Remote

FINALLY popped root with the help of a nudge from @cY83rR0H1t

Start

Enumerate at first. Dig through each and every thing you find. Youā€™ll eventually come across a lot of files. It may be easier to work with them locallyā€¦ If you find any interesting files, instead of looking for software to open/analyze them, look into utilities already available in your terminal. There are a lot of basic Linux binary utilities that can help you here. I actually sat here for a while and refined my skills with a variety of the tools available in almost every linux system, and ended up finding additional information that would help with lateral movement should this be a production system. Really learn the tools available to you. Platforms such as PentesterLab and OverTheWire would definitely help you learn about them.

User

Make sure the exploits you find are for the version of the service youā€™re likely trying to attack. My (and likely your) tool of choice didnā€™t have the exploit I ended up using. I highly advise avoiding bundled exploits and those that come up from searching Kaliā€™s filesystem (although you may have more luck with these than I did). I found my exploit online, and not in an exploit database.

Youā€™re going to have to learn and read a LOT about Windows enumeration and privilege escalation procedures if you arenā€™t familiar with Windows boxes. There are windows versions of popular linux enumeration tools. Because thereā€™s a web server, consider trying to find any services that you might be able to exploit. Also consider using your exploit of choice to help other tools available on Kali to pop a shell.

Root

There are windows versions of popular linux enumeration tools. Once youā€™ve owned user and enumerated the system, youā€™ll know what people are talking about when it comes to TV. Enumerate it well. You may find an exploit or tool to help you if you search in the right places.


If any of this was too revealing, please let me know and Iā€™ll edit it. Tried to be as obscure as possible while also providing subtle nudges without explicitly naming anything specific to this box.

Feel free to reach out to me for nudges!

Nice machine :mrgreen:

Rooted without tv, will go back and give that a go now.

thanks @mrb3n

pm for a hint if youā€™re really stuck.

Hi. I am stuck on my way to user. I have found the s** file but cannot crack anything inside, either itā€™s not recognized as a hh or doesnā€™t find any matching pw***. Any nudges?

@dany10101 said:

Hi. I am stuck on my way to user. I have found the s** file but cannot crack anything inside, either itā€™s not recognized as a hh or doesnā€™t find any matching pw***. Any nudges?

You know you have the right string if it tells you the algorithm it used.

In turn that tells you how many characters the hash should be and if you use a tool (hashid, cyberchef, whatever) to analyse the hash it should match.

Then, when you know you have copied out the correct characters, you can use the --format= option to specify how you want it cracked.

Then it should crack pretty quickly.

Rooted !
DM if you stuck

Great machine finally rooted! Was unable to do it with the TV so I did it with the Power and google! :wink:

DM if you need help!

Spoiler Removed

rooted!! This was an interesting one to say the least!!

Been trying to root this for a day now. For the past hour I canā€™t get my reverse shell to even download nc anymore InvalidOperation (System.Net.HttpWebRequest:HttpWebRequestā€¦ wtf Iā€™ve been downloading things through the reverse shell with this same method multiple times for the past couple days. Now its jacked even through resetting the box.

Really nice box!
Feel free to PM me if you need help.

Rooted the U***** way. Many thanks to @h0plite for the help. PM for nudges.
Did someone get root the TV way and can help me with that? Still stuck there.

Machine owned! Really interesting.

Feel free to contact me if you need an hint

Spoiler Removed

Hey guys, I found a user hash but after searching it says not a valid hash. So, Iā€™m trying to crack this hash but not getting any idea how to crack it ??. So, need a little help ?

Type your comment> @Anand007 said:

Hey guys, I found a user hash but after searching it says not a valid hash. So, Iā€™m trying to crack this hash but not getting any idea how to crack it ??. So, need a little help ?

Valid hash is SHA1 and if you found right file and correct copypasted that john will cracks it

Iā€™ve done it :slight_smile:

I have been stuck for hours with ROOT. I have done everything I know/found related to US but I canā€™t receive a shell. Would anyone please PM me and give me a little push forward?

rooted what a pain everyone is doing the same which is causing your session to die

I hope people were more subtle and gentle with the machines. Resets all the time, change of credentials, shutdown of important services etc. Iā€™ve been banging my head all day with the people that are trying to get inside the machine.

EDIT: There is someone out there (he knows who he is) that keeps resetting the machine every 2 minutes and it really frustrated me. Iā€™ve been trying to complete the machine for 1 hour now and I keep redoing steps again and again just to ā– ā– ā– ā–  him/her off.

Root achieved. Went the U*****C way. Worked pretty well with an extra runas tool (not the native one).

I gave this machine 12 hours now of my time, and it almost looks like there are people fixing the vulnerabilities on this machine. Services are disappearing, vulnerabilities are vaporized and this seems a pretty safe machine to me lol.

Session dies every 10-15 minutes.

I will try the 2nd approach tomorrow, getting fed up and I am out of icecream :blush: