HTB - Blazorized
by bmoon10 - Saturday June 29, 2024 at 07:00 PM
#61
(Jun 30, 2024, 03:10 PM)ritualist Wrote:
(Jun 30, 2024, 02:19 PM)jeff1998 Wrote: finally fucking rooted.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
blazorized\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-a----        5/29/2024  3:42 PM            159 note.txt
-ar---        6/29/2024  10:58 PM            34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

The logon script is the correct path. My mistake is that I didn't test it in my local lab before sending the payload to the HTB box, so I didn't realize my payload was wrong the whole day. PS: Use msfvenom to create a .bat backdoor.

Can you share any pointers on how to work with those scripts?
I just see a ton of empty batch files. I tried to bruteforce put some payload in all of them ? but no luck.
Something like SharpGPOAbuse?

u just need to create your own .bat script, put it on there, and then set the ScriptPath using Set-ADUser
Reply
#62
Check the dll file, we have some information we can use for the authentication. (Blazorized.Helpers seems to have good information)
Reply
#63
(Jun 30, 2024, 03:15 PM)jeff1998 Wrote:
(Jun 30, 2024, 03:10 PM)ritualist Wrote:
(Jun 30, 2024, 02:19 PM)jeff1998 Wrote: finally fucking rooted.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
blazorized\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-a----        5/29/2024  3:42 PM            159 note.txt
-ar---        6/29/2024  10:58 PM            34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

The logon script is the correct path. My mistake is that I didn't test it in my local lab before sending the payload to the HTB box, so I didn't realize my payload was wrong the whole day. PS: Use msfvenom to create a .bat backdoor.

Can you share any pointers on how to work with those scripts?
I just see a ton of empty batch files. I tried to bruteforce put some payload in all of them ? but no luck.
Something like SharpGPOAbuse?

u just need to create your own .bat script, put it on there, and then set the ScriptPath using Set-ADUser

Problem is that the last login I am getting (after resetting the box) is 3 days ago. There has to be a way to force a login, else.... how?
Reply
#64
(Jun 30, 2024, 03:38 PM)spamdegratis5 Wrote:
(Jun 30, 2024, 03:26 PM)Blackoofconsequently Wrote:
(Jun 30, 2024, 03:15 PM)jeff1998 Wrote:
(Jun 30, 2024, 03:10 PM)ritualist Wrote:
(Jun 30, 2024, 02:19 PM)jeff1998 Wrote: finally fucking rooted.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
blazorized\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-a----        5/29/2024  3:42 PM            159 note.txt
-ar---        6/29/2024  10:58 PM            34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

The logon script is the correct path. My mistake is that I didn't test it in my local lab before sending the payload to the HTB box, so I didn't realize my payload was wrong the whole day. PS: Use msfvenom to create a .bat backdoor.

Can you share any pointers on how to work with those scripts?
I just see a ton of empty batch files. I tried to bruteforce put some payload in all of them ? but no luck.
Something like SharpGPOAbuse?

u just need to create your own .bat script, put it on there, and then set the ScriptPath using Set-ADUser

Problem is that the last login I am getting (after resetting the box) is 3 days ago. There has to be a way to force a login, else.... how?

Aren't you looking at the pwdlastset? My box is updating the lastlogon every minute, but I haven't had any luck with the .bat.

Nope, LastLogonDate. LastLogoff is literally blank.
Reply
#65
(Jun 30, 2024, 03:38 PM)spamdegratis5 Wrote:
(Jun 30, 2024, 03:26 PM)Blackoofconsequently Wrote:
(Jun 30, 2024, 03:15 PM)jeff1998 Wrote:
(Jun 30, 2024, 03:10 PM)ritualist Wrote:
(Jun 30, 2024, 02:19 PM)jeff1998 Wrote: finally fucking rooted.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> whoami
blazorized\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime        Length Name
----                -------------        ------ ----
-a----        5/29/2024  3:42 PM            159 note.txt
-ar---        6/29/2024  10:58 PM            34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>

The logon script is the correct path. My mistake is that I didn't test it in my local lab before sending the payload to the HTB box, so I didn't realize my payload was wrong the whole day. PS: Use msfvenom to create a .bat backdoor.

Can you share any pointers on how to work with those scripts?
I just see a ton of empty batch files. I tried to bruteforce put some payload in all of them ? but no luck.
Something like SharpGPOAbuse?

u just need to create your own .bat script, put it on there, and then set the ScriptPath using Set-ADUser

Problem is that the last login I am getting (after resetting the box) is 3 days ago. There has to be a way to force a login, else.... how?

Aren't you looking at the pwdlastset? My box is updating the lastlogon every minute, but I haven't had any luck with the .bat.

Tried setting the scriptpath for ssa_6010 using

get-aduser ssa_6010 | set-aduser -scriptpath "C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\startup.bat"

get-aduser ssa_6010 -properties scriptpath
ScriptPath                           : C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\startup.bat

Still, the bat file is not getting executed.

Both LastLogonDate and PasswordLastSet show the past date in my win box

LastLogonDate                        : 6/27/2024 7:18:21 AM
....
PasswordLastSet                      : 2/25/2024 11:56:55 AM
Reply
#66
(Jun 30, 2024, 03:48 PM)bmoon10 Wrote:
(Jun 30, 2024, 03:38 PM)spamdegratis5 Wrote:
(Jun 30, 2024, 03:26 PM)Blackoofconsequently Wrote:
(Jun 30, 2024, 03:15 PM)jeff1998 Wrote:
(Jun 30, 2024, 03:10 PM)ritualist Wrote: Can you share any pointers on how to work with those scripts?
I just see a ton of empty batch files. I tried to bruteforce put some payload in all of them ? but no luck.
Something like SharpGPOAbuse?

u just need to create your own .bat script, put it on there, and then set the ScriptPath using Set-ADUser

Problem is that the last login I am getting (after resetting the box) is 3 days ago. There has to be a way to force a login, else.... how?

Aren't you looking at the pwdlastset? My box is updating the lastlogon every minute, but I haven't had any luck with the .bat.

Both LastLogonDate and PasswordLastSet show the past date in my win box

LastLogonDate                        : 6/27/2024 7:18:21 AM
....
PasswordLastSet                      : 2/25/2024 11:56:55 AM

Well, I feel like a fool. LastLogonDate is not updated in some cases. You need to look at LastLogon, and convert the values. Typical Windows.
Reply
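The attribute difference described in the post above, as an added example that is not part of the original thread: `LastLogonDate` is the AD module's rendering of the replicated `lastLogonTimestamp`, which is refreshed only occasionally, while `lastLogon` is a raw FILETIME stored separately on each domain controller. The function names are hypothetical; `ssa_6010` is the account named in the thread.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory module
# and read access to each domain controller.
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    param([long] $Value)
    # 0 or empty means "never"; FromFileTime(0) would show a misleading 1601 date.
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTime($Value)   # FILETIME: 100 ns ticks since 1601-01-01 UTC
}

function Get-LogonTimeReport {
    param([Parameter(Mandatory)] [string] $Identity)

    # lastLogon is written only on the DC that handled the logon, so query each one.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                 -Properties lastLogon, lastLogonTimestamp, pwdLastSet
        [pscustomobject]@{
            DomainController   = $dc.HostName
            LastLogon          = ConvertFrom-AdFileTime $u.lastLogon
            LastLogonTimestamp = ConvertFrom-AdFileTime $u.lastLogonTimestamp
            PasswordLastSet    = ConvertFrom-AdFileTime $u.pwdLastSet
        }
    }
}

# The newest LastLogon across all DCs is the latest logon any DC has recorded.
Get-LogonTimeReport -Identity 'ssa_6010' |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize
```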
#67
(Jun 30, 2024, 03:53 PM)gihimlek Wrote:
(Jun 30, 2024, 08:26 AM)bmoon10 Wrote:
(Jun 30, 2024, 08:16 AM)ritualist Wrote:
(Jun 30, 2024, 08:11 AM)bmoon10 Wrote:
(Jun 30, 2024, 07:06 AM)ritualist Wrote: For those struggling with the same:
To access the admin dashboard, you have to set the jwt in the local storage (key=jwt).

Looks like SQL injection is next.

well i've changed to the jwt like below with the jwt symmetrical key and have set the local storage with key in key and jwt in value still no luck. Some trivial mistake?

claims/emailaddress": "superadmin@blazorized.htb",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
    "Super_Admin"
  ],
  "exp": <updated timestamp>,
  "iss": "http://api.blazorized.htb",
  "aud": "http://admin.blazorized.htb"
}

Key is jwt, value is the content of the jwt.
jwt=eey...

Thanks a lot for that sql statement, I was still enumerating users.

Thanks a lot for the key.

Funny thing is the admin panel shows this humorous message..

The Super Admin Panel

Hello Super Admin!
Here, you can manage the digital garden.
To avoid latency issues, this super admin panel does not consume the API but speaks to the database directly.
Therefore, please ensure that nobody gets unauthorized access by stealing your JWT!

I'm having the same problem you had before, I've changed everything that needs to be changed on jwt.io, but when I refresh the page with the key it still redirects me to login page

make sure to set the jwt in 'key' and the updated cookie in 'value' under localstorage in your browser.
Reply
#68
(Jun 30, 2024, 03:48 PM)bmoon10 Wrote: Tried setting the scriptpath for ssa_6010 using

get-aduser ssa_6010 | set-aduser -scriptpath "C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\startup.bat"

get-aduser ssa_6010 -properties scriptpath
ScriptPath                          : C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\startup.bat

Still, the bat file is not getting executed.

Both LastLogonDate and PasswordLastSet show the past date in my win box

LastLogonDate                        : 6/27/2024 7:18:21 AM
....
PasswordLastSet                      : 2/25/2024 11:56:55 AM

I think the path has to be relative to NETLOGON
A32FF3AEAA23\startup.bat

You can check with
dir //blazorized.htb/NETLOGON

Still no luck here but I think just putting an exe path in the bat file is too naive
Reply
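A defender-side check for the condition this part of the thread relies on, as an added example that is not part of the original thread: it lists every account with a `scriptPath`, resolves it against the NETLOGON share (where the value is normally relative), and reports principals outside a trusted list that can write to the script or its folder. The function names and the trusted list are assumptions to adjust for your domain.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory module and
# read access to the NETLOGON share. $trusted is an assumption: adjust per domain.
Import-Module ActiveDirectory

function Get-UntrustedWriter {
    param([string] $Path, [string[]] $Trusted)
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write) -and
            $_.IdentityReference.Value -notin $Trusted
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-LogonScriptAudit {
    $domain   = Get-ADDomain
    $netlogon = "\\$($domain.DNSRoot)\NETLOGON"
    $trusted  = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
        "$($domain.NetBIOSName)\Domain Admins",
        "$($domain.NetBIOSName)\Enterprise Admins"
    )

    Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath | ForEach-Object {
        $user   = $_
        $rooted = [System.IO.Path]::IsPathRooted($user.scriptPath)
        $full   = if ($rooted) { $user.scriptPath } else { "$netlogon\$($user.scriptPath)" }
        # Check the script and its folder: write access to either lets the content be swapped.
        $targets = @($full, (Split-Path -Path $full -Parent)) |
            Where-Object { Test-Path -LiteralPath $_ }
        [pscustomobject]@{
            User             = $user.SamAccountName
            ScriptPath       = $user.scriptPath
            RelativeToShare  = -not $rooted
            Exists           = Test-Path -LiteralPath $full
            UntrustedWriters = @($targets |
                ForEach-Object { Get-UntrustedWriter $_ $trusted } | Sort-Object -Unique)
        }
    }
}

# Show only entries that need review: missing file, rooted path, or untrusted writers.
Get-LogonScriptAudit |
    Where-Object { -not $_.Exists -or -not $_.RelativeToShare -or $_.UntrustedWriters } |
    Format-List
```

Changes to the attribute itself are recorded as event ID 5136 on domain controllers when directory service change auditing is enabled for user objects.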
#69
Anyone getting this error when using "setspn -Q blazorized.htb/rsa_4810" or "setspn -Q */*",

Error occurred when searching for existing SPN: 0x00000051
?

Also, do people get any feedback when running PowerView?
I did "powershell -ep bypass", then ". .\PowerView.ps1" and tried to run any powerview command but get nothing back.
Reply
#70
(Jun 30, 2024, 04:16 PM)fgdh Wrote: Anyone getting this error when using "setspn -Q blazorized.htb/rsa_4810" or "setspn -Q */*",

Error occurred when searching for existing SPN: 0x00000051
?

Also, do people get any feedback when running PowerView?
I did "powershell -ep bypass", then ". .\PowerView.ps1" and tried to run any powerview command but get nothing back.

I was having this issue. Fixed by using rlwrap nc -lvnp instead of just nc on its own. Then I could use ipmo powerview.ps1 and it worked fine for me.
Reply