Remote

I don’t get the file path I have to write to. I tried it with $env:TEMP but apparently the user doesn’t have write rights on it. Anyone able to provide some tips please?

EDIT: nvm I’m an idiot, think of something public (hope that’s not a spoiler)

@dojoku said:

@zhaoss said:

Hi, I am new. I’ve found the SPs files through the high, and a@.****l, then I have no idea what to do. Any bros help me? Thks~ >.<

Did you have the credential of a****@***.****l? Tried to enumerate what CMS is used on this box, then tried to exploit it.

Thank you, I’ve found the secret in the files, logged in, and now try to use the exp.

@DHIRAL said:

@yannizZz said:

Anyone else having trouble with the payload? :neutral:

I am going insane. Literally it’s executing nothing. Start End…
T.T

Me tooooo, upset >.<

Rooted. Thanks to @xthanavit @b0ssk

I see there are two ways to get root: US and TV.

Did anyone try the US way recently? It didn’t work for me and I was wondering if this (probably unintended) method has been patched.

Update: Never mind. The US way still works. I had to use a script. It’s strange that it can’t be done more manually.

@DHIRAL said:

@imag1ne said:

@bugeyemonster said:

(Quote)
I tried same thing and added debug lines. I don’t get to end, but the shows lack of cookies, so I too think this is the wrong route.

No, I did the same thing. Look closely where the script tries to print the cookies. It’s at r1. While it logs in afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong?

Hope it’s not a spoiler and we figure it out soon!!!

Any chance of a nudge. I’ve been looking for ages to find where to inject the payload.

  • I’ve followed the code, it all seems to be in the right place. I don’t know what I’m missing

@W0rmsp17 said:

@DHIRAL said:

@imag1ne said:

@bugeyemonster said:

(Quote)
I tried same thing and added debug lines. I don’t get to end, but the shows lack of cookies, so I too think this is the wrong route.

No, I did the same thing. Look closely where the script tries to print the cookies. It’s at r1. While it logs in afterwards at r2. So I tried print_dict(r2.cookies) and it worked! So it does have the cookies, maybe the place where we inject the payload is wrong?

Hope it’s not a spoiler and we figure it out soon!!!

Any chance of a nudge. I’ve been looking for ages to find where to inject the payload.

  • I’ve followed the code, it all seems to be in the right place. I don’t know what I’m missing

Drop me a message if you want a nudge :slight_smile:

@byteflo said:

Can someone give me a hint on transferring the file.

You can try to make your own place.

So weird, the PoC is giving me error now…

Nvm, fixed it. Just recopied the PoC lol, have no idea what I did wrong on the last one.

Is the U****C route still working? I’m getting an error starting the service. Following as done for Q*****r machine. I have verified I can manually stop/start the service and even reset the box.

PS C:\users\public> Start-Service : Service 'Update O******** Service (Uc)' cannot be started due to the following error: Cannot
start service Uc on computer '.'.
At C:\users\public\P****Up.ps1:1821 char:34
+ ... $TargetService | Start-Service -ErrorAction SilentlyContinue
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

@davihack said:

Got brain damage on user payload.

C:\Windows\system32>whoami
whoami
nt authority\system

Going through the same stage right now too hahahaha

Anyone?
I got user flag but it is not accepting the flag.
Tried resetting machine but none, getting same flag again.

The box is so weird, sometimes ping works sometimes it doesn’t! Still struggling for user !

Finally Rooted this #Remote…good machine to work upon

Follow up - after watching IppSec video, that error output appears normal. However I can’t get the Abuse command to execute ntct back to my listener. I manually verified I could run the kitty I dropped on the box and get connection back, so that’s working right. Maybe the UsoSvc route was patched? Also tried creating a user with this, but no dice. Any input?

@Vibhu025 said:

Anyone?
I got user flag but it is not accepting the flag.
Tried resetting machine but none, getting same flag again.

You need to raise this with HTB. Each reboot should give you a new flag; if it isn’t, then something is broken and you don’t want to get flagged as someone using an expired flag.

hey everyone, if your POC isn’t working: there are two options:

  1. you should edit it correctly
  2. maybe the time on the Server is different than on your PC. I had to change it to -5h.

If you need help feel free to pm

Resetting the Server doesn’t help :wink:

Rooted with U***C as well…!!

So this machine was fun…two ways to get the root flag:

  1. Administrator user
  2. System User

Rooted. Thanks, rootsh3llz!