Need some tips getting root. Got password from TV but can’t figure out how to run a command using it!
@TombBuster said:
@Twe1ve said:
I’m on the road to root, but while stopping service U*c via "sc.exe stop Uc"
I got this error:
"""
[SC] ControlService FAILED 1062:
The service has not been started.
"""
Can anyone help me???
That’s just because someone else has stopped it before you using the same command.
Can use ‘sc.exe qc u****c’ to query the status of a service.
It shows no matter:
"""
[SC] QueryServiceConfig SUCCESS
…
and I can’t start it either because of this error:
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
Watching football on the TV with a remote control is better than the weak streaming service on the Internet because so many people are abusing it
@cedric9113 said:
Not able to find a way to execute or download something via the POC. I was able to ping my kali machine with both cmd and powershell. I tried both http and smb for downloading, nothing works, anyone can DM me ?
If you managed to figure out how to ping from powershell then you understand how to execute a command via powershell, next you should try to change the command to suit your purpose - If you’re looking for a way to download something I’d suggest googling Downloading file using powershell - for example.
Eventually it depends on what you’re trying to achieve and then I’m sure that there are plenty of ways \ methods to achieve what you’re looking for.
I just want to re-emphasize something that was already said:
@VbScrub said:
@sneel0428 if you want to keep trying to get the PoC working, fair enough. But just to clarify if you missed my previous posts - you don’t NEED to use the PoC with all the cookie and viewstate stuff. All that’s doing is mimicking someone actually using the website, so instead of using a script to do that you can just… actually use the website. You will still need the payload part of the PoC though, but it’s pretty obvious where to put it once you look around the site.
@menorevs said:
for people that rooted the machine, what are you using to extract the administrator hash so I can look up some of these walkthroughs?
On this machine it’s possible to get the hashes through the “hashdump” command of a meterpreter shell. That’s the easiest (and only working way) I personally found so far.
/Edit: Keep in mind that you need a root meterpreter shell for that to work!
Rooted. Really enjoyed this box
Foothold: A basic port scan and some googling should allow you to visit a promising location.
User: Find an interesting looking file and explore it. Once you find what you were looking for, do your research and find that POC everyone is talking about. Read the POC carefully and change what needs to be changed. Otherwise you’ll be simply popping up calculators on this Windows box
Root: What are some terrible places to hide config settings? Exactly
Study these settings and do some more research. A cool security article will lead you right to root.
@Twe1ve said:
@TombBuster said:
@Twe1ve said:
I’m on the road to root, but while stopping service U*c via "sc.exe stop Uc"
I got this error:
"""
[SC] ControlService FAILED 1062:
The service has not been started.
"""
Can anyone help me???
That’s just because someone else has stopped it before you using the same command.
Can use ‘sc.exe qc u****c’ to query the status of a service.
It shows no matter:
"""
[SC] QueryServiceConfig SUCCESS
…
and I can’t start it either because of this error:
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
I’m getting this same issue. Even tried a few resets and no dice. I’m fairly certain this is unintended way, but still, why does it keep failing for some and apparently working for others?
I’m getting an issue with the POC, can’t even get a ping on my machine using cmd as filename and /C ping x.x.x.x as arguments. What am I doing wrong ?
Hey, struggling with getting some momentum on this box as it is my first Windows box. Carrying out a dirbuster scan I find u0 login, however cannot find any extra directories containing anything useful, e.g. files.
nmap scan gave back a lot, guessing it may have something to do with rb service, but when attempting s*mt command, I get an error…
Any help in where to go from here?
@ArcticReboundz said:
Hey, struggling with getting some momentum on this box as it is my first Windows box. Carrying out a dirbuster scan I find u0 login, however cannot find any extra directories containing anything useful, e.g. files.
nmap scan gave back a lot, guessing it may have something to do with rb service, but when attempting s*mt command, I get an error…
Any help in where to go from here?
Don’t worry about the website for now, enumerate all the other services that your nmap found
@ArcticReboundz said:
Hey, struggling with getting some momentum on this box as it is my first Windows box. Carrying out a dirbuster scan I find u0 login, however cannot find any extra directories containing anything useful, e.g. files.
nmap scan gave back a lot, guessing it may have something to do with rb service, but when attempting s*mt command, I get an error…
Any help in where to go from here?
Use the correct syntax for s*mt and it should work.
@Raekh said:
I’m getting an issue with the POC, can’t even get a ping on my machine using cmd as filename and /C ping x.x.x.x as arguments. What am I doing wrong ?
Almost certainly a syntax error or you are running something which isn’t on the remote machine.
I have successfully run the m**** command but I can’t find anything good. I am guessing I am missing the obvious. Can I get a hint or a pm?
Working on user. Found creds in sf file. Ran the hash through website which spit back
bnce Seems like that’s the ticket. Tried logging in as ad@h**.***** but nothing. Am I on the wrong track, or did someone change the pw? Can’t reset the box; says it’s under maintenance.
@rlh said:
Working on user. Found creds in sf file. Ran the hash through website which spit back
bnce Seems like that’s the ticket. Tried logging in as ad@h**.***** but nothing. Am I on the wrong track, or did someone change the pw? Can’t reset the box; says it’s under maintenance.
People shouldn’t be changing passwords. What you have should log you in
Using the PoC I get this powershell error in the response : Exception calling “DownloadString” with “1” argument(s): "Could not find a part of the path ‘c:\windows\system32\inetsrv\10.10.14.x\shell.ps1’, any ideas ?
Why does my hackthebox keep rejecting my user flag which I found in /Public?? Also can anybody give me a nudge on intended path to root?
@Kevoenos said:
Why does my hackthebox keep rejecting my user flag which I found in /Public?? Also can anybody give me a nudge on intended path to root?
- If the box was reset since you found the flag then your original flag is invalid. New boxes (As of Traceback) have flag rotation each reset - otherwise someone might have changed the flag on purpose (?) if that’s the case I’d reset the box and get the flag as quickly as possible.
- Enumerate
- Plenty of hints on here on the intended and unintended (if you can call it that).
Anybody here willing to look at my script for the foothold? Not sure why it isn’t working
To the people who already got the box, is NF… the right place to investigate ?