Posts: 44 Threads: 0 Joined: N/A
September 24, 2022 at 1:22 AM

(September 24, 2022, 01:02 AM)meowmeowattack Wrote:
(September 24, 2022, 12:43 AM)onl1_f4ns Wrote: Any ideas from bob.wood to admin? I tried GPO, ACLs, some exploits... winpeas... and nothing yet. Anything?

I think that is a final step. Also interesting:
Computer Name : HOPE User Name : Bob.Wood User Id : 2761 Is Enabled : True User Type : User Comment : Last Logon : 9/23/2022 3:20:18 AM Logons Count : 93 Password Last Set : 5/2/2022 12:42:15 PM
Computer Name : HOPE User Name : bob.woodadm User Id : 5101 Is Enabled : True User Type : Administrator Comment : Last Logon : 1/1/1970 12:00:00 AM Logons Count : 0 Password Last Set : 5/4/2022 7:43:11 PM
Computer Name : HOPE User Name : luis.jacksonADM User Id : 5102 Is Enabled : True User Type : Administrator Comment : Last Logon : 1/1/1970 12:00:00 AM Logons Count : 0 Password Last Set : 5/4/2022 7:44:09 PM
but how to get it..
same here. after going through the journey so far, i feel this box doesn't really involve any technically difficult barrier, but a lot of things are customised in an unfriendly manner. so i bet it would take some time to find out what's the next customisation.

yeah...also windefender is acting on the box and prevents a lot of stuff. That sucks.. I'm now running winpspy to collect some more intel -> https://github.com/xct/winpspy and i wanna take a screenshot on the box.

You're right about customizations and we might not expect something strange again.

Posts: 25 Threads: 0 Joined: N/A
September 24, 2022 at 1:39 PM

noice!

Posts: 44 Threads: 0 Joined: N/A
September 24, 2022 at 9:07 PM

Can you verify please that this Getscreen.me is also on your box instance? Though can't get anything from it.. still digging.

Listing: C:\ProgramData
=======================
Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
040777/rwxrwxrwx  0       dir   2022-04-28 13:59:43 -0600  Application Data
040777/rwxrwxrwx  0       dir   2022-04-28 13:59:43 -0600  Desktop
040777/rwxrwxrwx  0       dir   2022-04-26 03:29:06 -0600  DockerDesktop
040777/rwxrwxrwx  0       dir   2022-04-28 13:59:43 -0600  Documents
040777/rwxrwxrwx  0       dir   2022-05-01 08:59:17 -0600  Getscreen.me
040777/rwxrwxrwx  8192    dir   2022-08-18 08:49:47 -0600  Microsoft
040777/rwxrwxrwx  4096    dir   2022-08-24 04:12:54 -0600  Package Cache
040777/rwxrwxrwx  0       dir   2021-05-08 02:20:24 -0600  SoftwareDistribution
040777/rwxrwxrwx  0       dir   2022-04-28 13:59:43 -0600  Start Menu
040777/rwxrwxrwx  0       dir   2022-04-28 13:59:43 -0600  Templates
040777/rwxrwxrwx  0       dir   2022-04-28 14:56:28 -0600  USOPrivate
040777/rwxrwxrwx  0       dir   2021-05-08 02:20:24 -0600  USOShared
040777/rwxrwxrwx  4096    dir   2021-08-30 13:49:28 -0600  VMware
100444/r--r--r--  279366  fil   2022-09-20 16:12:01 -0600  ntuser.pol
040777/rwxrwxrwx  0       dir   2022-09-24 14:51:17 -0600  regid.1991-06.com.microsoft
040777/rwxrwxrwx  0       dir   2021-05-08 03:35:49 -0600  ssh
meterpreter > ls Getscreen.me\\logs\\
Listing: Getscreen.me\logs\
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  14902  fil   2022-05-01 09:13:03 -0600  20220501.log
migrated to several processes and don't have access to the desktop to make a screenshot. There's also docker auxiliary utils and not so much yet.

Posts: 213 Threads: 0 Joined: N/A
September 25, 2022 at 6:02 AM

Perhaps there's something with the WINDCORP\Adminusers and WINDCORP\IT group memberships.

Posts: 31 Threads: 0 Joined: N/A
September 25, 2022 at 6:55 PM

(September 25, 2022, 06:02 AM)Exa Wrote: Perhaps there's something with the WINDCORP\Adminusers and WINDCORP\IT group memberships.

Try to dig in browsers.. Smth there :)

Posts: 48 Threads: 0 Joined: N/A
September 25, 2022 at 7:09 PM

i would like to know what is next step....
i got the smb ... with the .lnk and ps1 but i know that cifs/hope isn't writeable ..

Posts: 59 Threads: 0 Joined: N/A
September 25, 2022 at 9:22 PM

in IT@WINDCORP there's also some extra policies set. if you know how to bypass protection, then you may execute an attack against DC to dump hashes.

Posts: 19 Threads: 0 Joined: N/A
September 26, 2022 at 7:13 AM

(September 14, 2022, 10:17 AM)meowmeowattack Wrote: in the cve-2019-19886 article, you can find a cookie bypass introduced.
structure your payload this way:
app=$cookie_app;profile=$(echo 'node_js_rce_payload'|base64 -w0)=<original-profile-content>
anyone able to confirm if the next step after getting a shell to webster is to crack the backup.zip file or not?
by browsing the contents of the backup.zip (password protected but paths/names are visible), it seems the contents can be further used for kerberos related attacks and from the login history of webster, the last login was from hope.windcorp.htb
yet, i'm not certain if the immediate next step after receiving a shell is to crack the backup.zip or not. cause many wordlists didn't work. also tried mangling some leet forms of potential keywords.
i also found cracklib used for preventing the user from using common words as password. but this is considered a deny list, not an allow list that can be used for mangling password lists.
thanks in advance bro. how did you get the shell? i'm still searching but i only got a dos attack

Posts: 213 Threads: 0 Joined: N/A
September 26, 2022 at 7:20 AM

(September 25, 2022, 06:55 PM)Mr_Unkn0wn Wrote:
(September 25, 2022, 06:02 AM)Exa Wrote: Perhaps there's something with the WINDCORP\Adminusers and WINDCORP\IT group memberships.
Try to dig in browsers.. Smth there :) Thanks for the hint. I see there is a saved login (Edge) for bob.woodADM. Trying to decrypt that database entry now.
(September 26, 2022, 07:13 AM)lamehacker Wrote:
(September 14, 2022, 10:17 AM)meowmeowattack Wrote: in the cve-2019-19886 article, you can find a cookie bypass introduced.
structure your payload this way:
app=$cookie_app;profile=$(echo 'node_js_rce_payload'|base64 -w0)=<original-profile-content>
anyone able to confirm if the next step after getting a shell to webster is to crack the backup.zip file or not?
by browsing the contents of the backup.zip (password protected but paths/names are visible), it seems the contents can be further used for kerberos related attacks and from the login history of webster, the last login was from hope.windcorp.htb
yet, i'm not certain if the immediate next step after receiving a shell is to crack the backup.zip or not. cause many wordlists didn't work. also tried mangling some leet forms of potential keywords.
i also found cracklib used for preventing the user from using common words as password. but this is considered a deny list, not an allow list that can be used for mangling password lists.
thanks in advance bro. how did you get the shell? i'm still searching but i only got a dos attack

In another reply someone posted this link: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/

Posts: 73 Threads: 0 Joined: N/A
September 26, 2022 at 7:36 AM

(September 26, 2022, 07:20 AM)Exa Wrote: I see there is a saved login (Edge) for bob.woodADM. Trying to decrypt that database entry now.
You are on a good way. Just decrypt it, then you can connect with bob.woodADM using evil-winrm and get the root flag.
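The cookie shape quoted earlier in the thread (app=...;profile=<base64>) is the one the CVE-2019-19886 write-up and the linked opsecx article describe for node-serialize deserialization. As an added, defender-side example that is not part of this thread and not code from the affected application, here is a Node.js validator that parses that cookie structure, base64-decodes the profile field and refuses anything that is not plain JSON or that carries node-serialize's function marker (the `_$$ND_FUNC$$_` prefix shown in the opsecx write-up), so the value never reaches unserialize(). The cookie strings, the field names and the helper functions are constructed for this example.

```javascript
// Added example (not from the thread): validate an "app=...;profile=<base64>"
// cookie on the server side before any deserializer sees it.
// node-serialize encodes functions as strings prefixed with this marker;
// a legitimate profile object never contains it.
const ND_FUNC_MARKER = '_$$ND_FUNC$$_';

// Parse "k=v;k2=v2" into a prototype-less object; returns null on malformed input.
function parseCookie(raw) {
  const out = Object.create(null);
  for (const part of raw.split(';')) {
    const idx = part.indexOf('=');
    if (idx <= 0) return null;              // missing key or missing '='
    const key = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (key in out) return null;            // duplicate key: reject rather than guess
    out[key] = value;
  }
  return out;
}

// Decode the profile field and decide whether it is safe to use.
// Returns { ok: true, profile } or { ok: false, reason }.
function checkProfileCookie(raw) {
  const fields = parseCookie(raw);
  if (!fields || typeof fields.profile !== 'string') {
    return { ok: false, reason: 'malformed cookie' };
  }
  // Strict base64: padding only at the very end. Anything appended after the
  // '=' padding (the "<payload>=<original-profile>" shape quoted in the thread)
  // fails this check before decoding.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(fields.profile)) {
    return { ok: false, reason: 'profile is not clean base64' };
  }
  const decoded = Buffer.from(fields.profile, 'base64').toString('utf8');
  if (decoded.includes(ND_FUNC_MARKER)) {
    return { ok: false, reason: 'serialized function marker in profile' };
  }
  let profile;
  try {
    profile = JSON.parse(decoded);          // JSON.parse never evaluates code
  } catch {
    return { ok: false, reason: 'profile is not JSON' };
  }
  if (profile === null || typeof profile !== 'object' || Array.isArray(profile)) {
    return { ok: false, reason: 'profile is not an object' };
  }
  return { ok: true, profile };
}

// Constructed sample cookies (not captured from any real host) for a self-check.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const SAMPLES = {
  benign: 'app=webster;profile=' + b64('{"name":"bob.wood","theme":"dark"}'),
  funcMarker: 'app=webster;profile=' + b64('{"x":"' + ND_FUNC_MARKER + 'function(){}()"}'),
  appended: 'app=webster;profile=' + b64('{}') + '=' + b64('{"name":"bob"}'),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, cookie] of Object.entries(SAMPLES)) {
    console.log(name, checkProfileCookie(cookie));
  }
}
```

The design point is that the fix is not a better deny list of payload strings but a change of parser: a profile cookie is data, so it is decoded with JSON.parse, which cannot execute anything, and the marker check is only a cheap early signal worth logging as an attempted attack.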