Remote

@itsPhoenix said:

@TazWake no it was for use on the U*****o forms but doesnt matter now as i have owned the system.

Nice work.

Rooted using TV and U****C method without msf. Quite an interesting box. Thanks to @TazWake and @japh42 for the nudges.

If anyone want any nudges, feel free to DM

i have this error when i execute exploit VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’];

I enjoyed this box because I learnt about a new type of d******e.

User: do your enumeration, think about where this kind of application stores its data. Once authenticated, Google and find what you need.
Root: very straight forward, enumerate and the right tool will show you the weakness very clearly.

Feel free to DM for more specific hints.

Awesome box. Thanks @mrb3n . I really enjoyed it even it was my first Windows box ever.
I knew nearly nothing about windows exploitation but this machine was a good start.
Initially I had really hard times trying to get along with exploit. I was able only to issue simple commands and had no idea how to spawn a shell with this. Thankfully, @y4th0ts came with help. Kudos!
The “remote” way for root was pretty obvious if anyone tried to get the id remotely ever before :wink: I wasn’t aware of the second path but saw people write about it in this thread so I googled a bit but had no luck with exploit at first. Finally, thanks to @joenibe I got root with the second approach.

Just got user, couldn’t get one exploit to work but managed to find a different version of it that did work for me.

Now struggling to get any enum files passed to the box but pushing on!

Edit: Rooted!

Why Does the User Flag say it’s incorrect? -_-
PS: I got the reverse shell using the Netcat way(Uploading nc.exe)

@KrishSai1999 said:

Why Does the User Flag say it’s incorrect? -_-

Assuming you’ve got the correct user flag and rated the box as well as trying to submit the hash, then chances are the dynamic hash hasn’t worked.

Remember its a different hash each time the box is rebooted and on different VPNs.

If it isn’t working, the best suggestion is to raise a JIRA ticket and get HTB to help fix it.

trying to root using U…C but I do not get a shell back. Uploaded the correct n…c version and using automated script to abuse u…c. Any one can help?

Rooted. Much more easier than I expected. But I didn’t get why evil-winrm locked me out when I tried to login with credentials of new user that I created.

Finally made it to Root, Thanks to @joenibe for pointing me on the right track.

I can’t elevate my privs on this machine with U*O method. Could someone DM me pls?

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

@cmoon said:

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

AFAIK, you took the intended route.

Rooted. Getting user took longer than I expected, but that was because I went down a rabbit hole. Getting root was fun, I learned a new technique that I didn’t use before.
User: Do your usual enumeration, but make sure to check for versions on application, there might be vulns :wink: . Google and find what you need.
Root: Throw a enum script at it and carefully check the vulnerabilities.

Thank you for machine @mrb3n .

The TV route didn’t work for me so I went the “unintended” route and got root. For those struggling to get shell the script works just fine just check nishang’s PowerShellTCP.ps1. It work for me no editing needed to be done on the script.

After a long weekend bashing away at this… I finally have root, using the unintended method. Managed to find a password for the intended route but wasn’t sure what to do next. Would appreciate any tips on solving the intended route.

Thanks to all for the comments in the forum - kept me sane when I thought I was losing it.

Yay! Got root! Huge thank you to everyone for hints here and there! Got there using the “unintended” path of U****c.

As for the TV path, I found the hash, cracked the hash and discovered the interesting thing listening, but the above path was what I resorted to in the end. Anyone care to share more details about the TV path so that I can learn a little bit more? I’d be happy to share in DMs more details to prove that I really did get the above information I’m claiming.

Thank you for the machine @mrb3n !

I have a problem with running the exploit.py, I’ve modified the script and installed all modules and I get this output:
Start

Traceback (most recent call last):
File “*****.py”, line 56, in
VIEWSTATE = soup.find(id=“__VIEWSTATE”)[‘value’];
TypeError: ‘NoneType’ object has no attribute ‘getitem

I see people with the same problem and something about clock issues, but idk what to do.

Pls DM me if you can help me.
thx

Noob needing some help. I was able to get user but am having trouble with root. I dont want to post any specifics here. is anyone willing to hear what i have done and maybe give some guidance. THanks much! Plz DM me!

-p4nt4n30