Remote

1121315171835

Comments

  • what to do with the TV credential? Please DM

  • Hi guys, I am new to HTB. I did enumeration for port 80 and 111, searched all the files and folders but I still couldnt find the username and password for running the exploit. Could you give me a tip about where to find it?

  • edited March 2020

    Got root.

    @Kamilovic said:
    Hi guys, I am new to HTB. I did enumeration for port 80 and 111, searched all the files and folders but I still couldnt find the username and password for running the exploit. Could you give me a tip about where to find it?

    If you see what 111 gives info it will list a service that you can use to proceed. To say any more would be a spoiler.

  • Please STOP CHANGING PASSWORD...
    Soooooo annoying. :(

  • Type your comment> @Wrebra said:

    Please STOP CHANGING PASSWORD...
    Soooooo annoying. :(

    I still find it hard to believe people are actively doing this, as its been supposedly going on pretty much non stop since the box went live a week ago. Even trolls get bored in that time...

  • Hi guys, I am new to HTB. i managed to find creds but struggling with the POC to do anything. Anybody able to help over private message? I've spent hours on this but getting nowhere!

  • Finally, I rooted my first windows machine.

    Foothold: See what you can do with all these open ports
    For User Exploit: Understand Windows CMD and file structure
    For Root(Hint): Querier

    I see many people rooted in the machine using the Remote way. Please message and guide me about that way if you have used that one.

    Thanks to @CyberTinker :)

  • Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

    b0ssk

  • Type your comment> @VbScrub said:

    Type your comment> @Wrebra said:

    Please STOP CHANGING PASSWORD...
    Soooooo annoying. :(

    I still find it hard to believe people are actively doing this, as its been supposedly going on pretty much non stop since the box went live a week ago. Even trolls get bored in that time...

    And password is changed again...
    I can't believe this.

  • Managed to get the working exploit..able to ping my kali from victim using exploit. Tried downloading the malicious executable using powershell, can see file is getting downloaded as "python HTTPserver" receives the GET request. But when I try to execute the exe, nothing happens.

    All stuck ..any hint please..!!

  • Type your comment> @rootsh3llz said:

    Managed to get the working exploit..able to ping my kali from victim using exploit. Tried downloading the malicious executable using powershell, can see file is getting downloaded as "python HTTPserver" receives the GET request. But when I try to execute the exe, nothing happens.

    All stuck ..any hint please..!!

    Getting the exact same issue!! Its so frustrating. I have tried so many different ways and nothing is executing

  • edited March 2020

    Type your comment> @b0ssk said:

    Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

    Any hints on user?

  • Type your comment> @rootsh3llz said:

    Type your comment> @b0ssk said:

    Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

    Any hints on user?

    The user.txt file is all in the same location. So with the working exploit you can just grab the contents of it. As far as getting a propper shell PM me.

    b0ssk

  • Type your comment> @rootsh3llz said:

    Type your comment> @b0ssk said:

    Rooted! That was enjoyable. Thank you for the nudge I needed @nyckelharpa

    Any hints on user?

    Just done this. PM me if you still need it. As far as root goes, I think I'll call it a night for today

  • Just a hint for those that have trouble with uploading stuff to the box (@rootsh3llz @mfhtb88 ): Maybe your exploit is correctly calling your server and downloading your payload but you can't execute it afterwards because your exploit is trying to write somewhere where it doesn't have write permissions. Try to specify a specific path for your exploit to write its files. Might involve some guess work, but I assume you'll only be temporarily stumped by this ;)

  • Type your comment> @TazWake said:

    @osmus said:

    So I'm able to change the needed areas in the script. However, when i run it i get this error. Any nudges would be helpful.

    TypeError: 'NoneType' object has no attribute 'getitem'

    Is this from some code you have added?

    Yeah. I added additional values that i thought were needed.

  • Type your comment> @nyckelharpa said:

    Just a hint for those that have trouble with uploading stuff to the box (@rootsh3llz @mfhtb88 ): Maybe your exploit is correctly calling your server and downloading your payload but you can't execute it afterwards because your exploit is trying to write somewhere where it doesn't have write permissions. Try to specify a specific path for your exploit to write its files. Might involve some guess work, but I assume you'll only be temporarily stumped by this ;)

    Yeah I got this, figured it out as I started getting the output from my PS script. Thanks :-)

  • Got first shell...finally..!! Thanks for hints guys..!!

