Remote

12930313234

Comments

  • Ok, so I'm stuck at getting shell on the machine... I tried to download a file crafted with msfvenom on the machine, but seems like exploit doesn't like several characters (like 0x00). I'd appreciate if someone could DM me.

    Nism0

  • Type your comment> @TazWake said:

    @GokuBlackSSR said:

    I got the user.txt hash, i suspect it is the administrator password.

    Erm, I might have misread but the hash in user.txt is a flag, not a password.

    Hashcat not working, i know its a md5 password any tip?

    the candidates from hash cat is something like this: $HEX[206b7

    This seems fun.

    Sorry i'm new to HTB, i was too focused on the root.txt that i forgot what user.txt it all about.

    Rooted!!

  • OK I am lost here. I am trying to root with teh TV. Got some Creds.
    Is the Password r*****_****n correct?
    Cant log in with it. I feel really dump right now, cause i cant figure out what i am missing.

  • Finally rooted. I went straigth into the rabbit whole...
    Learned a lot.

  • anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

  • @itsPhoenix said:

    anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

    Is this for privilege escalation?

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • @TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

  • @itsPhoenix said:

    @TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

    Nice work.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • Rooted using TV and U****C method without msf. Quite an interesting box. Thanks to @TazWake and @japh42 for the nudges.

    If anyone want any nudges, feel free to DM

  • i have this error when i execute exploit VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];

  • edited July 2020

    I enjoyed this box because I learnt about a new type of d******e.

    User: do your enumeration, think about where this kind of application stores its data. Once authenticated, Google and find what you need.
    Root: very straight forward, enumerate and the right tool will show you the weakness very clearly.

    Feel free to DM for more specific hints.

    peterdjalaliev

  • Awesome box. Thanks @mrb3n . I really enjoyed it even it was my first Windows box ever.
    I knew nearly nothing about windows exploitation but this machine was a good start.
    Initially I had really hard times trying to get along with exploit. I was able only to issue simple commands and had no idea how to spawn a shell with this. Thankfully, @y4th0ts came with help. Kudos!
    The "remote" way for root was pretty obvious if anyone tried to get the id remotely ever before ;) I wasn't aware of the second path but saw people write about it in this thread so I googled a bit but had no luck with exploit at first. Finally, thanks to @joenibe I got root with the second approach.

    Nism0

  • edited July 2020

    Just got user, couldn't get one exploit to work but managed to find a different version of it that did work for me.

    Now struggling to get any enum files passed to the box but pushing on!

    Edit: Rooted!

    JohnEagle
    Always happy to help, feel free to drop me a PM for spoiler-free nudges

  • Why Does the User Flag say it's incorrect? -_-
    PS: I got the reverse shell using the Netcat way(Uploading nc.exe)

  • @KrishSai1999 said:

    Why Does the User Flag say it's incorrect? -_-

    Assuming you've got the correct user flag and rated the box as well as trying to submit the hash, then chances are the dynamic hash hasn't worked.

    Remember its a different hash each time the box is rebooted and on different VPNs.

    If it isn't working, the best suggestion is to raise a JIRA ticket and get HTB to help fix it.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • trying to root using U...C but I do not get a shell back. Uploaded the correct n....c version and using automated script to abuse u...c. Any one can help?

  • edited August 2020

    Rooted. Much more easier than I expected. But I didn't get why evil-winrm locked me out when I tried to login with credentials of new user that I created.

  • Finally made it to Root, Thanks to @joenibe for pointing me on the right track.

  • edited August 2020

    I can't elevate my privs on this machine with U*O method. Could someone DM me pls?

    Nism0

  • Got root on this but don't think I did it the intended way? Went the TV route but still don't think it was right? Would appreciate someone reaching out

    cmoon
    OSCP

  • @cmoon said:

    Got root on this but don't think I did it the intended way? Went the TV route but still don't think it was right? Would appreciate someone reaching out

    AFAIK, you took the intended route.


    Hack The Box
    OSWE | GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

  • Rooted. Getting user took longer than I expected, but that was because I went down a rabbit hole. Getting root was fun, I learned a new technique that I didn't use before.
    User: Do your usual enumeration, but make sure to check for versions on application, there might be vulns ;) . Google and find what you need.
    Root: Throw a enum script at it and carefully check the vulnerabilities.

    Thank you for machine @mrb3n .

  • The TV route didn't work for me so I went the "unintended" route and got root. For those struggling to get shell the script works just fine just check nishang's PowerShellTCP.ps1. It work for me no editing needed to be done on the script.

  • After a long weekend bashing away at this... I finally have root, using the unintended method. Managed to find a password for the intended route but wasn't sure what to do next. Would appreciate any tips on solving the intended route.

    Thanks to all for the comments in the forum - kept me sane when I thought I was losing it.

    jmehys

  • edited August 2020

    Yay! Got root! Huge thank you to everyone for hints here and there! Got there using the "unintended" path of U****c.

    As for the TV path, I found the hash, cracked the hash and discovered the interesting thing listening, but the above path was what I resorted to in the end. Anyone care to share more details about the TV path so that I can learn a little bit more? I'd be happy to share in DMs more details to prove that I really did get the above information I'm claiming.

    Thank you for the machine @mrb3n !

  • I have a problem with running the exploit.py, I've modified the script and installed all modules and I get this output:
    Start
    []
    Traceback (most recent call last):
    File "*****.py", line 56, in
    VIEWSTATE = soup.find(id="VIEWSTATE")['value'];
    TypeError: 'NoneType' object has no attribute '__getitem
    '

    I see people with the same problem and something about clock issues, but idk what to do.

    Pls DM me if you can help me.
    thx

  • Noob needing some help. I was able to get user but am having trouble with root. I dont want to post any specifics here. is anyone willing to hear what i have done and maybe give some guidance. THanks much! Plz DM me!

    -p4nt4n30

  • Not sure what im doing wrong. I got both pw's out of TV i can seem to login everything i try i get login failed. someone please help. Ive tried almost every PS**** and nothing.

  • The RCE exp doesn't work, and 500 status code returned when I use the exp in burp, can anyone help me?

  • Just got Root!!!! and now I'm a script Kiddie!!!! thanks to everyone that helped and to @mrb3n for making the box.

Sign In to comment.