Posts: 71 Threads: 0 Joined: N/A
August 15, 2022 at 1:20 AM
interesting looking box

Posts: 166 Threads: 0 Joined: N/A
August 15, 2022 at 1:26 AM
(August 14, 2022, 01:17 PM)undeadly Wrote: (August 13, 2022, 10:30 PM)yumi Wrote: if I get users I will warn you here with more details, I tried zero logon the first time, but I didn't realize that it had worked, I always try on a windows machine, and with the name outdated I tried several vulnerabilities zero logon worked and the petitpotam partially worked because there was no way to access certsrv remotely in this machine.
(August 13, 2022, 10:27 PM)JINXX Wrote: (August 13, 2022, 09:41 PM)undeadly Wrote: sadly bug on the box. the intended way should be probably dealing with hmail and group policies. if an author will fix this fast, it will still be playable.
Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/16/2022  11:05 AM                SQL Server Management Studio
d-----        6/16/2022  11:05 AM                Visual Studio 2017
d-----        6/16/2022  12:07 AM                WindowsPowerShell
-a----         8/1/2022   6:38 PM           7023 hmail_cleanup.ps1
-a----         8/3/2022   4:18 PM            978 install_updates.ps1
-a----        6/16/2022   6:51 PM            518 wsus_group_cleanup.ps1

*Evil-WinRM* PS C:\Users\Administrator\Documents>
How did you achieve a shell with evilwinrm
get hash from secretsdump and access with evil-winrm
in your "list of tryings" you may also include noPac. however, you need to own at least one standard domain user first. Anubis machine was (and still is) vulnerable to noPac -> where it was pretty easy to get a shell on the box and then impersonate admin in under 30 minutes in "Insane" level box. sometimes author just can't cover all windows breaches. https://github.com/Ridter/noPac
Thanks :D :heart:

Posts: 1 Threads: 0 Joined: N/A
August 15, 2022 at 2:17 AM
(August 13, 2022, 09:02 PM)yumi Wrote: niC

Posts: 30 Threads: 0 Joined: N/A
August 15, 2022 at 2:25 AM
What other steps are there to take? I'm not finding anything so far. The only thing that looked promising was hMailServer but I'm not able to get any callbacks to my server. I did download the pdf from the shares and have looked into and tried the vulnerabilities listed within - but so far no luck with anything :-/

Posts: 71 Threads: 0 Joined: N/A
August 15, 2022 at 2:45 AM
same here with Follina and emailing both manually and swaks with links and attachments, specifying tun0 etc - no call backs at all.

Posts: 20 Threads: 0 Joined: N/A
August 15, 2022 at 3:21 AM
(August 15, 2022, 02:45 AM)skyweasel Wrote: same here with Follina and emailing both manually and swaks with links and attachments, specifying tun0 etc - no call backs at all.
Yeah same here, I get a call back when I have it grab a random .txt file, but when I specify the follina.doc it won't get it... ):

Posts: 166 Threads: 0 Joined: N/A
August 15, 2022 at 3:37 AM
it didn't work here either, in fact I didn't receive any callback even from http. well, the path is probably this smtp, or we have to try another poc, or abandon that way, and try some classic msfvenom doc.

Posts: 78 Threads: 0 Joined: N/A
August 15, 2022 at 4:07 AM
(August 13, 2022, 09:02 PM)yumi Wrote: ty

Posts: 7 Threads: 0 Joined: N/A
August 15, 2022 at 5:05 AM
(August 13, 2022, 09:02 PM)yumi Wrote: ty

Posts: 23 Threads: 0 Joined: N/A
August 15, 2022 at 9:48 AM
I believe the intended path from sflowers to administrator is via wsus. Was anyone able to get root that way or am I down a rabbit hole?