Possibly Related Threads…

**RedBlock** · Jan 11, 2025, 03:43 PM

Season 7 is finally here.

**RedBlock** · (This post was last modified: Jan 11, 2025, 07:06 PM by RedBlock.)

As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su

Nmap scan report for escapetwo.htb (10.10.11.51)
Host is up (0.044s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1433/tcp open ms-sql-s
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

**RedBlock** · Jan 11, 2025, 08:16 PM

Administrator -H 7a8d4e04986afa8ed4060f75e5a0b3ff

macavitysworld · Jan 11, 2025, 08:22 PM

- xlsx files
- get creds
- mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

BlackBeer · Jan 11, 2025, 08:59 PM

I've been suck on this box all day. Thank you LostGem and macavitysworld!

VoidNull · Jan 11, 2025, 09:28 PM

(Jan 11, 2025, 08:22 PM)macavitysworld Wrote: - xlsx files
- get creds
- mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Got any more tips for the xlsx files? Should they be found on the SMB share that are available?

**RedBlock** · Jan 11, 2025, 09:32 PM

(Jan 11, 2025, 09:28 PM)VoidNull Wrote:
(Jan 11, 2025, 08:22 PM)macavitysworld Wrote: - xlsx files
- get creds
- mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Got any more tips for the xlsx files? Should they be found on the SMB share that are available?

smbmap -H 10.10.11.51 -u rose -p 'KxEPkKe6R8su'
IP: 10.10.11.51:445 Name: esc.htb Status: Authenticated Disk Permissions Comment

Accounting Department READ ONLY ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON READ ONLY Logon server share SYSVOL READ ONLY Logon server share Users READ ONLY
and then
smbclient //10.10.11.51/Accounting\ Department -U rose

will show the files

VoidNull · Jan 11, 2025, 09:36 PM

(Jan 11, 2025, 09:32 PM)LostGem Wrote:
(Jan 11, 2025, 09:28 PM)VoidNull Wrote:
(Jan 11, 2025, 08:22 PM)macavitysworld Wrote: - xlsx files
- get creds
- mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Got any more tips for the xlsx files? Should they be found on the SMB share that are available?

smbmap -H 10.10.11.51 -u rose -p 'KxEPkKe6R8su'
IP: 10.10.11.51:445 Name: esc.htb Status: Authenticated Disk Permissions Comment

Accounting Department READ ONLY ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON READ ONLY Logon server share SYSVOL READ ONLY Logon server share Users READ ONLY
and then
smbclient //10.10.11.51/Accounting\ Department -U rose

will show the files

Oh my. Well of course. Forgot about the necessity of backslash in spaces. Thanks alot Smile

Asdjkl01 · Jan 11, 2025, 09:38 PM

Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

userhere123 · Jan 11, 2025, 09:53 PM

(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

accounts.xlsx --> sharedStrings.xml

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	385	95,811	2 hours ago Last Post: rasa420
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	96	8,792	2 hours ago Last Post: rasa420
	[FREE] CPTS 12 FLAGS	pulsebreaker	86	3,094	3 hours ago Last Post: Mr_root
	[FREE] HackTheBox Academy - CAPE Path Study	Techtom	45	4,527	3 hours ago Last Post: BlazeFury
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	29	2,692	9 hours ago Last Post: newuser201