Remote

I got the user, any tip for the password? i got some files with hashes, can i use hashcat or you guys suggest other tool?

Stop resetting this box, y’all are kicking me out

Hi,

Could someone please point the right syntax for passing comman arguments for the exploit? I’m working on user and I’m able to execute simple commands using the exploit but I cannot spawn a shell. I tried numerous ways but none has worked. This is my first Widnows box and honestly I don’t feel comfortable with Windows syntax or escaping.

Hi,

I was able to get two user with passwords. i can login to the site and i see people trying to upload files like WinP***, i saw a vulnerability, used a python script that i find on the web, but i only was capable to send simple commands.

Ok, for all those who have the problem with running exploit: think about -e option for PS.

I got the user.txt hash, i suspect it is the administrator password.
Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

@GokuBlackSSR said:

I got the user.txt hash, i suspect it is the administrator password.

Erm, I might have misread but the hash in user.txt is a flag, not a password.

Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

This seems fun.

Ok, so I’m stuck at getting shell on the machine… I tried to download a file crafted with msfvenom on the machine, but seems like exploit doesn’t like several characters (like 0x00). I’d appreciate if someone could DM me.

Type your comment> @TazWake said:

@GokuBlackSSR said:

I got the user.txt hash, i suspect it is the administrator password.

Erm, I might have misread but the hash in user.txt is a flag, not a password.

Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

This seems fun.

Sorry i’m new to HTB, i was too focused on the root.txt that i forgot what user.txt it all about.

Rooted!!

OK I am lost here. I am trying to root with teh TV. Got some Creds.
Is the Password r*****_****n correct?
Cant log in with it. I feel really dump right now, cause i cant figure out what i am missing.

Finally rooted. I went straigth into the rabbit whole…
Learned a lot.

anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

@itsPhoenix said:

anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

Is this for privilege escalation?

@TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

@itsPhoenix said:

@TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

Nice work.

Rooted using TV and U****C method without msf. Quite an interesting box. Thanks to @TazWake and @japh42 for the nudges.

If anyone want any nudges, feel free to DM

i have this error when i execute exploit VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’];

I enjoyed this box because I learnt about a new type of d******e.

User: do your enumeration, think about where this kind of application stores its data. Once authenticated, Google and find what you need.
Root: very straight forward, enumerate and the right tool will show you the weakness very clearly.

Feel free to DM for more specific hints.

Awesome box. Thanks @mrb3n . I really enjoyed it even it was my first Windows box ever.
I knew nearly nothing about windows exploitation but this machine was a good start.
Initially I had really hard times trying to get along with exploit. I was able only to issue simple commands and had no idea how to spawn a shell with this. Thankfully, @y4th0ts came with help. Kudos!
The “remote” way for root was pretty obvious if anyone tried to get the id remotely ever before :wink: I wasn’t aware of the second path but saw people write about it in this thread so I googled a bit but had no luck with exploit at first. Finally, thanks to @joenibe I got root with the second approach.

Just got user, couldn’t get one exploit to work but managed to find a different version of it that did work for me.

Now struggling to get any enum files passed to the box but pushing on!

Edit: Rooted!