Remote

Hi guys,
I am stuck with the root part.
I am unable to run Ine-AC**S … it's showing me an error…
Can anyone help me out with this?

@panic said:

Hi all,

For the TV exploit, could someone point me to the best way to run a python exploit on a Windows box? What did you do?

Yes, I know there’s metasploit, but who did the exploit without MSF? Any tips would be very appreciated.

Thanks!

This is the problem I’m having. I am confident I am super close to getting root, but these are my dilemmas regarding the two methods that seem to be hinted at in this thread:

  1. TV exploit: the box doesn’t have Py in order to run the exploit. I went as far as dropping a “portable” version of it, but it has to be version 2 which doesn’t appear to have such a version and I can’t seem to get it to install, which I wasn’t expecting to work anyway.

  2. Un****** Se****: I keep getting this message, NoMethodError undefined method `extapi’

Edit: So I figured out a way to run Py “remotely” and I think this is the direction I’m supposed to be going in, but it is telling me the command ran without returning a result. Still chipping away.

@routetehpacket said:

This is the problem I’m having. I am confident I am super close to getting root, but these are my dilemmas regarding the two methods that seem to be hinted at in this thread:

  1. TV exploit: the box doesn’t have Py in order to run the exploit. I went as far as dropping a “portable” version of it, but it has to be version 2 which doesn’t appear to have such a version and I can’t seem to get it to install, which I wasn’t expecting to work anyway.

You are over-complicating things, here. You can grab useful information with built-in Windows tools, and then do the “heavy lifting” on your own machine :wink:
Feel free to PM me, if you have questions.

Rooted. This was trouble for me.

Not familiar with Windows stuff so it was hard for me to see what is vulnerable.

Thanks for the box.

thanks, @HomeSen

I was able to get root the “native” route, but I’d still be interested in figuring out the “hostname” way if it is possible.

finally rooted

Hi, I found one password and the user but I cannot log in. Is the password wrong? I tried both user mails (I have found).

Traceback (most recent call last):
  File “secretnameofthisexploit.py”, line 54, in
    VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’]
TypeError: ‘NoneType’ object is not subscriptable

Hey guys, I have this issue on my Kali. I can use the exploit from my main OS; anyway, I want to fix this issue on Kali.
Is there someone who knows how to fix it? The date seems to be okay.
nudges++

Finally rooted using U****C user was actually way easier for me than root. Learned some for root, definitely a fun box. I think I’ll try through TV now. PM me for nudges.

Finally rooted this box. It took me way longer than it should have because I was being an idiot for the first couple days. I used the TV method. Not entirely sure what the U****C thing I’ve been seeing is, I’ll have to look into that.
Root was much easier than User, it just takes basic enumeration and then knowing what to do with the PW. Thanks for the nice box, @mrb3n.

C:\Windows\system32>hostname && whoami
hostname && whoami
remote
nt authority\system

I learn something from the box.

Hello, I got the creds for login to Umbraco. After that I did searchsploit for Umbraco and got some exploit from Metasploit.

I tried to use Metasploit but it is not working. I don’t know why.

Is there any other way?

Has this box been out and retired once already? I found a total walkthrough for it online…

This machine is still alive and kicking active. Unfortunately, not everyone follows the rule of “no public write-ups before retirement”.

Finally rooted the TV way, also very close the other way but not quite there. Thanks HomeSen for the nudge(s). First HTB…done

@japh42 said:

Has this box been out and retired once already? I found a total walkthrough for it online…

What @HomeSen has said is 100% correct (as usual). If you find a write up for a HTB machine you can, if you want, report it to HTB. You can remind the author of the ToS for HTB or you can ignore it.

I am curious how people find these write-ups without actively searching for the box name and write up.

@TazWake said:

I am curious how people find these write-ups without actively searching for the box name and write up.

Well I can tell you in my case I was getting an error when I was futzing with a certain service on the host, and while Googling for the error I found someone posted a comment, complaining about the same thing, to a web site which had a full walkthrough. I’m reporting it to HTB, but the walkthrough was posted in mid/late May, so it’s been out there a while.

OK, finally got root both ways.

I really liked the initial enumeration over ***. I got sidetracked by two things I found there early on before focusing on the web site software itself and finding the file I needed.

For instance, did anyone else find the WebShell? It’s somewhere in the s***_*****p files, and I spent time on that, thinking “Maybe if it was there in a previous incarnation of this site, it’s still there?” I wasn’t able to find it on the live web site though. PM me and I’ll tell you where to find this file so you can look at it yourself.

Similarly, while recursively grepping through all the files for interesting strings, I found that at “2020-02-20 00:21:36,660” there was a failed login attempt because a user typed their password as their user account name. So naturally, their login failed, but the log file shows " Login attempt failed for username U**************!!". Immediately after this was a successful login for a user, so I figured maybe that was the password for that user? Nope. Another rabbit hole. PM me and I’ll tell you where to find this stuff too.

After spending time on those things, I finally found what I needed to get an initial foothold shell.

Root took me a bit. Like, a few hours. I finally enumerated the right things and saw a way forward, but it took multiple tries to get the needed thing to run my code.

Then I saw on the forums here there was another way to get root. Once I finally found the appropriate software, related to the system’s name, enumeration of the right key information got me a hash. I was unable to crack the hash, but Google pointed me to a solution which did not involve cracking, but did involve cooking things a bit. That got me the credentials I needed to get in.

I liked this system. It made me tear my hair out at some points, but it was a really good learning experience.

@japh42 said:

Well I can tell you in my case I was getting an error when I was futzing with a certain service on the host, and while Googling for the error I found someone posted a comment, complaining about the same thing, to a web site which had a full walkthrough. I’m reporting it to HTB, but the walkthrough was posted in mid/late May, so it’s been out there a while.

Awesome - hopefully HTB will take action about it. This box appears to have a lot of people posting walkthroughs/videos. Possibly because it’s marked “Easy” which means lots of beginners have a go and they may not fully understand the rules of the site.

VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’]
‘NoneType’ object is not subscriptable
I’m getting this error… what can I do?