HTB - Mist
by ghostess256 - Friday March 29, 2024 at 10:25 PM
#31
(Mar 31, 2024, 03:59 AM)xxxbfacc Wrote: Shell as Brandon is next step

hint for the next step after this?
Reply
#32
what's the next hint?? bro

Reply
#33
The script's primary function appears to be to update a set of shortcut files in a common application directory with a set from a user's AppData\links directory. Before copying, it checks if any of the existing shortcuts in the destination directory differ from those in the source. If they do, it opens the differing destination shortcut before proceeding to overwrite it (along with any other files) with the versions from the source directory.
Reply
#34
(Mar 30, 2024, 09:34 PM)bingle Wrote: got foothold earlier, to do so it's not that hard :
1 - go to mist.htb/data/modules/albums/albums_getimage.php?image=admin_backup.php
2 - crack the password
3 - go to http://mist.htb/admin.php?action=installmodule and upload zip with an exe and a webshell, then run the exe through the webshell
now i found out there is some sort of av, i can't download or run winpeas.

How can I tell that `admin_backup.php` exists? Thank you for providing the solution ideas.
Reply
#35
join our cybersec related server

https://app.hackthebox.com/public/teams/overview/6212
Reply
#36
(Mar 31, 2024, 06:43 AM)Th35t0rm Wrote: Any hint for shell as Brandon ?
Even then, from brandon, it's really faaar away from user, let alone root.
Reply
#37
For brandon:
```powershell
# Source: Brandon's own shortcut folder; destination: the shared application folder
$source = "C:\Users\Brandon.Keywarp\AppData\links"
$destination = "C:\Common Applications"
$sourceFiles = Get-ChildItem -Path $source -Filter *.lnk

foreach ($file in $sourceFiles) {
    $sourceFile = $file.FullName
    $destFile = Join-Path -Path $destination -ChildPath $file.Name
    # Only shortcuts that already exist in the destination are compared
    if (Test-Path -Path $destFile) {
        $sHash = (Get-FileHash -Path $sourceFile -Algorithm SHA256).Hash
        $dHash = (Get-FileHash -Path $destFile -Algorithm SHA256).Hash
        Write-Host $sHash
        Write-Host $dHash
        # A hash mismatch makes the script open the destination shortcut
        if ($sHash -ne $dHash) {
            Invoke-Item $destFile
            Start-Sleep -Seconds 5
        }
    }
}
```

Means you can upload a crafted .lnk file (to the directory in the code above) to trigger a shell and to get the shell as brandon.
Reply
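An added example, not part of the thread and not the machine's own script: a defender's version of the comparison loop from post #37 that reports what a differing shortcut points to instead of opening it with Invoke-Item, plus a check of who can write to the shared folder. The function names and output fields are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Function names and fields are illustrative.
function Compare-ShortcutSet {
    param([Parameter(Mandatory)] [string] $Source,
          [Parameter(Mandatory)] [string] $Destination)
    # WScript.Shell parses a .lnk file without executing its target.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($file in Get-ChildItem -LiteralPath $Source -Filter *.lnk -File) {
        $destFile = Join-Path -Path $Destination -ChildPath $file.Name
        if (-not (Test-Path -LiteralPath $destFile -PathType Leaf)) { continue }

        $sHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dHash = (Get-FileHash -LiteralPath $destFile -Algorithm SHA256).Hash
        if ($sHash -eq $dHash) { continue }

        # The original loop calls Invoke-Item here, which runs whatever the
        # shortcut targets as the account running the script. Report instead.
        $lnk = $shell.CreateShortcut($destFile)
        [pscustomobject]@{
            Shortcut     = $destFile
            Owner        = (Get-Acl -LiteralPath $destFile).Owner
            TargetPath   = $lnk.TargetPath
            Arguments    = $lnk.Arguments
            WorkingDir   = $lnk.WorkingDirectory
            LastWriteUtc = (Get-Item -LiteralPath $destFile).LastWriteTimeUtc
            SourceSha256 = $sHash
            DestSha256   = $dHash
        }
    }
}

# List the allow ACEs that grant file creation or modification on a folder.
# Any principal listed can plant or replace a shortcut the loop acts on.
function Get-WritableAce {
    param([Parameter(Mandatory)] [string] $Path)
    $mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $mask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Paths as they appear in the script posted above.
Compare-ShortcutSet -Source 'C:\Users\Brandon.Keywarp\AppData\links' -Destination 'C:\Common Applications'
Get-WritableAce -Path 'C:\Common Applications'
```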
#38
I've had the shell as brandon for 3 hours but I can't find anything, has anyone made any progress? DM me if possible
Reply
#39
Managed to get ntlm for Brandon.
Was a stupid amount of work.
Not sure it's necessary.
Rabbit hole?
Reply
#40
we cannot crack the ntlm hash of brandon and we cannot enumerate smb shares (without creds)
Reply