  • Can someone give me a hint on transferring the file. I believe I know where to put the file, but I've tried copying the file using smb shares, http to transfer via I*****-W**R******, and am not getting any luck with it even trying to take the file from my http server. This is only my second box so I have a feeling I'm not doing something obvious but have been stuck here for 2 hours at this point. I'm able to ping my kali box but that is about the only thing I feel like I've accomplished.

  • I think I am about to go insane... My creds dont work. If someone PMs me so I can compare my findings with them I would really appreciate it.

  • Ripping my hair out over this script. Been stuck on it for a full day :/

    <img src="https://www.hackthebox.eu/badge/team/image/2708"; alt="Hack The Box">

  • In case anyone has the cred a*d**@htb.***** and b********se but failed to login. Reset the machine. I don't understand why people change the password.

    Zhe0ops

  • edited March 2020

    I don't get the file path I have to write to. I tried it with $env:TEMP but apparently the user doesn't have write rights on it. Anyone able to provide some tips please?

    EDIT: nvm i'm an idiot, think of something public (hope thats not an spoiler)

    phil330d

  • Type your comment> @dojoku said:

    Type your comment> @zhaoss said:

    hi,I am new ,I ve found the S*******Ps files through the high,and a****@***.****l,then I have no idea what to do ,any bros helps me?thks~ >.<

    did you have credential of a****@***.****l? tried to enumerate what cms used of this box then tried to exploit them.

    thank you ,I've found the secret in the files ,login,and now try to use the exp .

  • Type your comment> @DHIRAL said:

    Type your comment> @yannizZz said:

    anyone else having trouble with the payload? :neutral:

    I am going insane. Literally its executing nothing. Start [] End....
    T.T

    me tooooo,upset >.<

  • edited March 2020
    I see there are two ways to get root: U**S** and TV.

    Did anyone try the U**S** way recently? It didn't work for me and I was wondering if this (probably unintended) method has been patched.

    Update: Never mind. The U**S** way still works. I had to use a script. It's strange that it can't done more manually.
  • Type your comment> @DHIRAL said:

    Type your comment> @imag1ne said:

    Type your comment> @bugeyemonster said:

    (Quote)
    I tried same thing and added debug lines. I don't get to end, but the [] shows lack of cookies, so I too think this is the wrong route.

    No, I did the same thing. Look closely where the script tries to print the cookies. Its at r1. While it logins afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong😉.

    Hope it's not a spoiler and we figure it out soon!!!

    @DHIRAL said:
    Type your comment> @imag1ne said:

    Type your comment> @bugeyemonster said:

    (Quote)
    I tried same thing and added debug lines. I don't get to end, but the [] shows lack of cookies, so I too think this is the wrong route.

    No, I did the same thing. Look closely where the script tries to print the cookies. Its at r1. While it logins afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong😉.

    Hope it's not a spoiler and we figure it out soon!!!

    Any chance of a nudge. I've been looking for ages to find where to inject the payload.

    • I've followed the code, it all seems to be in the right place. I dont know what im missing
  • Type your comment> @W0rmsp17 said:

    Type your comment> @DHIRAL said:

    Type your comment> @imag1ne said:

    Type your comment> @bugeyemonster said:

    (Quote)
    I tried same thing and added debug lines. I don't get to end, but the [] shows lack of cookies, so I too think this is the wrong route.

    No, I did the same thing. Look closely where the script tries to print the cookies. Its at r1. While it logins afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong😉.

    Hope it's not a spoiler and we figure it out soon!!!

    @DHIRAL said:
    Type your comment> @imag1ne said:

    Type your comment> @bugeyemonster said:

    (Quote)
    I tried same thing and added debug lines. I don't get to end, but the [] shows lack of cookies, so I too think this is the wrong route.

    No, I did the same thing. Look closely where the script tries to print the cookies. Its at r1. While it logins afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong😉.

    Hope it's not a spoiler and we figure it out soon!!!

    Any chance of a nudge. I've been looking for ages to find where to inject the payload.

    • I've followed the code, it all seems to be in the right place. I dont know what im missing

    Drop me a message if you want a nudge :)

    <img src="https://www.hackthebox.eu/badge/team/image/2708"; alt="Hack The Box">

  • @byteflo said:

    Can someone give me a hint on transferring the file.

    You can try to make your own place.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

Sign In to comment.