HTB - Manager [Discussion]
by webzi - Saturday October 21, 2023 at 06:09 PM
#21
(Oct 22, 2023, 06:35 AM)fl0werbomb Wrote: User: 
1. Use Crackmapexec to get a list of users via RID bruteforcing

crackmapexec smb manager.htb -u 'anonymous' -p '' --rid-brute

2. You should have the following users:
  • Zhong
  • Cheng
  • Ryan
  • Raven
  • JinWoo
  • ChinHae
  • Operator

The "Operator" account looks interesting. Try to guess the password.
Hint:
#!/usr/bin/python3

# Read the enumerated usernames and print them in lower case
with open('users-plain.txt', 'r') as f:
    users = ''.join(f)

print(users.lower())

3. "Operator" can login to the MSSQL server. Use this syntax:
impacket-mssqlclient -p 1433 -windows-auth -dc-ip 10.10.11.236 "manager.htb/Operator:<password>"@10.10.11.236

4. There is a special stored procedure that lets you traverse the filesystem via MSSQL. Use that to explore an attack surface you thought wasn't exploitable. 

5. Download that interesting archive and see where it takes you

then root is textbook shit outlined here: https://book.hacktricks.xyz/windows-hard...n#attack-2

remember to faketime / sync clock to DC.

be quick with commands. prepare them previously so you can exec faster.

grabbing that hash and trying to crack it does not lead anywhere and it is not required.
#22
@fl0werbomb damn bro thankssss for the hint
but how I could get the "operator" user password?

@fl0werbomb MSSQL Bruteforce or SMB?

@peRd1 please tell me bro
how did you crack the "Operator" User Password?
#23
(Oct 22, 2023, 06:55 AM)al3 Wrote: @fl0werbomb damn bro thankssss for the hint
but how I could get the "operator" user password?

@fl0werbomb MSSQL Bruteforce or SMB?

@peRd1 please tell me bro
how did you crack the "Operator" User Password?
two posts earlier fl0werbomb's hint pretty much explains how. it is a really weak password. can be guessed.

PM if you cannot.
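Added example, not part of any post in this thread: a defender-side check for the weakness the posts above describe, an account password that can be guessed from the account name. The function names, the normalisation rules and the candidate passwords are assumptions constructed for illustration; only the account names come from the thread.

```python
import re

# Lossy canonical map applied to BOTH the account name and the candidate
# password, so common character swaps compare equal (assumed rule set).
CANON = str.maketrans({
    "0": "o", "1": "i", "l": "i", "!": "i", "3": "e",
    "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})


def _core(text: str) -> str:
    """Casefold, undo character swaps, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.casefold().translate(CANON))


def is_name_derived(account: str, candidate: str, min_len: int = 3) -> bool:
    """True if the candidate password is built around the account name.

    Catches the name itself in any case, the reversed name, swapped
    characters, and padding with digits or symbols.
    """
    name = _core(account)
    pw = _core(candidate)
    if len(name) < min_len or not pw:
        return False  # name too short to match reliably, or empty candidate
    return name in pw or name[::-1] in pw


def audit(pairs):
    """Return the account names whose candidate password must be rejected."""
    return [acct for acct, pw in pairs if is_name_derived(acct, pw)]


# Constructed sample input: account names from the thread, passwords invented.
SAMPLE = [
    ("Operator", "operator"),
    ("JinWoo", "J1nW00!2023"),
    ("Raven", "nevaR#1"),
    ("Cheng", "T9#kd!vQ2xLm"),
]

if __name__ == "__main__":
    for acct in audit(SAMPLE):
        print(f"reject: password for {acct} is derived from the account name")
```

A check like this belongs wherever passwords are set or reset, so a name-derived value is refused before it reaches the directory.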
#24
Yes, but how did you do
Crackmapexec?
#25
i am using rockyou.txt to bruteforce password but did not work
#26
could you tell more about 4 point? what attack you're talking about? im stuck on that
#27
(Oct 22, 2023, 08:51 AM)blade33 Wrote:
could you tell more about 4 point? what attack you're talking about? im stuck on that

after mssql type help and see the list of commands. which command is about directories? nah with that command you can look around and find that something.
#28
(Oct 22, 2023, 09:17 AM)peRd1 Wrote:
after mssql type help and see the list of commands. which command is about directories? nah with that command you can look around and find that something.

oh fuck, i just realized i was mistyping inetpub all the time, thanks anyway

so how am i supposed to get shell on there? i got Raven's password, which tool should i use?
when i use evil-winrm i got that error: Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error.
using it with -S flag for ssl and it just hangs, god i fucking hate windows boxes
#29
(Oct 22, 2023, 09:28 AM)blade33 Wrote:
oh fuck, i just realized i was mistyping inetpub all the time, thanks anyway

so how am i supposed to get shell on there? i got Raven's password, which tool should i use?
when i use evil-winrm i got that error: Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error.
using it with -S flag for ssl and it just hangs, god i fucking hate windows boxes

i got user with evil-winrm, but something might be up with the box. got all sorts of connection probs
#30
I'm getting this error on the -issue-request
[-] Got access denied trying to issue certificate

Can someone help me with this?