Remote

Spoiler Removed

Hey everyone, I just rooted this great box!

Aside from the technical issues with a certain filesystem, I really enjoyed this. Thanks @mrb3n for the experience!

My hints:
User: Go for the low-hanging fruit and brush up on your google-foo. If something looks important, it very well might be! Finally, before making a calculated risk, try something simple.
Root: Basic Windows enumeration gets you far. There isn’t much else here.

Feel free to message me if you want any hints or nudges! I’m always happy to help.

Can someone give me a hint on how I'm supposed to run the payload? I have access to the admin portal but I can't figure out how I can run it from here.

I’ve dug through the files acquired in the first step, got my friend John to help out, and gained access to the portal with user s*****.

Found the PoC, and understood what each step does. I can manually replicate them, but when I get to the vulnerable page, it’s returning Internal Server Error. I’ve tried to execute the payload, but after much fiddling I haven’t been able to get it to work.

Could someone confirm if the Internal Server Error is the page I should be seeing before sending my payload? Suspecting I might be in the wrong account or overlooked something else.

EDIT: I was in the wrong account. Now I'm able to get RCE to ping my machine; working on getting a shell.

@Perkele said:

Can someone give me a hint on how I'm supposed to run the payload? I have access to the admin portal but I can't figure out how I can run it from here.

Same. I think I understand what it's doing… but I cannot successfully change the script to do what's needed.

Rooted.

Some hints:

User - Look up how the CMS stores things, and then look around in the non-standard port you probably found. You’ll find some useful stuff. Remember to pay attention to login prompts, otherwise you might get frustrated that the creds you have aren’t working. Once you have creds, the PoC might seem like it’s broken…it’s not. Read through the payload carefully and figure out how to get a full command with argument in there.

Root - The name of the box is a hint. Do some standard enumeration and something will stick out. Investigate it…there’s an easy button available or you can do it manually if you want.

@DanielNull said:

Hey,
I am not looking for any hint at all (tired of this); I am asking the people who are more familiar with Windows pen-testing.
Is there any book/course where I can learn about the Windows environment and its services? Or is experience the key here?
Thanks.
Highly appreciated.

thumbs up
I’d love something like that as well

Found user a****@htb.**, the keys in w.g, the login page, some md5 from I don't even remember where. People talk of some s user which I haven't seen in a single file. Some help on what to do with all this junk, because I feel so close yet so far.

I found that payload thing if you want help PM me

Is that s*f file needed for foothold? I tried methods but couldn't read.

@rezabey said:

Is that s*f file needed for foothold? I tried methods but couldn't read.

Yes. Try the way you typically read files.

@menorevs said:

@rezabey said:

Is that s*f file needed for foothold? I tried methods but couldn't read.

Yes. Try the way you typically read files.

I feel so dumb right now. Ty.

@rezabey said:

@menorevs said:

@rezabey said:

Is that s*f file needed for foothold? I tried methods but couldn't read.

Yes. Try the way you typically read files.

I feel so dumb right now. Ty.

Never feel dumb learning!

Rooted, but people, do NOT change original configurations if it is not connected to the exploitation… and especially credentials! There are other people there trying to work at the same time, and you waste their time by doing that!

Overall nice box
User: enumerate, m***t and find juicy info that will allow you to log in. Then search for public info. Make sure you edit that public info carefully, especially the payload. There is no need to hardcode any values.
Root: do regular enumeration and you should find something quickly.

Is it necessary to change the password for the ***n account? The creds I had were working earlier; anyone seeing this behavior?

Having trouble on the payload/PoC. Kept it simple, tried more complicated, and even tried to trigger it manually. Been mindful of formatting; would definitely welcome a nudge.

@bee said:

Having trouble on the payload/PoC. Kept it simple, tried more complicated, and even tried to trigger it manually. Been mindful of formatting; would definitely welcome a nudge.

It works as is; just change the File Name to what you want and the string to the parameters. You might want to add a line to print the response content, or see it through Burp.

Can someone help me out with the PoC please? I'm able to ping my machine, but everything else I try does not work.

Found 2 ways to get root.txt.

Got it. Had a lot of fun on this one. I did have to switch from EU to US, and that seemed to help.