Remote

@art0x1 said:

@TazWake There are many alternatives in Windows for downloads and execution

I agree. You don’t always know what is available on the remote box though. If you’ve made your own, you know it’s there.

To find a writeable location on the file system, I just googled to see where the default IIS user account has permission to write to. But yeah, by default all users can create new folders in the root of the C drive on Windows so a lot of the time you can do as @TazWake said and just create your own there

To be fair, it’s not the most forensically sound approach :smile: but it works very well on CTFs…

hey, no need to be forensically sound when you log in to a machine and find everyone else has just dumped their entire exploit library into the first directory you land in :lol:

@TazWake said:

@Raekh said:

I’m so dumb. Fixed with http in front of the URL. Now I gotta figure out how to run it from a different location

Couple of ways you can solve this. You could create your own.

No I mean, PowerShell’s default location is system32 files so I can’t run the command there. I changed directory to C:\Users\Public but the script says the reverse option is unknown so it’s weird

@VbScrub said:

hey, no need to be forensically sound when you log in to a machine and find everyone else has just dumped their entire exploit library into the first directory you land in :lol:

I don’t know if I should laugh or cry.

Okay moved on to the shell (which I got using msfvenom).
Found a password with the “remote” tool. Any clues as to what to do with them?

Hi, I am new. I’ve found the SPs files through the high, and a@.****l, then I have no idea what to do. Any bros help me? Thks~ >.<

@zhaoss said:

Hi, I am new. I’ve found the SPs files through the high, and a@.****l, then I have no idea what to do. Any bros help me? Thks~ >.<

did you have credential of a****@***.****l? tried to enumerate what cms used of this box then tried to exploit them.

Finally got the hashes to work out for me, rooted the box but did it the unintended way… Now onto the intended method…

@VbScrub said:

hey, no need to be forensically sound when you log in to a machine and find everyone else has just dumped their entire exploit library into the first directory you land in :lol:

Ahahahahah!! You’re right, I noticed this situation happening so many times… :smiley:

Apart from well-known scripts, by the way, I have to admit that I usually type/cat other people’s scripts when I come across them because I’m curious to understand how they’re approaching my same situation… something new to learn sometimes :wink:

HTB is great, I really learned a lot during these last times!

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?

@ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way to make it work

I am stuck at the root part, can anybody help?? please dm

@htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?

@ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way to make it work

If you got creds, you have to switch user, another method exists though

@sneel0428 said:

@VbScrub said:

@sneel0428 if you want to keep trying to get the PoC working, fair enough. But just to clarify if you missed my previous posts - you don’t NEED to use the PoC with all the cookie and viewstate stuff. All that’s doing is mimicking someone actually using the website, so instead of using a script to do that you can just… actually use the website. You will still need the payload part of the PoC though, but it’s pretty obvious where to put it once you look around the site.

Oh for sure, at this point I am more curious than anything. What gets me about it is that other than the payload, it’s a fairly simple delivery mechanism. Hence me wondering what’s going on. I tend to use the module that the PoC uses a lot so if there is an issue, I need to know haha. Thanks for everything!

Did you manage to find out what was going on? Because I think I have the same exact problem

@cyberafro said:

@htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?

@ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way to make it work

If you got creds, you have to switch user, another method exists though

I have no local creds, just for the piece of code which the hint is the machine’s name. These don’t seem to work

Guys, any ideas about what to do with that TV cred?

rooted! :smiley:

I think I was overcomplicating trying to reconfigure the U*****c as well
The keywords for this machine are really ‘don’t overcomplicate’ :wink: things are often simpler than you think!

Could anyone PM me how to approach the TV method? It looks like an interesting exploit to learn…

@htbuser01 said:

@cyberafro said:

@htbuser01 said:

Hi all! I managed my way in and also found 2 additional puzzle pieces - but now I am stuck elevating privs. Any hints on the intentional way?

@ironman2 said:

need some tips getting root. Got password from TV but can’t figure out how to run a command using it!

I am stuck at this exact position and cannot seem to find a way to make it work

If you got creds, you have to switch user, another method exists though

I have no local creds, just for the piece of code which the hint is the machine’s name. These don’t seem to work

You are you have no local creds ? Don’t know what you call “piece of code”

@Raekh, switch user as said before

@daemonzone said:

rooted! :smiley:

I think I was overcomplicating trying to reconfigure the U*****c as well
The keywords for this machine are really ‘don’t overcomplicate’ :wink: things are often simpler than you think!

Could anyone PM me how to approach the TV method? It looks like an interesting exploit to learn…

I keep getting “FAILED 1053” when using U******c method.
Any help anyone?