Remote

I’m running across the VIEWSTATE error with the PoC. I understand that it’s a clock sync issue but I can’t seem to get it resolved as when I try to sync I’m getting

no server suitable for synchronization found

Would anyone be able to lend a hand?

Edit: If you’re having issues with this, make sure with the part you change in the PoC that you are looking at the rest of the exploit and aren’t putting in something that will be added later.

OK, I was able to get root, but only because one of the tips led me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place? I checked the service path and there is nothing unusual, and when I look at the service permissions I don’t understand why the user shell I get is able to modify it. The most inclusive group in the permissions is Authenticated Users… I thought the user associated with the initial shell was excluded from that group. Would someone be willing to PM me with some details (or a link to an article)?

(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)
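
An added example (not part of any post in this thread): decoding the ACE list quoted above into named service access rights, so each trustee's grants can be read directly when auditing a service. The function names and the `DANGEROUS` set are this example's own choices; the two-letter codes use the standard SDDL meanings for service objects.

```python
import re

# SDDL two-letter rights as they apply to service objects (winsvc.h meanings).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee aliases that occur in the posted string.
TRUSTEES = {"AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
            "SY": "LOCAL SYSTEM", "SU": "Service logon user"}
# Rights that let a holder change what the service runs or rewrite its ACL
# (this grouping is the example's assumption of what an audit should flag).
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_aces(sddl):
    """Return a list of (ace_type, trustee, [rights]) from an SDDL ACE list."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unknown rights string: {rights}")
        names = [SERVICE_RIGHTS[c] for c in codes]
        aces.append((ace_type, TRUSTEES.get(sid, sid), names))
    return aces

def risky_trustees(sddl):
    """Trustees granted (ACE type 'A') any right in DANGEROUS, with those rights."""
    out = {}
    for ace_type, who, rights in parse_aces(sddl):
        hits = sorted(DANGEROUS.intersection(rights))
        if ace_type == "A" and hits:
            out[who] = hits
    return out

# The ACE list exactly as posted above.
POSTED = ("(A;;CCLCSWRPLOCR;;;AU)(A;;CCLCSWRPWPLOCRRC;;;BA)"
          "(A;;CCLCSWRPWPLOCRRC;;;S-1-5-21-3799463084-4290437372-2261193466-500)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SU)")

if __name__ == "__main__":
    for ace_type, who, rights in parse_aces(POSTED):
        print(f"{ace_type} {who}: {', '.join(rights)}")
    print("can reconfigure:", risky_trustees(POSTED))
```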

@CyberG33k said:

OK, I was able to get root, but only because one of the tips led me to the right service. My question is this… can someone explain how I would have zeroed in on that service in the first place?

Depends on what you went for to root the box.

If you went for the intended route, this is discoverable through enumeration and should stand out (certainly with experience it will). If you went for a slightly different approach, again, the characteristics of the service are unusual which should draw attention.

Guys, I’m having some problems here. I already know the “U****c” exploit for the root, but when I run the ******-abuse and the command, I didn’t get anything. I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I’m really struggling with opening up a specific file I found on the s***_b******. It keeps giving me errors when I try to open it locally on my attacker box. Any ideas how to enumerate it correctly? Or am I going the wrong way?

@bigfatpig said:

Guys, I’m having some problems here. I already know the “U****c” exploit for the root, but when I run the ******-abuse and the command, I didn’t get anything. I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I have been stuck at the same point for hours, too. Could you already solve it?

@redbird said:

@bigfatpig said:

Guys, I’m having some problems here. I already know the “U****c” exploit for the root, but when I run the ******-abuse and the command, I didn’t get anything. I’ve been struggling with this for 5 fkn hours. My head spins when I write this now :slight_smile:

any kind of help will be appreciated

I have been stuck at the same point for hours, too. Could you already solve it?

Got stuck there for a while too. I think that route has been patched. Had to do it the other way.

After a nudge please. Managed to get final password via the T******** service. Can’t seem to log in anywhere, even at that high port. Evil tool doesn’t work either.
Thanks!

EDIT: Argh, user error on my part. Got root.

Hi everybody! I’ve been stuck on privesc since last week. PowerShell works 1 time outta 10 and the VM keeps resetting. I’ve tried abusing U****c but it’s now working, at least I don’t get the reverse shell execution… So I also tried with Tr-Se. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can’t see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T*****r 7 password and someone has been able to do it… can someone please point me in the right direction???

@waldemaro said:

Hi everybody! I’ve been stuck on privesc since last week. PowerShell works 1 time outta 10 and the VM keeps resetting. I’ve tried abusing U****c but it’s now working, at least I don’t get the reverse shell execution… So I also tried with Tr-Se. I see that it is running as NT AUTHORITY\SYSTEM and I tried to switch the executable with an msfvenom payload that should pop a reverse shell. I can’t see the error output on my shell so I suppose that the file is locked because it is running; I tried to move it, rename it, delete it with no luck. I read that it is possible to retrieve the T*****r 7 password and someone has been able to do it… can someone please point me in the right direction???

A Google search for that exact thing you are trying to extract should give you all you need :wink:

@HomeSen said:

@waldemaro said:

A Google search for that exact thing you are trying to extract should give you all you need :wink:

waldemaro is spot on, have just completed the same Google search and then escalation from there in the last hour. It’s specific to T********r 7.

Yes, maybe I’m not able to search things on Google… Before asking, I found C++ or Python scripts (no Python installed on remote) and msf modules that are not working, not to mention that all the PoC videos that I’ve found are for versions 13 and 14… the only CVE I’ve found is dated 2019…


ROOTED FINALLY! After a short little rage here at home I finally figured out a way to transfer files to the box using the PoC. I dropped my veggies and got root 5 minutes later. Jesus, this box was a pain in the ■■■. User took me ages but root was easy peasy.

Alright, I’m here again to help my fellow warriors. If you need a nudge please PM and mention which box you’re trying to pwn since I got many PMs on boxes I did recently.

rooted!
https://media.tenor.co/videos/6ed80590a4d0b91b0198e112cf3afd94/mp4

Thanks to @HomeSen for pointing me in the right direction.

User:
Always scan all ports, the more information the better.

Root:
I did the T******** exploit I found to get creds, but I wasn’t able to find where I could use that. Instead used a standard Windows priv. esc. tool. After that ran into the shell issue people talk about throughout there, my workaround for this required a bit of waiting to get what I wanted.

This box was a lot of fun. Thank you to the creator, excellent work.

Somebody’s got this problem with u***********.*y?

Traceback (most recent call last):
  File "u***********.*y", line 53, in <module>
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
TypeError: 'NoneType' object is not subscriptable

@X013 said:

Somebody’s got this problem with u***********.*y?

Traceback (most recent call last):
  File "u***********.*y", line 53, in <module>
    VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
TypeError: 'NoneType' object is not subscriptable

It massively depends what is in u***********.*y but it looks like the script is missing something or has been misconfigured.

The best option is to read through the code, try to work out what is happening & where it happens, then you might be able to work out a solution.

Hello All.
So I’m having a bit of a weird issue: I’m able to run the script (starts with U) for the user and get to user.txt, but after exploiting the US and getting a shell I’m not able to run more than 1 command. Is anyone else having the same issue or am I just the lucky one?
Any help is greatly appreciated.

I’m trying the TV approach after getting access to cmd and user.txt. After finding the Administrator password on r******* and cracking it I get r*****_****n. Is this correct?

I was trying to run something like “sudoo” on ps and/or runas but it always falls back to the cmd without allowing me to type the password.

What am I missing? Is this in the right direction?