Remote

rooted

got my way to the root using the U****c method

could anyone pm about the tv method?

Pleaseeeee someone ping me!!! I am stuck with the root, I can not create a new user and I can not execute the reverse shell from PowerShell!! I already reset the machine a couple of times but nothing, it’s incredible… everyone says “it’s working” but it is not working for me and we are doing the same command for sure because it is not a difficult command, as I said, please send me a message!!

Got user. If you’re struggling with the exploit - it didn’t always work for me. I ran a payload, it worked and literally 3 minutes later it didn’t so don’t give up if it happens to you as well. Also the box hasn’t been too stable recently (on EU1 at least). Some douchebag would change the password every now and then but just reset the box if it happens again.

Guys, I’m not able to get an initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

@X3522A said:

Guys, I’m not able to get an initial foothold for the user, I went through all the links on the webpage. Not able to get any username or password. Any hints?

As you already should know, there is no plain text password inside the files, but inside one of the most important files (you can read just partial information from this file) you will find a user followed by the hash.

For getting User, enumerate well… after that… check the portal… it’s a product… it can have known flaws.
For Root… I see there are two ways to get it… the remote one worked but the other one didn’t work for me. Overall a good box… PM me for nudges if you are stuck.

Hey guys - literally stuck on root… can someone give me a nudge?
I have a PS reverse shell, based on MSF with user, but all outputs/errors whatever are suppressed in that reverse shell… would be great to have a nudge for root.

Amazing machine.

Hints,
User: Follow the leads and google a particular type of file. Don’t overthink it, a single command like strings can help.

Root: Even easier, try many things after the initial foothold holds your hand and tells you where you have to go.


Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:bfff%13

c:\Users\Administrator>whoami
whoami
nt authority\system

I’m running across the VIEWSTATE error with the PoC. I understand that it’s a clock sync issue but I can’t seem to get it resolved as when I try to sync I’m getting

no server suitable for synchronization found

Would anyone be able to lend a hand?

Edit: If you’re having issues with this, make sure with the part you change in the PoC that you are looking at the rest of the exploit and aren’t putting in something that will be added later.

OK, I was able to get root, but only because one of the tips led me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place? I checked the service path and there is nothing unusual, and when I look at the service permissions I don’t understand why the user shell I get is able to modify it. The most inclusive group in the permissions is Authenticated Users… I thought the user associated with the initial shell was excluded from that group. Would someone be willing to PM me with some details (or a link to an article)?

(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)
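
An added example, not part of any post in this thread: a small Python decoder for a service security descriptor like the one posted above, written as a defender's audit check that lists which non-administrative trustees hold rights allowing the service to be reconfigured. The right-code table is the standard SDDL mapping for service objects; the function names and the choice of `BA` and `SY` as the expected administrative trustees are assumptions of this example.

```python
import re

# Standard SDDL right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# SDDL trustee aliases that appear in the descriptor posted above.
TRUSTEES = {"AU": "Authenticated Users", "BA": "Builtin Administrators",
            "SY": "Local System", "SU": "Service logon user (S-1-5-6)"}
# Rights that let the holder reconfigure the service or rewrite its ACL.
WRITE_RIGHTS = {"DC", "WD", "WO"}

# The descriptor from the post, split only for line length.
POSTED_SDDL = (
    "(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)"
    "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)"
)

def parse_aces(sddl):
    """Return (ace_type, [right codes], trustee) for every ACE in the string."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if len(rights) % 2 or rights.lower().startswith("0x"):
            raise ValueError(f"unsupported rights field: {rights}")
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, codes, trustee))
    return aces

def writable_by_non_admins(sddl, admin_trustees=("BA", "SY")):
    """List allow-ACEs granting write rights to trustees outside admin_trustees."""
    findings = []
    for ace_type, codes, trustee in parse_aces(sddl):
        granted = sorted(WRITE_RIGHTS.intersection(codes))
        if ace_type == "A" and granted and trustee not in admin_trustees:
            findings.append((trustee, granted))
    return findings

if __name__ == "__main__":
    for trustee, granted in writable_by_non_admins(POSTED_SDDL):
        names = ", ".join(SERVICE_RIGHTS[c] for c in granted)
        print(f"{TRUSTEES.get(trustee, trustee)}: {names}")
```

On the posted descriptor this reports only the `SU` entry, which carries the same full-control rights string as `SY`; the `AU` entry is limited to query, start and interrogate rights.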

@CyberG33k said:

OK, I was able to get root, but only because one of the tips led me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place?

Depends on what you went for to root the box.

If you went for the intended route, this is discoverable through enumeration and should stand out (certainly with experience it will). If you went for a slightly different approach, again, the characteristics of the service are unusual which should draw attention.

Guys, I’m having some problems here, I already know the “U****c” exploit for the root but when I run the ******-abuse and the command, I didn’t get anything, I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I’m really struggling with opening up a specific file I found on the s***_b******. It keeps giving me errors when I try to open it locally on my attacker box. Any ideas how to enumerate it correctly? Or am I going the wrong way?

@bigfatpig said:

Guys, I’m having some problems here, I already know the “U****c” exploit for the root but when I run the ******-abuse and the command, I didn’t get anything, I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I have been stuck at the same point for hours, too. Could you already solve it?

@redbird said:

@bigfatpig said:

Guys, I’m having some problems here, I already know the “U****c” exploit for the root but when I run the ******-abuse and the command, I didn’t get anything, I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I have been stuck at the same point for hours, too. Could you already solve it?

Got stuck there for a while too, I think that route has been patched. Had to do it the other way.

After a nudge please. Managed to get final password via the T******** service. Can’t seem to login anywhere, even at that high port. Evil tool doesn’t work either.
Thanks!

EDIT: Argh, user error on my part. Got root.

Hi everybody! I’m stuck on privesc from the last week. PowerShell works 1 time outta 10 and the VM keeps resetting. I’ve tried abusing U****c but it’s now working, at least I don’t get the reverse shell execution… So I tried also with Tr-Se. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can’t see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T*****r 7 password and someone has been able to do it… can someone please point me in the right direction???

@waldemaro said:

Hi everybody! I’m stuck on privesc from the last week. PowerShell works 1 time outta 10 and the VM keeps resetting. I’ve tried abusing U****c but it’s now working, at least I don’t get the reverse shell execution… So I tried also with Tr-Se. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can’t see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T*****r 7 password and someone has been able to do it… can someone please point me in the right direction???

A Google search for that exact thing you are trying to extract, should give you all you need :wink:

@HomeSen said:

@waldemaro said:

A Google search for that exact thing you are trying to extract, should give you all you need :wink:

waldemaro is spot on, have just completed the same google search and then escalation from there in the last hour. It’s specific to T********r 7.

Yes, maybe I’m not able to search things on Google… Before asking, I found a C++ or Python script (no Python installed on remote), an MSF module that is not working, without mentioning that all the PoC videos that I’ve found are for version 13 and 14… the only CVE I’ve found is dated 2019…