Remote

Type your comment> @TazWake said:

@JKLOVE said:

how to get root
someone can give me tips?

Exploit something vulnerable that is on the box.

I like your style.

Stuck on root using the U****c method, changed what I need to but not getting any output from it. Anyone who could DM me to check I’m on the right track? Cheers

Hi everyone, I got root with U***c method but i am wondering about TV method. I used some meterpreter functions but i couldn’t success. Could anyone dm me about this method Regards

Hi all, got a bit stuck on the user part… I’ve found a lot of things and now I try to get the POC 46***.*y working. I changed the basic information to the target and I tried to run it.

After running it, I get the next error:

VIEWSTATE = soup.find(id=“_VIEWSTATE”)[‘value’];
TypeError: ‘NoneType’ object is not subscriptable

(and yeah 8 coffie won’t help anymore after working a few hours on this part…)

not sure what the error means if I did not change other parts… Something wrong with the POC?

Finally Did remote with u****c way
want to know about TV way.

ROOT!Although this machine is very simple. I would give it medium because the shell I got is very limit: There is NO error message… I waste so much time on some detail issues :frowning:

rooted

got my way to the root using the U****c method

could anyone pm about the tv method?

Pleaseeeee someone ping me!!! I am stuck with the root, I can not create a new user and I can not execute the reverse shell from powershell!! I already reset the machine couple of times but nothing, it´s incredible… everyone say “it´s working” but is not working for me and we are doing the same command for sure because is not a difficult command, as I said, please send me a message!!

Got user. If you’re struggling with the exploit - it didn’t always work for me. I ran a payload, it worked and literally 3 minutes later it didn’t so don’t give up if it happens to you as well. Also the box hasn’t been too stable recently (on EU1 at least). Some douchebag would change the password every now and then but just reset the box if it happens again.

Guys, I’m not able to get a initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

Type your comment> @X3522A said:

Guys, I’m not able to get a initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

As you already should know, there is no plain text password inside the files, but inside one of the most important files (you can read just partial information from this file) you will find a user followed by the hash.

for getting User, Enumerate well…after that…check the portal…its a product…it can have known flaws
For Root…I see there are two ways to get it…the remote one worked but the other one didn’t worked for me. Overall all a good box…PM me for nudges if you are stuck

Hey guys - literally stuck on root… can someone give me a nudge ?
i have a PS reverse shell, based on MSF with user but all outputs /errors whatever are surpressed in that reverse shell… would be great to have a nudge for root

Amazing machine.

Hints,
User: Follow the leads and google a particular type of file. Don’t overthink it, a single command like strings can help.

Root: Even easier, try many things after the initial foothold holds your hand and tells you where you have to go.


Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:bfff%13

c:\Users\Administrator>whoami
whoami
nt authority\system

I’m running across the VIEWSTATE error with the PoC. I understand that it’s a clock sync issue but I can’t seem to get it resolved as when I try to sync I’m getting

no server suitable for synchronization found

Would anyone be able to lend a hand?

Edit: If you’re having issues with this, make sure with the part you change in the PoC that you are looking at the rest of the exploit and aren’t putting in something that will be added later.

OK, I was able to get root, but only because one of the tips lead me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place. I checked the service path and there is nothing unusual and when I look at the service permissions I don’t understand why the user shell I get is able to modify it. The most inclusive group in the permissions is Authenticated Users…I thought the user associated with the initial shell was excluded form that group. Would someone be willing to PM me with some details ( or a link to an article)

(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)

@CyberG33k said:

OK, I was able to get root, but only because one of the tips lead me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place.

Depends on what you went for to root the box.

If you went for the intended route, this is discoverable through enumeration and should stand out (certainly with experience it will). If you went for a slightly different approach, again, the characteristics of the service are unusual which should draw attention.

guys, im having some problems here, i already know the “U****c” exploit for the root but when i run the ******-abuse and the command, i didn’t get anything, ive been struggling with this for 5 fkn hours. my head spins when i write this now :slight_smile:

any kind of help will be appreciated

I’m really struggeling with opening up a specific file i found on the s***_b******. It keeps giving me errors when I try to opening it locally on my attacker box. Any idea’s how to enumerate it correctly? Or am I going the wrong way?

Type your comment> @bigfatpig said:

guys, im having some problems here, i already know the “U****c” exploit for the root but when i run the ******-abuse and the command, i didn’t get anything, ive been struggling with this for 5 fkn hours. my head spins when i write this now :slight_smile:

any kind of help will be appreciated

I have been stuck at the same point for hours, too. Could you already solve it?