Remote

User:
Always scan all ports, the more information the better.

Root:
I did the T******** exploit I found to get creds, but I wasn’t able to find where I could use that. Instead used a standard Windows priv. esc. tool. After that ran into the shell issue people talk about throughout there, my workaround for this required a bit of waiting to get what I wanted.

This box was a lot of fun. Thank you to the creator, excellent work.

Somebody’s got this problem with u***********.*y ?

Traceback (most recent call last):
  File "u***********.*y ", line 53, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
TypeError: 'NoneType' object is not subscriptable

@X013 said:

Somebody’s got this problem with u***********.*y ?

Traceback (most recent call last):
  File "u***********.*y ", line 53, in
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
TypeError: 'NoneType' object is not subscriptable

It massively depends what is in u***********.*y but it looks like the script is missing something or has been misconfigured.

The best option is to read through the code, try to work out what is happening & where it happens, then you might be able to work out a solution.

Hello All.
So I’m having a bit of a weird issue: I’m able to run the script (starts with U) for the user and get to user.txt, but after exploiting the US and getting a shell I’m not able to run more than 1 command. Is anyone else having the same issue or am I just the lucky one?
Any help is greatly appreciated.

I’m trying TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

What am I missing? Is this in the right direction?

@matheusbrat said:

I’m trying TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

What am I missing? Is this in the right direction?

Just log in with those credentials :wink:

Can somebody help me, please?
I’m stuck with the u*******.** script.

I still have this answer:

    VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
TypeError: 'NoneType' object is not subscriptable

Thank you in advance

@X013 said:

Can somebody help me, please?
I’m stuck with the u*******.** script.

I still have this answer:

    VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];
TypeError: 'NoneType' object is not subscriptable

Thank you in advance

It’s mentioned a lot in this thread - the search tool helps:

@waldemaro said:
rooted!
https://media.tenor.co/videos/6ed80590a4d0b91b0198e112cf3afd94/mp4

Thanks to @HomeSen for pointing me in the right direction

I’m at the same point where you were earlier, can you help me?

@HomeSen said:

@matheusbrat said:

I’m trying TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

What am I missing? Is this in the right direction?

Just log in with those credentials :wink:

Probably I’m overthinking this, but I have tried regular f** client, s** client, nf*, win** with a python script, which gives me (the specified credentials were rejected by the server).

I thought of using TV client and connecting to the information I got on r*****. But that doesn’t seem to work either.

Can someone jump into DM so I can explain what I have been doing? Thanks in advance.

@HomeSen said:

@matheusbrat said:

I’m trying TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

What am I missing? Is this in the right direction?

Just log in with those credentials :wink:

@HomeSen Thanks for pointing out that I was using the wrong encoded value!

ROOT Hint: There is more than one value encrypted, so pay attention to which one to use

Got the remote key, have to connect it seems, and thank you @waldemaro for guiding me

Rooted!

root hint: Think like an evil

Could anyone help me with the TV process?
I rooted already using the US method.

The TV process is annoying af, definitely drinking a bottle after that one lol PM me if you need a nudge

I cannot for the life of me figure out how to run the enumeration script! Can someone give me a hint?

Hi there, can someone help with the TV approach? Found pwd, but don’t know where to use it. And about the enumeration method, ps says it did use the “service” ps1 command thing, but it does nothing. Strange, cuz a lot of people have been able to elevate via the enum method.

UPD: Rooted using TV method. Really interested in how to root it the other way.
PM for nudge. But really have no idea why US method doesn’t work. It doesn’t add user nor run a cmd via abuse, weird

EDIT: found the creds!

Neglected to add notes previously -
I’ve re-rooted box using the TV way (after first time going via service).
The second way is also nice :slight_smile:
Thanks again…

Root hint for u****c way:
Don’t forget to stop “the thing” before trying anything on it, and also forget the “PS thing” if you’re using it to exploit the vuln. The manual way works better.
Also this page may help you: Windows elevation of privileges

Rooted. First tried the u****c way, but I couldn’t get it working. Was it patched or something, as user creation did not work? Then tried the TV way, rather straightforward. Very nice box overall.