Remote

Type your comment> @htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?> @ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way make it work

If you got creds, you have to switch user, another method exists though

Type your comment> @sneel0428 said:

Type your comment> @VbScrub said:

@sneel0428 if you want to keep trying to get the PoC working, fair enough. But just to clarify if you missed my previous posts - you don’t NEED to use the PoC with all the cookie and viewstate stuff. All that’s doing is mimicking someone actually using the website, so instead of using a script to do that you can just… actually use the website. You will still need the payload part of the PoC though, but its pretty obvious where to put it once you look around the site.

Oh for sure, at this point I am more curious than anything. What gets me about it is that other than the payload, its a fairly simple delivery mechanism. Hence me wondering whats going on. I tend to use the module that the PoC uses a lot so if there is an issue, I need to know haha. Thanks for everything!

Did you manage to find out what was going on? Because I think I have the same exact problem

Type your comment> @cyberafro said:

Type your comment> @htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?> @ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way make it work

If you got creds, you have to switch user, another method exists though

I have no local creds, just for the piece of code which the hint is the machines name. These dont seem to work

Guys, any ideas about what to do with that TV cred ?

rooted! :smiley:

I think I was overcomplicating trying to reconfigure the U*****c as well
The keywords for this machine are really ‘don’t overcomplicate’ :wink: things are often simpler than you think!

Could anyone PM me how to approach the TV method? It looks like an interesting exploit to learn…

Type your comment> @htbuser01 said:

Type your comment> @cyberafro said:

Type your comment> @htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?> @ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way make it work

If you got creds, you have to switch user, another method exists though

I have no local creds, just for the piece of code which the hint is the machines name. These dont seem to work

You are you have no local creds ? Don’t know what you call “piece of code”

@Raekh, switch user as said before

Type your comment> @daemonzone said:

rooted! :smiley:

I think I was overcomplicating trying to reconfigure the U*****c as well
The keywords for this machine are really ‘don’t overcomplicate’ :wink: things are often simpler than you think!

Could anyone PM me how to approach the TV method? It looks like an interesting exploit to learn…

I keep getting “FAILED 1053” when using U******c method.
Any help anyone?

Am struggling with poc - can’t get a ping or test-connection back nor downloadstring or file running from the cmd.x or ps.x no connection.

Found creds! Trying to get a reverse shell with the PoC

finally got root :smile:
Thanks for this box to learn something new (PoC) and some options to test multiple solution for getting root.
Again thanks to IppSec sharing all his knowledge on YT.
Since I’m just beginner on pentesting this helps me a lot to find possible solutions, getting important hints on how to use available tools, etc!

Since I was using the U***** path I’m wondering about the other options.
I haven’t had any success using the T* route so maybe someone can give me a nudged on how to go that way? Or was this just a rabbit hole?

I am a bit lost, I found credentials, and also used the PoC to drop nc or a msfvenom payload. But I cant get it to execute cause no icoming connection. Can someone give me a hint ?

the fastest rooting so far , I hope it was intended. Thanks to the creator

@ArcVael , I was getting the same issues until I reset the machine several time. I guess if you are the first user to exploit the U*s**C after reset, it will be alright.

Type your comment> @unethicalnoob said:

@gorash said:
I am a bit lost, I found credentials, and also used the PoC to drop nc or a msfvenom payload. But I cant get it to execute cause no icoming connection. Can someone give me a hint ?

I have the same issue. don’t know what’s happening in the background…Need help!

Make sure your payload parameters are correct (srvhost and lhost)

Rooted both ways! Nice machine. Stucked for some time with the payload for the PoC because of some silly mistake, but then all straightforward.

Ok wauw have been staring like crazy to a white screen for a long time until I looked on my watch and realized that time is of the essence.
So for anyone having the same silly problem, remember to keep track of time :wink:

Anyhow, box is straightforward only might take some time to get everything properly set. As always has been some fun. Enjoy guys!

While trying the U***** method for root, I’m getting an error saying it doesn’t start in a timely fashion. Did anyone else face that?

Edit: Got the root shell.
However, can’t read the root.txt file. I’m going absolutely crazy.
Every time I try to read it, the shell freezes. Wtf?

Edit 2: Nevermind, got it.
Weird tho.

Gents,

So, I did shmnt and found my way into a file system. However, from what I can tell, there is absolutely nothing within that I can utilize! All I would like to know is if I am spending hours going through USELESS information?

NOTE I am in using mt ns /st_b*up /mt <----- if this helps let you know what Im looking at!

Type your comment> @CandiedPixel said:

Gents,

So, I did shmnt and found my way into a file system. However, from what I can tell, there is absolutely nothing within that I can utilize! All I would like to know is if I am spending hours going through USELESS information?

NOTE I am in using mt ns /st_b*up /mt <----- if this helps let you know what Im looking at!

there is definitely something useful in there. Also, don’t just crawl through all of it hoping to stumble upon something interesting. Do some googling and find out where this type of site stores credentials

Finally rooted! My way:
User: enum, double enum, “mountines”, enum, strings, crack…enum again, CVE, doesn’t work from the box, change the process, shell, flag
root: enum, remote, “deeper” enum, find the right cracker, got passwd, flag

PM me for the help