Remote

@Ninkasi the hint by @TazWake regarding not seeing the script output is the key to getting the reverse shell I found. Feel free to message me if you need help

Stuck getting a decent shell. Got admin credentials, used a RCE exploit found on github. RCE works, but gives very limited output, tried somehow getting a reverse shell by uploading files, tried connecting back directly to my pc, but nothing works. From reading the comments, I assume there is another exploit that I missed which makes it way easier to get user, but I haven’t got a clue as to what it might be. Anyone able to help me out? If you need more details as to what I did, feel free to send me a pm.

Wow… I was stuck for hours trying to figure out how to exploit tv** in order to get root. Sometimes there are simpler solutions :smile:
Great fun though!

I’m on the root way with TV : I got a pw (!******!) and an ID, but can’t connect to the target. Please PM

Rooted the TV way !!!
pm for hints…

i need help to get Admin shell using TV, NVM Got it

@Ninkasi said:

@TazWake

I’ve got the Um***** RCE, so I can issue commands remotely.

I strongly believe there is more than one exploit.

can anybody help me out to solve this machine. I tried NS , FP. I mounted N*S but not able to see anything in directories. Am i going in right way or wrong way. please give me some hint.

@1nferno said:

can anybody help me out to solve this machine. I tried NS , FP. I mounted N*S but not able to see anything in directories. Am i going in right way or wrong way. please give me some hint.

Right way if I’ve read it correctly.

Double-check the mounting. You should be able to see things in the folders.

Got user.txt after running exploit but now failing to get shell for priv esc. any one to help?

Rooted!

All the hints needed are in this thread, but it took me an awful lot of try, fail, re-read to get there…

(Edit: I went via TV route, but I saw mention of an alternative; could someone PM me with a hint for that way, please?)

Besides the annoying and slow connection for beginning, this was a good one. Root complete!

I found user.txt and when I submit the flag it gives an error. Does anyone know if you have a problem?

I am trying to get root through U****c service, I have managed to create admin user, but I can’t login using new user’s creds. Please, help.

@Ralf how are you trying to login with the newly created account? If its via winrm then you would need to add the user to the Remote Management Users group

Type your comment> @absolutenoob said:

@Ralf how are you trying to login with the newly created account? If its via winrm then you would need to add the user to the Remote Management Users group

Thanks, I will try

@Ralf said:

Thanks, I will try

Or you could use the same exploit to get a priv shell.

rooted, User was far more complicated than root.

User Hint : Once you have found the credentials, there are 2 exploits you can use just make sure you get the syntax correct.

Root Hint : There are 2 ways to root this. The easiest way is to enumerate the server and something will jump out. The difficult way is to try and configure the TV with limited interpreters installed on the server.

Enjoy and thanks to the creator.

Nugget!

Can anyone help me with the pass i found the username but could not find the pass. Too many files and I kinda lost in it

Type your comment> @TazWake said:

@Ralf said:

Thanks, I will try

Or you could use the same exploit to get a priv shell.

Thanks! Finally rooted.
User: Notice that if you use quotes in the arguments section (cmd variable), you have to use triple quotes (ProcessStartInfo.Arguments Property (System.Diagnostics) | Microsoft Learn)
Root: Use different enumeration scripts ( I went the U**c service way)