Remote

Hi,

I was able to get two user with passwords. i can login to the site and i see people trying to upload files like WinP***, i saw a vulnerability, used a python script that i find on the web, but i only was capable to send simple commands.

Ok, for all those who have the problem with running exploit: think about -e option for PS.

I got the user.txt hash, i suspect it is the administrator password.
Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

@GokuBlackSSR said:

I got the user.txt hash, i suspect it is the administrator password.

Erm, I might have misread but the hash in user.txt is a flag, not a password.

Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

This seems fun.

Ok, so I’m stuck at getting shell on the machine… I tried to download a file crafted with msfvenom on the machine, but seems like exploit doesn’t like several characters (like 0x00). I’d appreciate if someone could DM me.

Type your comment> @TazWake said:

@GokuBlackSSR said:

I got the user.txt hash, i suspect it is the administrator password.

Erm, I might have misread but the hash in user.txt is a flag, not a password.

Hashcat not working, i know its a md5 password any tip?

the candidates from hash cat is something like this: $HEX[206b7

This seems fun.

Sorry i’m new to HTB, i was too focused on the root.txt that i forgot what user.txt it all about.

Rooted!!

OK I am lost here. I am trying to root with teh TV. Got some Creds.
Is the Password r*****_****n correct?
Cant log in with it. I feel really dump right now, cause i cant figure out what i am missing.

Finally rooted. I went straigth into the rabbit whole…
Learned a lot.

anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

@itsPhoenix said:

anyone having trouble with using the Creds gained from the file in A_***? trying to use them to login but the session keeps timing out. Anyone got a suggestion on how to fix this?

Is this for privilege escalation?

@TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

@itsPhoenix said:

@TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

Nice work.

Rooted using TV and U****C method without msf. Quite an interesting box. Thanks to @TazWake and @japh42 for the nudges.

If anyone want any nudges, feel free to DM

i have this error when i execute exploit VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’];

I enjoyed this box because I learnt about a new type of d******e.

User: do your enumeration, think about where this kind of application stores its data. Once authenticated, Google and find what you need.
Root: very straight forward, enumerate and the right tool will show you the weakness very clearly.

Feel free to DM for more specific hints.

Awesome box. Thanks @mrb3n . I really enjoyed it even it was my first Windows box ever.
I knew nearly nothing about windows exploitation but this machine was a good start.
Initially I had really hard times trying to get along with exploit. I was able only to issue simple commands and had no idea how to spawn a shell with this. Thankfully, @y4th0ts came with help. Kudos!
The “remote” way for root was pretty obvious if anyone tried to get the id remotely ever before :wink: I wasn’t aware of the second path but saw people write about it in this thread so I googled a bit but had no luck with exploit at first. Finally, thanks to @joenibe I got root with the second approach.

Just got user, couldn’t get one exploit to work but managed to find a different version of it that did work for me.

Now struggling to get any enum files passed to the box but pushing on!

Edit: Rooted!

Why Does the User Flag say it’s incorrect? -_-
PS: I got the reverse shell using the Netcat way(Uploading nc.exe)

@KrishSai1999 said:

Why Does the User Flag say it’s incorrect? -_-

Assuming you’ve got the correct user flag and rated the box as well as trying to submit the hash, then chances are the dynamic hash hasn’t worked.

Remember its a different hash each time the box is rebooted and on different VPNs.

If it isn’t working, the best suggestion is to raise a JIRA ticket and get HTB to help fix it.

trying to root using U…C but I do not get a shell back. Uploaded the correct n…c version and using automated script to abuse u…c. Any one can help?