ServMon

Can someone please tell me why the user flag DOES NOT WORK? I've reset the box and still nothing.

@BrandonSG said:

Can someone please tell me why the user flag DOES NOT WORK? I've reset the box and still nothing.

This comes up on every thread about once a week. HTB uses dynamic hashes and sometimes they don't work. The hashes should change after every reset and be different on different VPNs - this means that hashes should be used as soon as you get them and that sometimes the process which registers the new hash in the scoring server will break.

If it is a box that is being hit with resets, it becomes imperative that the hash is used immediately as a reset will render it invalid.

Your choices are really:

  • Wait a while, repwn the box and get a working hash.
  • Report it to HTB via a Jira ticket and get them to fix the problem.

This isn’t something that can be fixed by the forum or by tips from other users.

All of the solutions for the box no longer work. The box was updated recently. Windows Defender will now remove any nc.exe it comes across. Also, any NC.exe you try will not run, as Defender stops it. We need to figure out a way around Defender to allow us to run NC.exe, or find another solution that does not involve nc.exe being needed.

Also any tools like WinPEAS.exe will be removed via Defender.

Interesting that it has had a defender update as the device isn’t internet connected (or at least shouldn’t be - that might imply HTB are running patches on systems).

So you could try different versions - even when it was live there were issues about getting code onto the box.

You could try PowerShell as an alternative (or even PowerCat).

Or you could try different locations on the filesystem to see if that changes anything.

I have an idea today to get root on the box. If it works, I will let you guys know.

I got root, and I also noticed that HTB would not take my user flag. Since I had local admin, I took a look at user, and it was a different flag??? I looked up my notes and screenshot, and I had a totally different flag. VMs might have different flags. But I found another way to root the box, and no rev shell needed, no netcat needed. This way you bypass any AppLocker or Defender issues. PM me and I can send you the details, or I can get a new write-up posted, showing the “New” way of getting local admin on this box. :wink:

Tip for root: If you understand the old way, you can leverage another option. It does not always have to be some reverse shell. If you got the script to run with SYSTEM access, LOL, you can make the box do whatever you want.

@PanamaEd117 said:

I got root, and I also noticed that HTB would not take my user flag. Since I had local admin, I took a look at user, and it was a different flag??? I looked up my notes and screenshot, and I had a totally different flag. VMs might have different flags.

HTB has been using dynamic flags for quite some time.

Didn’t know that. Thanks.

C:\Users\Nadine\Desktop>type user.txt
type user.txt
Access is denied.

C:\Users\Nadine\Desktop>whoami
whoami
nt authority\system

Why can’t I read user.txt even though I am in a SYSTEM shell?? It is the first time I have met this problem in all the HTB machines I rooted…

I thought you got the user flag from the FTP server on this box (in users/public)?

SYSTEM privs on a Windows machine don’t override individual security settings on files and folders. There are a couple of HTB boxes where being SYSTEM doesn’t give you access to the flags (especially when NTFS encryption is in place).

Can’t seem to get past AV for PE… tried many different things. Different directories, different exes for nc, tried a .NET reverse shell, tried .bat, even executing directly via the app console the script was popped by AV. erg… How to bypass AV on this box???

@meggers said:

Can’t seem to get past AV for PE… tried many different things. Different directories, different exes for nc, tried a .NET reverse shell, tried .bat, even executing directly via the app console the script was popped by AV. erg… How to bypass AV on this box???

I wanna bring more attention to this for everyone coming here for TJ Null’s list. Most walkthroughs don’t work now. nc.exe is now recognized as a virus. Just about every reverse shell method is flagged. I just grabbed the flag with no shell.

I guess Defender got updated on this box or something? I’m not sure. I’m on Kali 2020 and tried multiple nc.exe and shell methods.

If anyone could speak to why the box is different, I’d like to know.

I don’t know why, but trying a different nc binary worked for me.

Try this one: nc.exe/nc64.exe at master · int0x33/nc.exe · GitHub

Just did this walkthrough since the web UI way wasn’t working. Also used the above nc64 binary from b1d0ws. If you’re having trouble with privesc, try the steps with curl. Worked for me. ServMon - Write-up - HackTheBox | Rawsec