Remote

I can’t elevate my privs on this machine with U*O method. Could someone DM me pls?

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

@cmoon said:

Got root on this but don’t think I did it the intended way? Went the TV route but still don’t think it was right? Would appreciate someone reaching out

AFAIK, you took the intended route.

Rooted. Getting user took longer than I expected, but that was because I went down a rabbit hole. Getting root was fun, I learned a new technique that I didn’t use before.
User: Do your usual enumeration, but make sure to check for versions on application, there might be vulns :wink: . Google and find what you need.
Root: Throw a enum script at it and carefully check the vulnerabilities.

Thank you for machine @mrb3n .

The TV route didn’t work for me so I went the “unintended” route and got root. For those struggling to get shell the script works just fine just check nishang’s PowerShellTCP.ps1. It work for me no editing needed to be done on the script.

After a long weekend bashing away at this… I finally have root, using the unintended method. Managed to find a password for the intended route but wasn’t sure what to do next. Would appreciate any tips on solving the intended route.

Thanks to all for the comments in the forum - kept me sane when I thought I was losing it.

Yay! Got root! Huge thank you to everyone for hints here and there! Got there using the “unintended” path of U****c.

As for the TV path, I found the hash, cracked the hash and discovered the interesting thing listening, but the above path was what I resorted to in the end. Anyone care to share more details about the TV path so that I can learn a little bit more? I’d be happy to share in DMs more details to prove that I really did get the above information I’m claiming.

Thank you for the machine @mrb3n !

I have a problem with running the exploit.py, I’ve modified the script and installed all modules and I get this output:
Start
[]
Traceback (most recent call last):
File “*****.py”, line 56, in
VIEWSTATE = soup.find(id="__VIEWSTATE")[‘value’];
TypeError: ‘NoneType’ object has no attribute ‘getitem

I see people with the same problem and something about clock issues, but idk what to do.

Pls DM me if you can help me.
thx

Noob needing some help. I was able to get user but am having trouble with root. I dont want to post any specifics here. is anyone willing to hear what i have done and maybe give some guidance. THanks much! Plz DM me!

-p4nt4n30

Not sure what im doing wrong. I got both pw’s out of TV i can seem to login everything i try i get login failed. someone please help. Ive tried almost every PS**** and nothing.

The RCE exp doesn’t work, and 500 status code returned when I use the exp in burp, can anyone help me?

Just got Root!!! and now I’m a script Kiddie!!! thanks to everyone that helped and to @mrb3n for making the box.

Rooted using U***** method. Not sure about intended method. PM for help.

Awesome box. Multiple paths to system. I spent some time doing the entire thing with powershell-empire for fun. Ended up writing my first ever formal writeup because of it. Free to pm for nudges, or if ya wanna go down the empire path like i did.

rOoTeD. Getting credentials was satisfactory for a newbie like me. The exploit itself required some tuning because I couldn’t understand why it worked/wasn’t working.
Root was actually pretty easy because my friends shared a tool on discord that ended up being what I needed. I just had to enumerate a bit and use it.
PM for nud(g)es :wink:

well

Has anyone had trouble submitting the flags for this box? I’ve rooted but both my user and root flags are not working when trying to submit them.

Session Timed out. Error while logging in the umbraco login page. Need Help…?

Session timed out. Error is very annoying for the U***CO login page. Need Help…

46153.py", line 42, in
VIEWSTATE = soup.find(id="__VIEWSTATE")[‘value’];
TypeError: ‘NoneType’ object is not subscriptable

This error for the remote box, while using the 46153.py … Need help…