Remote

One problem down and another arises.

I don’t want to give much away in here, but is there anyone who could reach out and help me with the exploit? It is erroring out on me and I can’t figure out how to resolve it

I can and will provide details in PM. I don’t want to put specifics in here and give spoilers :slight_smile:

Cheers

Rooted !!! I found two priv esc’s, but could only get one to work (TV … way). Anyone get the “musical” one to work?

Rooted!

Thanks for the suggestions here. I’m mainly a noob and just learning, so for those like me. Don’t forget during user enum how to read into all files.

For root I got it to the point of having a password from TV but was lost as to what to do with it, then I looked at the musical way and found a good reference to help me via enough google fu. It was in fact super easy to do.

I’m enjoying hack the box a lot!

Finally rooted!

USER: a bit of enumeration showed me the right vulnerability to use, then it was not immediate for beginners like me to understand what that opened port did, but after finding the s** file it was not so difficult to use the information there to obtain a shell and get user flag.

ROOT: spent a lot of time trying to figure out how to do a privilege escalation. Thanks @RangerRocket for the hint. After realizing what I was missing, I obtained a root shell.

Hope this is not too much of a spoiler. PM me if you need some help!

Need advice on getting a better shell

a. I’ve already gotten user, found what’s attached, enumerated, used what I found to do the authN RCE on the web service
b. stuck in a basic non-interactive non ps reverse shell as the app***** user

So basically, I don’t like this non-interactive shell, looking for suggestions to get me an interactive shell so I can do enumeration of priv esc more easily

I’ve tried MSV -f psh payloads but can’t get it to fire in the remote RCE
I’ve looked around Github for interactive ps1 examples but they embed the lhost and lport into them … also tried the cert*** method but I have permission issues even in temp …

seems dumb but I really don’t want to use this shell, feel like it’s holding me back cuz I can’t see errors

Hi all,

I have already rooted the box using the U****C way but I am stuck with the TV way. I have got the TV Creds but don’t know what to do next with those. I am new and this is the 2nd Windows box for me. Please PM me with a nudge

cheers :smiley:

So we found the a**** and s***** creds in the N** folder. I’m using Burp to bruteforce one login while my friend tries the F** directory, but so far no luck. We also found the A**** webshell but can’t figure out how to access it. Can anyone DM me with a hint? Thank you!

Finally rooted. My first machine owned on HTB. Learned a lot. :wink:

I’m pretty new to this, working on Remote. So far, I’ve gotten the user flag.

As of now, I think I’ve managed to pull TV credentials, but can’t figure out how to use the ■■■■■■ things.

I feel like I’m pretty close on this. I can’t figure out how to escalate from this point with the credentials I’ve got (or think I’ve got). If someone’s done this with the TV method and wouldn’t mind shooting me a DM with a nudge in the right direction, or so that I can provide slightly more specific information for a nudge to get this sucker.

@Jatius said:

I’m pretty new to this, working on Remote. So far, I’ve gotten the user flag.

As of now, I think I’ve managed to pull TV credentials, but can’t figure out how to use the ■■■■■■ things.

I feel like I’m pretty close on this. I can’t figure out how to escalate from this point with the credentials I’ve got (or think I’ve got). If someone’s done this with the TV method and wouldn’t mind shooting me a DM with a nudge in the right direction, or so that I can provide slightly more specific information for a nudge to get this sucker.

Same here…

Got user, upgraded my shell so I could invoke some better PS for enumerations
Found the TV, read the article which led me to the exploit, found the thing they left unattended

At the moment, trying to replay the creds using a common powershell command but my reverse gets terminated every time… maybe AV? tried using a PS reverse shell to avoid AV but that doesn’t fire off for some reason …

Got root with the musical number after deciding to throw in the towel with the remote. However, I’d like to know how to do the remote way, if anyone who’s done that wants to DM me with nudge/hint/whatever from where I am, I’d appreciate it.

Spoiler Removed

Hey got root on the box. Can someone tell me what is the other way?
Thanks in advance

Hello, I have a shell as user and currently I see something that I can “abuse” to do PrivEscalation by I*****-S**********e, but nothing I’m trying works. Tried different listening ports, versions, etc. Anyone that can help me out please? Thanks.

I got user, but my reverse shell doesn’t allow me to execute P****U**.ps1… can anyone help me to get root?

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>systeminfo
systeminfo

Host Name: REMOTE

Finally.

Got root, but it looks like through the unintended way. I found credentials for the intended way and am working on applying them. DM for nudges.

Can someone help on this box. Nudge pls.

I got root. Someone else have a problem with the shells down all the f***n’ time?

Can someone please message me to help me with root, I know the permissions that I need to exploit but I need help.

Update

I was able to figure it out, basic enum will give you two directions to go into. I am more of a team player tho :slight_smile: