Remote

Maybe the creator of the box can confirm if the U***** is the correct path to root?
It looks unintended because it has no relevance to the box name.
I guess the correct way is related to the “remote” tool?

Anyway, awesome box !
Every hint has been written here.

@Crafty I assumed both were intentional actually, cos surely that service you mentioned is not normally vulnerable to this kind of attack so must have been changed?

nothing is working for me on this machine… errors and errors and some more errors, dunno if it's me or the box, probably it's me… this just makes me feel like I never wanna touch windows machines again

30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? is this a py issue on my box?

@imag1ne said:

30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? is this a py issue on my box?

you don’t actually need to use py at all. I just logged in to the site and did it all manually, copying the payload part of the POC into the obvious place it should go when you start looking through the management portal of the site. Took me a while to realise how to trigger it (thanks to some of the button images not working) but a bit of googling helped there

I got User, PoC needs a little change, but after a time, it needs a box reset to work
for the foothold, also try again and again

@imag1ne said:

30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? is this a py issue on my box?

Make sure you’re in a privileged account. There’s more than one you can log into with the same password

I am stuck at the initial foothold. I saw the n** share and can access after m****** it, and found a s** file in A**_**** that I am pretty sure has the creds for a***@h**.l****, but after a lot of grep, find, sed, awk, strings, cat, etc I can not find the hash for the life of me as described in CMS documentation. Am I on the right track?
Thanks in advance!

Could someone PM me and give me a nudge on the POC? I’m able to ping my box and upload files to a path but not able to get a connection back.

@sneel0428 said:

I am stuck at the initial foothold. I saw the n** share and can access after m****** it, and found a s** file in A**_**** that I am pretty sure has the creds for a***@h**.l****, but after a lot of grep, find, sed, awk, strings, cat, etc I can not find the hash for the life of me as described in CMS documentation. Am I on the right track?
Thanks in advance!

use your “head”

@rezabey said:

use your “head”

Thanks!

is it me or is the file system (first foothold) horribly slow?!

@yannizZz said:

@DanielNull said:

Hey,
I am not looking for any hint at all, (tired of this) I am asking the people who are more familiar with Windows pen-testing.
Is there any book/course that I can learn about the Windows environment and its services? Or experience is the key here?
Thanks ?
Highly appreciated.

thumbs up
I’d love something like that as well

Me too

Finally rooted. Getting root was easier than the foothold :smile:

guys, I swapped to us-free2 and I still get no response on the high port with the shm*t command…

suggestions?

@yannizZz said:

@DanielNull said:

Hey,
I am not looking for any hint at all, (tired of this) I am asking the people who are more familiar with Windows pen-testing.
Is there any book/course that I can learn about the Windows environment and its services? Or experience is the key here?
Thanks ?
Highly appreciated.

thumbs up
I’d love something like that as well

Me too

Guys, is anything wrong with the U****C service? I get this: “The service did not respond to the start or control request in a timely fashion.”

@bill110179 said:

Guys, is anything wrong with the U****C service? I get this: “The service did not respond to the start or control request in a timely fashion.”

Same problem here, I’m going to reset if it persists!

Is the 46***.py supposed to work? It should be vulnerable looking at the version ..4, but I get an issue loading the login page in py. Am I on the wrong path?

@cyberafro said:
@bill110179 said:

Guys, is anything wrong with the U****C service? I get this: “The service did not respond to the start or control request in a timely fashion.”

Same problem here, I’m going to reset if it persists!

No, nothing wrong with the service.