Can someone help, I have the creds however having issues with the exploit.
I keep getting this error when trying to run:
Traceback (most recent call last):
File= “FILENAME” , line 54, in <module>
VIEWSTATE = soup.find(id=“__VIEWSTATE”) [‘value’];
TypeError: ‘NoneType’ object is not subsriptable.
Is this a clock issue or something else, I have edited the parts of the script I need to.
I have a remote shell on the box. Got user, trying for root.
Trying to connect via TV using creds found after enum and crack/decode.
Can’t seem to connect via TV, and don’t see other service u***…(?) that people are talking about.
Any help via either route would be appreciated!
Just managed to get the root on this one by the U*****C route, which seems fairly unstable, major thanks for the nudges to @sh4d0wless.
Type your comment> @bashsquid said:
Can someone help, I have the creds however having issues with the exploit.
I keep getting this error when trying to run:
Traceback (most recent call last):
File= “FILENAME” , line 54, in <module>
VIEWSTATE = soup.find(id=“__VIEWSTATE”) [‘value’];
TypeError: ‘NoneType’ object is not subsriptable.Is this a clock issue or something else, I have edited the parts of the script I need to.
resets the box solves this problem
@Cactus said:
Type your comment> @bashsquid said:
Can someone help, I have the creds however having issues with the exploit.
I keep getting this error when trying to run:
Traceback (most recent call last):
File= “FILENAME” , line 54, in <module>
VIEWSTATE = soup.find(id=“__VIEWSTATE”) [‘value’];
TypeError: ‘NoneType’ object is not subsriptable.Is this a clock issue or something else, I have edited the parts of the script I need to.
resets the box solves this problem
No, it doesn’t. You have to maintain the session in-between requests.
Finally got root after being stuck in user for a while. Looked at the TV method and found a password but ended up going in through the U****C method. I was not able to use the obvious syntax as it resulted in an immediate stop. Ended up encoding another payload to get a shell long enough to pull the flag. Took several attempts as the session would only last < 1min.
Type your comment> @hervai said:
Type your comment> @LegendarySpork said:
I can’t get past the
VIEWSTATE ... TypeError: 'NoneType' object has no attribute '__getitem__'error when running any version of the poc 46***.y . I’m using python3 . logging in with a***@.l and password b*****e .
You have a clock problem on your computer, resolve it and it will be good.
Yes, you are correct, a clock issue is what it was. Sigh I should have learned by now… every 3d box or so I run into a clock sync issue, and it’s so simple to sync them up I should just add this to my normal initial steps.
@bashsquid said:
Can someone help, I have the creds however having issues with the exploit.I keep getting this error when trying to run:
Traceback (most recent call last):
File= “FILENAME” , line 54, in <module>
VIEWSTATE = soup.find(id=“__VIEWSTATE”) [‘value’];
TypeError: ‘NoneType’ object is not subsriptable.Is this a clock issue or something else, I have edited the parts of the script I need to.
Yeah, it’s a clock issue.
How to find writeable location, when there is no output from the PoC whatsoever? I don’t understand the commands are executed since i pinged myself and looked it up using wireshark, but there is literally no output from the .py script?
Edit: Got it
i got root thanks everyone helps as a service 
Rooted! Reminded me how much I have forgotten about windows, but fun!
I spent a lot of time with the POC code. For those stuck there…have a look what’s on github
Not much else I can say that has not been covered in the thread.
Fun box, thanks!
Type your comment> @peek said:
Type your comment> @fcmunhoz said:
I got creds for a****@h**.l****
Is it possible to get a shell using script 46***.py?yes
If you add a line of code, you can even get the user flag without any shell
Seriously, help me on it broo
Rooted. Thanks for the box @mrb3n
Hints
User: look at what you can enumerate then read all the strings carefully. look at how you can use the content you get.
Root. look at what privs you have and see if you can mod something and run it.
DM for Help NP.
Type your comment> @hervai said:
Type your comment> @LegendarySpork said:
I can’t get past the
VIEWSTATE ... TypeError: 'NoneType' object has no attribute '__getitem__'error when running any version of the poc 46***.y . I’m using python3 . logging in with a***@.l and password b*****e . What is causing this error? I see several people have encountered it but am stuck on getting past it.The POC looks pretty simple and I could execute it manually but I just get a blank page after logging in and then a session timeout. Burp repeater could be useful but I am not seeing anything about VIEWSTATE in the responses.
You have a clock problem on your computer, resolve it and it will be good.
You are a freaking genius, can please say me how did u figured it out???
C:\users\public\documents>sc start ******
sc start ******
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
WTF i can not get it to start verified path… PLEASE HELP!!! lol
Hit me up if you know what is up trying to avoid a reboot
Type your comment> @Ja4V8s28Ck said:
Type your comment> @hervai said:
Type your comment> @LegendarySpork said:
I can’t get past the
VIEWSTATE ... TypeError: 'NoneType' object has no attribute '__getitem__'error when running any version of the poc 46***.y . I’m using python3 . logging in with a***@.l and password b*****e . What is causing this error? I see several people have encountered it but am stuck on getting past it.The POC looks pretty simple and I could execute it manually but I just get a blank page after logging in and then a session timeout. Burp repeater could be useful but I am not seeing anything about VIEWSTATE in the responses.
You have a clock problem on your computer, resolve it and it will be good.
You are a freaking genius, can please say me how did u figured it out???
Not the first to have this problem ; when trying to log through a web browser, immediatly got a session timeout message, this might help
Rooted
This box gave me a bit of trouble in a few different ways. However, I learned a lot and found some great Windows tools to poke around in it!
user: Fun CVE challenge. Initial foothold just involves enum, after that you have to do a bit of research on the CMS to get anywhere (or just be familiar with certain filetypes).
root: Two ways I’ve heard people talking about. I went the u****c route only because I couldn’t get TV to work for the life of me (though I did find the necessary info). It’s pretty simple to find (with proper enum) and there is easily googleable info on how to use this service to your advantage.
All in all, great box! The Discord channel is a lot more responsive than these forums if you need any help.
Feel free to PM.
So for anyone who had the clock skew issue, or the error I’m getting below and managed to go on to get user/root… please help!
I’ve corrected the clock skew so I am perfectly in-sync with the target:
Host script results:
|clock-skew: 0s
| smb2-time:
| date: 2020-04-06T20:07:26
| start_date: N/A
But unfortunately still getting this error when I run the script…
Traceback (most recent call last):
File “1.py”, line 53, in
VIEWSTATE = soup.find(id=“VIEWSTATE”)[‘value’]
TypeError: ‘NoneType’ object has no attribute ‘__getitem’
Thanks,
@JMFL said:
C:\users\public\documents>sc start ******
sc start ******
[SC] StartService FAILED 1053:The service did not respond to the start or control request in a timely fashion.
WTF i can not get it to start verified path… PLEASE HELP!!! lol
Hit me up if you know what is up trying to avoid a reboot
If you’ve modified the path, it probably won’t ever be able to start properly. That shouldn’t prevent a well-formatted attack from working though.
Able to root by u***c. Can some pm me the t route. wanted to jump off bridge trying to figure that out.