Remote

Rooted. Thanks to HomeSen for confirming I was on the right lines. Second box after ServMon. Learnt a lot and enjoyed this box. Used TV to get Admin. Happy to provide pointers via PM.

Is there something wrong with the box? Unable to issue commands as I was doing last night.

Okay rooted, finally. Thank you everyone, because I’ve been scanning this forum for pointers. Got just enough help without getting spoiled.

User: Look up PoCs, pay attention to ports.
Root: Use that famous tool we all use, but afterwards if you are lost go look up similar boxes in the past and pay very close attention to the scripts they run. Also stay away from the Mario brothers approach, because I think that the exploit it leads to got patched so it doesn’t help as much anymore (either that or I’m incompetent)

Hopefully I didn’t give away too much or give any bad info, but I’m tired and need to sleep for like a day. (Internally I am screaming in anger for how long it took me to solve this box just to find out I was an inch away and just had to do better research)

Edit: I fixed the user hint.

Type your comment> @dojoku said:

Type your comment> @gsxrjason said:

Type your comment> @dyl88 said:

Type your comment> @Meatex said:

I am in the same boat as xboxfreak54
Confirmed RCE with ping and got it do web requests and download files but any more complicated scripts are no go. Not sure where its storing downloaded files and tried downloading and then executing by running exploit with command to just run but no joy yet.

Im in the same boat as you, it downloaded a file… but god knows where it went… cant seem to get it to run

I am also at this stage.
Any attempt to add a path to the output location, download never starts.
Attempts to execute my file with out, hasn’t made it back to to my meter.

try to execute in memory when you can download file in server. so you don’t need to know where the file is placed. one terminal to received reverse connection another terminal to serving a file to be downloaded.

Trying using P******l and IX but i’m having trouble inserting it into the POC paylaod. I think if i use ’ python throws an error, if i use " it doesn’t seem to work. Any pointers?

:smiley: I take the root flag before the user one :smiley: :smiley: because didn’t see
Nice machine, I was blocked before notice that I had the password on my hand

user owned i also have credentials for admin from TV, but don’t know what now
I can’t switch user to admin beacuse shell is limited.
I also find WRM service but it also doesn’t work
can someone give a hint or dm

I rooted the box with service method can someone please DM me the TV method

Type your comment> @s1lv3rst4r said:

I rooted the box with service method can someone please DM me the TV method

I didn’t think that method was still possible, I tried it but could never get anything out of it.

Edit: If anyone can show me how they did it that way DM me, I want to revisit the box and do it that way. I solved it the other way.

Hi guys,

spoiler removed

however I’m getting 400 response when trying to log in into web administration. Is it expected?

@Anonymous1 said:

Hi guys,
however I’m getting 400 response when trying to log in into web administration. Is it expected?

If you have the right user name and password, you should be able to log in.

If you are getting an HTTP400 request it means the server thinks you are making a bad request. If you are using something other than a web browser, you may be sending a malformed request.

Whoa! Now it works. With the same request (literally the same, as I used the curl command from the zsh history).

Seems like sometimes things can be broken (strangely even after the machine reset).

@Anonymous1 said:

Whoa! Now it works. With the same request (literally the same, as I used the curl command from the zsh history).

Seems like sometimes things can be broken (strangely even after the machine reset).

If you have creds, it is probably easier to use a browser to access this page.

User - there’s two versions of essentially the same PoC script. Took me waaaaaaaaaay too long to understand the payload in the first script so i used the second script as a reference. Second script is more friendly to testing commands / outputs / error messages

Spoiler Removed

@Anonymous1 said:

@TazWake I’m using curl just to be sure it’s not some browser-related issue.

Might be best to drop me a pm.

@10768390 said:
user owned i also have credentials for admin from TV, but don’t know what now
I can’t switch user to admin beacuse shell is limited.
I also find WRM service but it also doesn’t work
can someone give a hint or dm

Same here.
Can somebody give me a nudge on how/where to use the password acquired from TV to get root?

edit: got it, am idiot

I need a hint to get the user.
I’ve spent two nights looking for that goddam password in the files one is able to mo-- “retrieve”. I’ve found a username in a l*g, but no password. Anywhere.
Since this is an easy machine, it seems I’m missing something basic… Any clue? Don’t tell me the answer, only clues for me to know where to look for.

Some observations:

F** logged as f*p seems to be empty (I hope this is normal).
I was able to find a shell with a suspicious body name among the files. It’s an uploaded file in a temporal dimension. I wonder if this is intended or just something that someone dropped there lol.

Root : For those who are wondering if the U****c way is patched, it is not, Good luck !
Just don’t rely too much on tools, you can do it by yourself pretty easily, some research about that will help you

@RangerRocket said:

Any clue? Don’t tell me the answer, only clues for me to know where to look for.

Clues are hard because what makes sense to me, might not make sense to you.

However look for a file where the name relates to a thing you might have found in your enumeration and the extension is very rarely seen in a windows environment. The carve through the file using whatever tool appeals you. You should find something interesting along with a signpost as to how you can turn it into something useful.

Hi all,

Can someone tell me on how to root using TV method. I have rooted using the u****c method but unable to figure out how to do so using TV . Is it possible to do so without using metasploit at all ?

Please help ? :smile: