Remote

This box is a mess. First time I’ve had so many problems with it.
I have creds and exploit, but it gives me a 302 to every login with a white page. Can’t even bypass it. Tried to work it out with a few people on Discord and it seems that on labs vip-beta-1 and vip-16 it’s just bad.
I’m out of options.

Finally user. Made a stupid mistake following IppSec’s video on re***** sh**** too literally.

I got user as well. My advice: forget about logging into the website.
No need to reset either.
Use what you found to utilise the RCE, and also make it simple.
Step by step to verify you have command execution and so on.

Guys, don’t reset the box all the time. No need for this.
Use the PoC.
It is like the Traceback machine, resets all the time unnecessarily.

Just rooted the machine after I got user yesterday. Great learning experience for me, root wasn’t difficult if you know what you need to/can do on Windows boxes. It only takes a handful of commands and you’re done.

I definitely need to step up my Windows knowledge, though! :smiley:

User:
Initial foothold was a nightmare, because people keep changing a**** creds. I suspect someone has a script for it as on one server it gets changed seconds after the box is reset… Sunk several hours into trying to find a second password which doesn’t exist. If you found one password you can stop looking. Double check your username, and try switching regions if you suspect someone is messing with it. For the next part, understand the PoC, and as @MariaB said take it step by step.

Root:
Something should stand out during enumeration. Some people say it has to do with the machine name; I personally don’t see why, so don’t be too focused on that or you might miss it.

EDIT: There are at least 2 ways to root, hence the confusion.

Rooted

> @LaszloNagy said:
>
> User:
> Initial foothold was a nightmare, because people keep changing a**** creds. I suspect someone has a script for it as on one server it gets changed seconds after the box is reset… Sunk several hours into trying to find a second password which doesn’t exist. If you found one password you can stop looking. Double check your username, and try switching regions if you suspect someone is messing with it. For the next part, understand the PoC, and as @MariaB said take it step by step.
>
> Root:
> Something should stand out during enumeration. Some people say it has to do with the machine name; I personally don’t see why (I would welcome a PM explaining it), so don’t be too focused on that or you might miss it.

Perhaps it is the other path to root, and I also would like to know why!

ROOTED.
It was a race as always. But I would say use your enumeration scripts, they will show you the way.
Cool box @mrb3n, despite all the resets from others.

Rooted!

Was u****c the correct path?

Can anyone PM the other rooting process not involving US? Just curious…

AND ROOT.

User was the hard part. Syntax matters, don’t go straight for shell, try something simple first. Remember the language of the exploit you are using and how to format things so they output the way you want! (careful for escape characters etc…)

Maybe the creator of the box can confirm if the U***** is the correct path to root?
It looks unintended because it has no relevancy with the box name.
I guess the correct way is related to the “remote” tool?

Anyway, awesome box!
All the hints have been written here.

@Crafty I assumed both were intentional actually, cos surely that service you mentioned is not normally vulnerable to this kind of attack so must have been changed?

Nothing is working for me on this machine… errors and errors and some more errors. Dunno if it’s me or the box, probably it’s me… this just makes me never wanna touch Windows machines again.

30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? Is this a py issue on my box?

> @imag1ne said:
>
> 30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? Is this a py issue on my box?

You don’t actually need to use py at all. I just logged in to the site and did it all manually, copying the payload part of the POC into the obvious place it should go when you start looking through the management portal of the site. Took me a while to realise how to trigger it (thanks to some of the button images not working) but a bit of googling helped there.

I got user. The PoC needs a little change, but after a time it needs a box reset to work.
For the foothold, also try again and again.

> @imag1ne said:
>
> 30 different ways, no success with PoC. Continue to crash at Viewstate. Can anyone advise? Is this a py issue on my box?

Make sure you’re in a privileged account. There’s more than one you can log into with the same password.

I am stuck at the initial foothold. I saw the n** share and can access it after m****** it, and found a s** file in A**_**** that I am pretty sure has the creds for a***@h**.l****, but after a lot of grep, find, sed, awk, strings, cat, etc. I cannot find the hash for the life of me as described in CMS documentation. Am I on the right track?
Thanks in advance!

Could someone PM me and give me a nudge on the POC? I’m able to ping my box and upload files to a path but not able to get a connection back.