Rooted with the TV way. I have made many attempts to do it with the U..S.. and always a reverse shell is opened and terminated before even getting a command prompt!!
Can anyone please PM me of how it was done using U..S... I want to know what I did miss to make it work.
Hi. I've managed to c*k one of the credentials in the s file. I am still not able to log in. I am wondering if this account is not supposed to be used. I am not able to crack the other ha**** because they have a different format (I've tried --fo****). Is this the correct way to go with this? I am unsure about the account that I have.
The credential you've cracked is probably the one you need to use (I am guessing here as I don't know which one you've cracked).
It comes with an email address, so you can now use the combination to log into the portal associated with the file you got the password from.
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Yeah, that was correct. I was trying the username. Since there were other accounts, I didn't know if this is a rabbit hole. Usually this account is disabled externally.
Hey guys, I found a user hash, but after searching it says it is not a valid hash. So I'm trying to crack this hash but have no idea how to crack it. I need a little help.
The valid hash is SHA1, and if you found the right file and copy-pasted it correctly, John will crack it.
Thanks man, it works! I was missing a single char, that's why John was not detecting a valid hash.
Hoping someone can point me in the right direction with the reverse shell for user. I actually already have the user flag. I'm logged in, I'm using the better version of the exploit, I'm able to execute single remote commands with it and get the output. I used this to get the user flag. So now I'm trying to get a stable reverse shell. I used a venomous tool to create an executable file. I then managed to upload it to the app and I am actually able to call it at its location on the file system. My problem is this: when I execute it using the POC, it calls my listener back here locally, but only for a couple of seconds, and then dies. Did anyone else experience this? Could anyone point me toward what I should be debugging? I'm wondering if I'm not generating the exact right thing with that venom tool, but it does actually call me back, just not long enough to do anything.
Keep getting this error when trying the py script ~
Traceback (most recent call last):
File "1.py", line 53, in
VIEWSTATE = soup.find(id="VIEWSTATE")['value']
TypeError: 'NoneType' object has no attribute '__getitem'
Anyone? PM
It is a time error, e.g. maybe your location doesn't match your current time. It worked for me after I corrected my time.
Hey Guys. I'm having the hardest time getting a foothold into the box. Going by the comments, i'm on the right track.
1. m*****d the n** she
2. found the s*f file and used my 'Noggin' to find hashed creds.
3. Creds were hashed (s1)
I stripped the line to its bare hash and threw it in J*R. Left it running over night; ran for 9 hours and nothing. Are we supposed to make our own wlst to crack? Or can we use Rock**u...or is the default wlst suffice?
Just to confirm, does your hash begin with a b and end with an a?
That is correct. I took out the extra fluff. Nothing more than the hash string in the text file while JR confirms the hash type as it is declared in the sf file.
As opposed to everybody else here, user was easy but root took me ages, so here's my 2p:
User: Once you find folders, files and goodies, go for the exploit. If you don't understand it or don't know how to use it, there's another one going about in GH that will make your life easier (comparing both will help you understand how the exploit works). You'll have to wander around a bit to get the flag.
Root: Use different enum tools, as they'll give you different useful information. The service way didn't work for me, so I went with the remote way. You'll notice the odd program; Google the vulnerability and find where to look for it. PAY ATTENTION TO YOUR OUTPUT. I literally had the answer right in front of me, but was focusing on something else. Remember that different tools can give you outputs in different formats.
Hope that helps somebody. PM if you're really stuck.
Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!
Comments
I need tips for root pleaseee
User: enum, google, and there is a nicer version of the code on a GitHub page
Root: remote access is beautiful but equally dangerous
PM if you need hints.
Is it possible that someone changed the admin password for the portal? I was connected and now the password doesn't work.
@0xFFensvDfndr said:
It should crack pretty quickly. You may have added superfluous data.
Just to confirm, does your hash begin with a b and end with an a?
Note: https://www.nohello.com/
@shotop I used a known PowerShell reverse shell, no timeout problems at all.
Easy machine. Thanks to @mrb3n for the box.
C:\Users\Administrator\Documents> whoami
remote\administrator
If anyone needs help, feel free to PM me
'These violent delights have violent ends'
Edit: I had everything since the beginning, I just forgot about a simple tool ><. Thx @cY83rR0H1t
Getting "'NoneType' object has no attribute 'getitem'" from the PoC,
can someone help me fix this clock problem? I can't get it to work
Stuck on root, have found the S****c you are meant to abuse, but fails to start every time?
@COVID19 said:
Your name is COVID19
That's funny man
Rooted earlier, fun box, learnt a lot. Thanks.
@COVID19 said:
same... says successful execution.. but no privileged shells
theres no place like 127.0.0.1
@evelbit said:
Maybe they finally fixed the unintended way
GREM | OSCE | GASF | eJPT
Feel free to PM me your questions, but please explain what you tried, so far.
Finally rooted the TV way, a bit obvious what to do with all the payload laying around the actual website. Overall a great box by @mrb3n
Stuck at root, using the TV method. Found the password !******* but am still unable to connect using TV. Feels like I'm missing something. Any nudge is appreciated.
@HomeSen said:
theres no place like 127.0.0.1
Rooted both ways.
US - a certain Windows enum tool shows that you have full permissions to this item. Check the fuzzy priv esc guide on what to do to get the reverse shell. Mine only lasted long enough to copy/paste a command to print the root flag. If you have suggestions on how to stabilize this, I would love to hear them.
TV - EDB exploit doesn't work since the pre-req is not installed on the target. Check a similar framework for tools to help with this. Once you get a pw, try using them on a high port to get admin (have you heard of the evil tool?).
Finally rooted.
Users - find a way to obtain files and read it (don't just look at low ports). If you found an exploit, don't make too many changes - try to understand the poc.
Root - Basic enum (link below), and with the point found, google is your best friend. Don't forget the evil.
I hope I didn't say too much.
link for basic enum: https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Pm-me for the other way to root it. Thx
Having issues cracking the hash from the s*f file. Any hints?
@Sc0rp10n said:
do u mean the first hash or where are u at? google can be your friend
Be happy, always