Remote

I managed to get the a**** credentials on the login page but every time I try to login I just get a ‘Session timed out’ error in response. Running the 4****.py script with those creds gives me an error on line 54 that it didn’t get a cookie, implying the creds didn’t work. any hints?

Hmmm… Not too sure what I should be editing in the POC. Have tried editing the cmd and proc.StartInfo.FileName variables and inputting some kind of nc.exe payload over SMB but no connection being called back or ping to verify code execution.

Please help.

Thanks.

Thanks to @konamon for the hint ;D

@xxmeshxx said:
Thanks to @konamon for the hint ;D

Actually this is a really nice box, but I really struggled on User and then on Root as well. ?

User: As others said, there is really little to do, to make it work. I think I just missed the point completely here and ended up completely re-writing the pld part using PS*, which in the end worked really well for me.*

Root: I ran into error 1053 here as well, as others already did here. I know you don’t want to hear this, and I also don’t want to encourage others to reset the box even more, but this really was the only thing that worked for me.
→ Doing this step directly after a fresh reset.

*I guess hacking sometimes needs to be kinda brainfuck… Like using a script in one language, performing an exploit in a kind of markup language, which then runs a programming language to start a process running yet in another language. Hope that’s not too spoily and/or confusing ??

Hi guys, I am new to HTB. I did enumeration for port 80 and 111, searched all the files and folders but I still couldnt find the username and password for running the exploit. Could you give me a tip about where to find it?

Got root.

@Kamilovic said:
Hi guys, I am new to HTB. I did enumeration for port 80 and 111, searched all the files and folders but I still couldnt find the username and password for running the exploit. Could you give me a tip about where to find it?

If you see what 111 gives info it will list a service that you can use to proceed. To say any more would be a spoiler.

Please STOP CHANGING PASSWORD…
Soooooo annoying. :frowning:

Type your comment> @Wrebra said:

Please STOP CHANGING PASSWORD…
Soooooo annoying. :frowning:

I still find it hard to believe people are actively doing this, as its been supposedly going on pretty much non stop since the box went live a week ago. Even trolls get bored in that time…

Hi guys, I am new to HTB. i managed to find creds but struggling with the POC to do anything. Anybody able to help over private message? I’ve spent hours on this but getting nowhere!

Finally, I rooted my first windows machine.

Foothold: See what you can do with all these open ports
For User Exploit: Understand Windows CMD and file structure
For Root(Hint): Querier

I see many people rooted in the machine using the Remote way. Please message and guide me about that way if you have used that one.

Thanks to @CyberTinker :slight_smile:

Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

Type your comment> @VbScrub said:

Type your comment> @Wrebra said:

Please STOP CHANGING PASSWORD…
Soooooo annoying. :frowning:

I still find it hard to believe people are actively doing this, as its been supposedly going on pretty much non stop since the box went live a week ago. Even trolls get bored in that time…

And password is changed again…
I can’t believe this.

Managed to get the working exploit…able to ping my kali from victim using exploit. Tried downloading the malicious executable using powershell, can see file is getting downloaded as “python HTTPserver” receives the GET request. But when I try to execute the exe, nothing happens.

All stuck …any hint please…!!

Type your comment> @rootsh3llz said:

Managed to get the working exploit…able to ping my kali from victim using exploit. Tried downloading the malicious executable using powershell, can see file is getting downloaded as “python HTTPserver” receives the GET request. But when I try to execute the exe, nothing happens.

All stuck …any hint please…!!

Getting the exact same issue!! Its so frustrating. I have tried so many different ways and nothing is executing

Type your comment> @b0ssk said:

Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

Any hints on user?

Type your comment> @rootsh3llz said:

Type your comment> @b0ssk said:

Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

Any hints on user?

The user.txt file is all in the same location. So with the working exploit you can just grab the contents of it. As far as getting a propper shell PM me.

Type your comment> @rootsh3llz said:

Type your comment> @b0ssk said:

Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

Any hints on user?

Just done this. PM me if you still need it. As far as root goes, I think I’ll call it a night for today

Just a hint for those that have trouble with uploading stuff to the box (@rootsh3llz @mfhtb88 ): Maybe your exploit is correctly calling your server and downloading your payload but you can’t execute it afterwards because your exploit is trying to write somewhere where it doesn’t have write permissions. Try to specify a specific path for your exploit to write its files. Might involve some guess work, but I assume you’ll only be temporarily stumped by this :wink:

Type your comment> @TazWake said:

@osmus said:

So I’m able to change the needed areas in the script. However, when i run it i get this error. Any nudges would be helpful.

TypeError: ‘NoneType’ object has no attribute ‘getitem

Is this from some code you have added?

Yeah. I added additional values that i thought were needed.