@B00mer445

Thanks for the help, sure i was trying that lol. but as getting NT_STATUS_IO_TIMEOUT. but fixed that now.

(November 6, 2022, 08:47 AM)yumi Wrote: @B00mer445

Thanks for the help, sure i was trying that lol. but as getting NT_STATUS_IO_TIMEOUT. but fixed that now.

How you did that.

Remember to use backslash in smbclient

Can anyone tell how we go from S.Moon to C.Bum?

how do we get the c.bum hash?

(November 6, 2022, 09:02 AM)11231123 Wrote: Can anyone tell how we go from S.Moon to C.Bum?

try ;
smbclient  \\\\flight.htb\\each_share_and_you_will_ind_the_one_right -U FLIGHT.HTB/C.Bum --password='**the_passwd**'

---

(November 6, 2022, 11:14 AM)kujen5 Wrote: how do we get the c.bum hash?

use this to understand the POC:
https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
https://www.youtube.com/watch?v=D2CxjQGjnAk

(November 6, 2022, 11:28 AM)casga Wrote:

(November 6, 2022, 09:02 AM)11231123 Wrote: Can anyone tell how we go from S.Moon to C.Bum?

try ;
smbclient  \\\\flight.htb\\each_share_and_you_will_ind_the_one_right -U FLIGHT.HTB/C.Bum --password='**the_passwd**'

---

(November 6, 2022, 11:14 AM)kujen5 Wrote: how do we get the c.bum hash?

use this to understand the POC:
https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
https://www.youtube.com/watch?v=D2CxjQGjnAk

That's what I figured it was but what share do you drop the payload on? Everything points to the share "Shared" but you can't drop files on it, can only create folders or upload empty folders on it. Do you have to mess around with NTFS permissions or something to be able to drop files on the Shared share as user S.Moon? If I try and put a .lnk/.scf/.url lure on it I get NT_STATUS_ACCESS_DENIED even though the share is READ/WRITE.

(November 6, 2022, 12:06 PM)htbhtbhtb Wrote:

(November 6, 2022, 11:28 AM)casga Wrote:

(November 6, 2022, 09:02 AM)11231123 Wrote: Can anyone tell how we go from S.Moon to C.Bum?

try ;
smbclient  \\\\flight.htb\\each_share_and_you_will_ind_the_one_right -U FLIGHT.HTB/C.Bum --password='**the_passwd**'

---

(November 6, 2022, 11:14 AM)kujen5 Wrote: how do we get the c.bum hash?

use this to understand the POC:
https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
https://www.youtube.com/watch?v=D2CxjQGjnAk

That's what I figured it was but what share do you drop the payload on? Everything points to the share "Shared" but you can't drop files on it, can only create folders or upload empty folders on it. Do you have to mess around with NTFS permissions or something to be able to drop files on the Shared share as user S.Moon? If I try and put a .lnk/.scf/.url lure on it I get NT_STATUS_ACCESS_DENIED even though the share is READ/WRITE.

you can upload .Ink and .ini file. Note that .lnk is not 'l' at beginning but 'i' UPPERCASE. so change file name from file.lnk to file.ink (i UPPERCASE)
. on "Shared"

(November 6, 2022, 12:06 PM)htbhtbhtb Wrote:

(November 6, 2022, 11:28 AM)casga Wrote:

(November 6, 2022, 09:02 AM)11231123 Wrote: Can anyone tell how we go from S.Moon to C.Bum?

try ;
smbclient  \\\\flight.htb\\each_share_and_you_will_ind_the_one_right -U FLIGHT.HTB/C.Bum --password='**the_passwd**'

---

(November 6, 2022, 11:14 AM)kujen5 Wrote: how do we get the c.bum hash?

use this to understand the POC:
https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
https://medium.com/greenwolf-security/ntlm-theft-a-file-payload-generator-for-forced-ntlm-hash-disclosure-2d5f1fe5b964
https://www.youtube.com/watch?v=D2CxjQGjnAk

That's what I figured it was but what share do you drop the payload on? Everything points to the share "Shared" but you can't drop files on it, can only create folders or upload empty folders on it. Do you have to mess around with NTFS permissions or something to be able to drop files on the Shared share as user S.Moon? If I try and put a .lnk/.scf/.url lure on it I get NT_STATUS_ACCESS_DENIED even though the share is READ/WRITE.

try desktop.ini extension  ;)

smbmap -H flight.htb -u S.MOON -p 'S@Ss!K@*t13' --upload desktop.ini Shared\\desktop.ini\\

---

Any hints on after getting cbum?