Remote

@OrkaPatorka said:

I’m stuck on root. I think I’m trying to do it the unintended way using the U****c service. When I’m getting to the end I always get this error: The perimeter is incorrect. How can I fix this?
Did anyone else face this when doing it the unintended way?

No. Try the other way if this one doesn’t work.

Finally rooted earlier today. It seems that there is more than enough information here already but if you are stuck with user or root, please feel free to DM me for hints.

rooted, nice box that’s only slightly irritating in places :slight_smile:

Got User.
I am very new to Windows priv escalation. I saw a service running post I got a user related to the box name. It has something to do with privesc? Any nudges would be great.

hmm, got user and access to the system. After a break the user password seems to be changed.
I’ll investigate on root by tomorrow since I already got greyed hairs due to bad internet connection today :wink:

Btw. if someone is having trouble with the PoC, just watch IppSec’s videos. One of them helped me out to understand and implement that correctly :slight_smile:

Edit Again: thanks for fixing the password back to normal :slight_smile:

Finally got user, thank you @chefByzen and @zito .

Pm me if you’re stuck. Taking a break before getting after root.

Tip: Don’t overcomplicate the POC. I wasted way too much time doing this.

what on earth is going on with this machine that is causing the password for the website to keep getting changed? Seems very odd that so many people have encountered this over several days. I find it hard to believe so many people are changing the password, as there’s no need to do that at all.

I didn’t encounter it myself when attacking the box though, and I went through the whole thing twice (once on free servers and then again after I’d signed up for VIP). Maybe it’s something else that is making people think the password has been changed?

I never encountered a password change - although I am on a VIP server. I’ve tried it a few times now (largely when I realised my privesc was not the “intended” privesc!).

All I can think is that some people may think it’s funny to change the password after they’ve logged in.

Finally got root, like always learned something new :slight_smile:

Ok so I got root the intended way, but I also abused the other service and made an administrator account (my guess is this is the second way). How can I use this to log in??

first box, fully owned without gentle hints!

there are enough tips for the user in the thread already.

root: do win enumeration from PowerShell manually or using the tools, things will jump at you

pm for tips, if needed

USER:
_exploit the high service
_when you got creds use CVE against the CMS
pimp the payload change something by cd.ee

ROOT:
_find the service to exploit with a script
_exploit in the way that the script suggests you

thanks for all :slight_smile:
Feel Free To PM :slight_smile:

So I have user creds, I have the PoC, but I am running into an issue with the Python lib behind it. The PoC doesn’t seem to be saving the UMB_UCONTEXT cookie, and I have torn the PoC apart until it’s bare bones trying to send one authenticated request after the initial POST authentication. Has anyone had similar issues?

@TazWake said:

@phlashko said:

I am dead in the water at the darn CVE. I just can’t seem to know what to change in the code to make it work. I got a**** pass and got access to the site, can upload js* manually, but cannot make the script work. A nudge would be very helpful.

@th3g3ntleman said:

Can’t seem to run the PoC. After running the py file it just starts and ends without returning the shell, tried changing a few things in the PoC but no luck. Please help

@spowlay said:

I need some help with the PoC…Anyone please ping me

It isn’t easy for people to help in this way without basically giving you the code to get the flag. The only non-spoiler way is to say “check what isn’t working and change it.”

If you don’t know what isn’t working then use this as a learning experience to find out how the exploit works and see what you need to change.

At a very high level, and because I don’t want to come across like a ■■■■, you need to read the exploit - some parts are clearly marked in need of content (the XXXXs), others you need to read what it is doing and change it to do what you want it to do.

Popping calc is for POCs, not exploitation on HTB.

@TazWake Yeah I get it, I changed the payload and now I understand that I need to run commands to get a shell. The only problem I am facing is downloading any file

So I’m able to change the needed areas in the script. However, when I run it I get this error. Any nudges would be helpful.

TypeError: 'NoneType' object has no attribute '__getitem__'

@th3g3ntleman said:

@TazWake Yeah I get it, I changed the payload and now I understand that I need to run commands to get a shell. The only problem I am facing is downloading any file

Quite a few ways to do this. Try to determine what is going wrong and where you are trying to download it, then you might be able to solve the problem.

@osmus said:

So I’m able to change the needed areas in the script. However, when I run it I get this error. Any nudges would be helpful.

TypeError: 'NoneType' object has no attribute '__getitem__'

Is this from some code you have added?

Can someone help me please? I put my file.exe on the box by 46****.py but I can’t run it

@YASWELL said:

Can someone help me please? I put my shell on the box by 46****.py but I can’t run it

I don’t know what you mean by putting your shell on the box. If the Python exploit has worked, you have a shell.

@TazWake said:

@YASWELL said:

Can someone help me please? I put my shell on the box by 46****.py but I can’t run it

I don’t know what you mean by putting your shell on the box. If the Python exploit has worked, you have a shell.

Oh, I mean uploaded my exe file on the server