OS           : Windows
Difficulty : Insane
Points     : 50
IP             : 10.10.11.147

---

Any idea about foothold?

[email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

How did you find out about [email protected]?

(April 19, 2022, 04:58 PM)user534915 Wrote:

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

How did you find out about [email protected]?

https://www.mojoportal.com/Forums/Thread.aspx?pageid=5&t=2902~-1

---

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

Stuck on getting shell. My aspx file is not rending.

(April 19, 2022, 04:58 PM)user534915 Wrote:

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

How did you find out about [email protected]?

google the cms you will find defaults creds

(April 19, 2022, 05:03 PM)___user___ Wrote:

(April 19, 2022, 04:58 PM)user534915 Wrote:

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

How did you find out about [email protected]?

https://www.mojoportal.com/Forums/Thread.aspx?pageid=5&t=2902~-1

---

(April 19, 2022, 01:18 PM)Internetdreams Wrote: [email protected]:admin
edit the fragment1.htm on filemanager as a aspx webshell go copy it to /logos/fragment1.aspx. go to /Data/Sites/1/media/logos/fragment1.aspx

---

then look at getbADpasswords and fetch creds and spray

Stuck on getting shell. My aspx file is not rending.

Worked for me:
- In File Manager, edit htmlfragments/fragment1.htm. You can replace it with a simple ASPX hello world.
- Select Copy, change the extensions to aspx and change the destination folder to logos
- Now after copying I don't see the new file in the File Manager under logos, but I can open it with http://hathor.htb/Data/Sites/1/media/logos/fragment1.aspx

Catching a rev shell from the aspx is painful, anybody got any tips for that ?

(April 19, 2022, 05:51 PM)joeydalips Wrote: Catching a rev shell from the aspx is  painful,  anybody got any tips  for that ?

This one worked for me: https://github.com/borjmz/aspx-reverse-shell

(April 19, 2022, 06:14 PM)user534915 Wrote:

(April 19, 2022, 05:51 PM)joeydalips Wrote: Catching a rev shell from the aspx is  painful,  anybody got any tips  for that ?

This one worked for me: https://github.com/borjmz/aspx-reverse-shell

Very nice,  moved on to the one user  + password enumeration spraying now

I've got the username and the hash. Which tool do you use for password spraying?