Remote

@Cyberzombi3 said:

I found the .py exploit that didn’t require any changes and I can run some commands but not others. This is confusing me: for example, I can run a ping or ipconfig but I can’t change directory??? Is this a permissions thing?

Try the other exploit. If this one isn’t working easily for you, the minimal changes to the other one might be a better path.

I really don’t get why tf people rank this machine (and some other ones) as easy.

Finally for root, used msfconsole so I feel I cheated a bit in regard to my OSCP approach lol but done is done! Learned an incredible amount and amazed myself a few times

Thanks to all who fielded my questions you know who you are, much appreciated as usual!

I found this box difficult, not having done much Windows privesc before, and it forced me to review my notes a lot. Enumeration is key here.

Other things that I have learned to be on the lookout for:

  • Some things just aren’t very easy to bruteforce, pick your battles
  • Sometimes there are bugs in pocs
  • Sometimes there are bugs in metasploit modules

Advice for the T********r root: enumerate and google. Go back over your notes from the foothold, find a way that perhaps you’d ignored.

Just rooted this box after hours of struggling with what to do with the information you get from the intended exploit.

To my fellow Linux buddies who are also new to Windows hacking: don’t do what I did and try to execute code as another user and/or switch to another user within your reverse shell. Close your reverse shell, have another good long look at the open ports, and think evil thoughts.

Rooted! Fun box, good challenge for beginners. I’m not very familiar with Windows boxes so it was a good opportunity to sharpen my enumeration skills. Other people have done a great job with hints so I won’t risk revealing spoilers. Everything you need for root is in this thread.

Can anyone help me with getting User please. I have managed to get the exploit to work and can see what user I am but I cannot see user.txt…

I also have seen the remote service but struggling to find user/pass for it, already tried all local users on system and old pass I already have for exploit.

@Ninkasi said:

Can anyone help me with getting User please. I have managed to get the exploit to work and can see what user I am but I cannot see user.txt…

I also have seen the remote service but struggling to find user/pass for it, already tried all local users on system and old pass I already have for exploit.

how can you find a file in windows? :wink:

@aldebaransec said:

how can you find a file in windows? :wink:

Any time I try find or findstr and try to traverse directories, i.e. search throughout all of C:\ or search each user’s desktop, the script fails and I get a prompt instead, you know, the caret (>).

It doesn’t like something about C:\ so how can I search? Also dir has the same problem.

How did anyone find out how to search using the script effectively? It either doesn’t work and gives an error message most of the time or it just hangs and does nothing.

Simple commands like whoami work…

@Ninkasi said:

Any time I try find or findstr and try to traverse directories, i.e. search throughout all of C:\ or search each user’s desktop, the script fails and I get a prompt instead, you know, the caret (>).

Have you looked in the user’s folders with dir ?

@TazWake said:

Have you looked in the user’s folders with dir ?

Yes, I tried this using the py script but it doesn’t work. If I specify, for example, dir C:\Users\Username\Desktop the script doesn’t work: I press enter and then just get a caret/prompt (>), like the syntax breaks the script somehow.

I take it most people aren’t using the python script to get the user.txt… so what are they using it for? What is the point here… dir/find/findstr doesn’t work with it, powershell reverse shell doesn’t work either. What am I missing!

Only simple commands work, ipconfig, whoami, net users, ping etc…

@Ninkasi said:

Yes, I tried this using the py script but it doesn’t work. If I specify, for example, dir C:\Users\Username\Desktop the script doesn’t work: I press enter and then just get a caret/prompt (>), like the syntax breaks the script somehow.

You need to get a shell. There is an exploit which does this for you.

I take it most people aren’t using the python script to get the user.txt… so what are they using it for? What is the point here… dir/find/findstr doesn’t work with it, powershell reverse shell doesn’t work either. What am I missing!

I don’t know what python script you mean.

Only simple commands work, ipconfig, whoami, net users, ping etc…

It feels like you’ve got an RCE exploit which makes enumeration harder because you can’t see the output.

@TazWake

I’ve got the Um***** RCE, so I can issue commands remotely. This is where I am stuck. I would like to know what commands/syntax other people have been using, as however I am using it isn’t liked by the script, which either errors or just returns a caret/prompt (>).

Are you talking about another shell? I am certain this is the right ‘first’ shell for user as I can see another way in now to root - evil*****… but I haven’t found creds for that yet.

@Ninkasi the hint by @TazWake regarding not seeing the script output is the key to getting the reverse shell I found. Feel free to message me if you need help

Stuck getting a decent shell. Got admin credentials, used an RCE exploit found on GitHub. RCE works, but gives very limited output. Tried somehow getting a reverse shell by uploading files, tried connecting back directly to my PC, but nothing works. From reading the comments, I assume there is another exploit that I missed which makes it way easier to get user, but I haven’t got a clue as to what it might be. Anyone able to help me out? If you need more details as to what I did, feel free to send me a PM.

Wow… I was stuck for hours trying to figure out how to exploit tv** in order to get root. Sometimes there are simpler solutions :smile:
Great fun though!

I’m on the root way with TV: I got a pw (!******!) and an ID, but can’t connect to the target. Please PM

Rooted the TV way!!!
PM for hints…

I need help to get Admin shell using TV. NVM, got it

@Ninkasi said:

@TazWake

I’ve got the Um***** RCE, so I can issue commands remotely.

I strongly believe there is more than one exploit.