Remote

OK I am lost here. I am trying to root with the TV. Got some Creds.
Is the Password r*****_****n correct?
Can't log in with it. I feel really dumb right now, 'cause I can't figure out what I am missing.

Finally rooted. I went straight into the rabbit hole…
Learned a lot.

Anyone having trouble with using the Creds gained from the file in A_***? Trying to use them to log in but the session keeps timing out. Anyone got a suggestion on how to fix this?

@itsPhoenix said:

Anyone having trouble with using the Creds gained from the file in A_***? Trying to use them to log in but the session keeps timing out. Anyone got a suggestion on how to fix this?

Is this for privilege escalation?

@TazWake no, it was for use on the U*****o forms but doesn't matter now as I have owned the system.

@itsPhoenix said:

@TazWake no, it was for use on the U*****o forms but doesn't matter now as I have owned the system.

Nice work.

Rooted using TV and U****C method without msf. Quite an interesting box. Thanks to @TazWake and @japh42 for the nudges.

If anyone wants any nudges, feel free to DM.

I have this error when I execute the exploit: VIEWSTATE = soup.find(id="__VIEWSTATE")['value'];

I enjoyed this box because I learnt about a new type of d******e.

User: do your enumeration, think about where this kind of application stores its data. Once authenticated, Google and find what you need.
Root: very straightforward, enumerate and the right tool will show you the weakness very clearly.

Feel free to DM for more specific hints.

Awesome box. Thanks @mrb3n. I really enjoyed it even though it was my first Windows box ever.
I knew nearly nothing about Windows exploitation but this machine was a good start.
Initially I had a really hard time trying to get along with the exploit. I was only able to issue simple commands and had no idea how to spawn a shell with this. Thankfully, @y4th0ts came with help. Kudos!
The “remote” way for root was pretty obvious if anyone tried to get the id remotely ever before :wink: I wasn’t aware of the second path but saw people write about it in this thread so I googled a bit but had no luck with the exploit at first. Finally, thanks to @joenibe I got root with the second approach.

Just got user, couldn’t get one exploit to work but managed to find a different version of it that did work for me.

Now struggling to get any enum files passed to the box but pushing on!

Edit: Rooted!

Why Does the User Flag say it’s incorrect? -_-
PS: I got the reverse shell using the Netcat way (uploading nc.exe)

@KrishSai1999 said:

Why Does the User Flag say it’s incorrect? -_-

Assuming you’ve got the correct user flag and rated the box as well as trying to submit the hash, then chances are the dynamic hash hasn’t worked.

Remember it’s a different hash each time the box is rebooted and on different VPNs.

If it isn’t working, the best suggestion is to raise a JIRA ticket and get HTB to help fix it.

Trying to root using U…C but I do not get a shell back. Uploaded the correct n…c version and using automated script to abuse u…c. Can anyone help?

Rooted. Much easier than I expected. But I didn’t get why evil-winrm locked me out when I tried to log in with the credentials of the new user that I created.

Finally made it to root, thanks to @joenibe for pointing me on the right track.

I can’t elevate my privs on this machine with U*O method. Could someone DM me pls?

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

@cmoon said:

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

AFAIK, you took the intended route.

Rooted. Getting user took longer than I expected, but that was because I went down a rabbit hole. Getting root was fun, I learned a new technique that I didn’t use before.
User: Do your usual enumeration, but make sure to check for versions of the application, there might be vulns :wink:. Google and find what you need.
Root: Throw an enum script at it and carefully check the vulnerabilities.

Thank you for the machine, @mrb3n.