two user with passwords. i can login to the site and i see people trying to upload files like WinP***, i saw a vulnerability, used a python script that i find on the web, but i only was capable to send simple commands.

  • Ok, for all those who have the problem with running exploit: think about -e option for PS.

    Nism0

  • I got the user.txt hash, i suspect it is the administrator password.
    Hashcat not working, i know its a md5 password any tip?

    the candidates from hash cat is something like this: $HEX[206b7

  • @GokuBlackSSR said:

    I got the user.txt hash, i suspect it is the administrator password.

    Erm, I might have misread but the hash in user.txt is a flag, not a password.

    Hashcat not working, i know its a md5 password any tip?

    the candidates from hash cat is something like this: $HEX[206b7

    This seems fun.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

Sign In to comment.