Posts: 4
Threads: 0
Joined: Nov 2024
nice one  this helped me figure out a lot where i went absolutely the wrong direction ^^
Posts: 36
Threads: 0
Joined: Aug 2024
how do you get a reverse shell through bio? This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Selling in HTB Subforum
Posts: 20
Threads: 0
Joined: Dec 2023
seems that got patched.
[-] RunasCsException: Selected logon type '5' is not granted to the user 'wao'. Use available logon type '3'.
so this user have no this priv for now. and with possible logon type 3 you can not get system.
Posts: 3
Threads: 0
Joined: Oct 2024
(Oct 30, 2024, 05:07 PM)whitedevilkali Wrote: (Oct 29, 2024, 06:43 PM)B00by Wrote: thanks for sharing. I unlocked this content after i solved the box to find out some questions ...
In nearly all groups we can read the Password for user wao. My question is what's the right way to get the password from wao.
Maybe someone can explain this. Thx in advanced
thanks for apprcission
ok listen
after getting the rev shell through bio you see all the users also you see web dir in that powershell
in that web you obseverve
this
custom_prompt> cd ..
custom_prompt>
custom_prompt> pwd
Path
----
C:\
custom_prompt> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 11:58 AM PerfLogs
d-r--- 10/16/2024 9:13 AM Program Files
d----- 2/15/2024 1:04 PM Program Files (x86)
d----- 2/12/2024 5:25 PM tmp
d-r--- 3/2/2024 2:39 PM Users
d----- 2/25/2024 4:42 PM Web
d----- 10/16/2024 10:24 AM Windows
custom_prompt> cd Users
custom_prompt> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/18/2024 11:20 AM Administrator
d----- 3/2/2024 2:39 PM Choco.L
d----- 2/12/2024 6:19 PM John.D
d----- 2/28/2024 1:17 PM Nya.R
d-r--- 2/12/2024 2:29 PM Public
d----- 9/13/2024 2:31 AM Rose.L
d----- 9/14/2024 9:36 AM WAO
custom_prompt> cd ..
custom_prompt> cd web
custom_prompt> dir
Directory: C:\web
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/25/2024 4:53 PM DB Backups
d----- 2/12/2024 4:54 PM nginx-1.24.0
d----- 10/29/2024 2:03 PM University
custom_prompt> cd "DB Backups"
custom_prompt> dir
Directory: C:\web\DB Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/25/2023 12:03 AM 24215 DB-Backup-2023-01-25.zip
-a---- 2/25/2023 12:03 AM 24215 DB-Backup-2023-02-25.zip
-a---- 3/25/2023 12:03 AM 24215 DB-Backup-2023-03-25.zip
-a---- 4/25/2023 12:04 AM 24215 DB-Backup-2023-04-25.zip
-a---- 5/25/2023 12:04 AM 24215 DB-Backup-2023-05-25.zip
-a---- 6/25/2023 12:04 AM 24215 DB-Backup-2023-06-25.zip
-a---- 7/25/2023 12:04 AM 24215 DB-Backup-2023-07-25.zip
-a---- 8/25/2023 12:04 AM 24215 DB-Backup-2023-08-25.zip
-a---- 9/25/2023 12:05 AM 24215 DB-Backup-2023-09-25.zip
-a---- 10/25/2023 12:05 AM 24215 DB-Backup-2023-10-25.zip
-a---- 11/25/2023 12:05 AM 24215 DB-Backup-2023-11-25.zip
-a---- 12/25/2023 12:05 AM 24215 DB-Backup-2023-12-25.zip
-a---- 1/25/2024 12:06 AM 24215 DB-Backup-2024-01-25.zip
-a---- 2/25/2024 12:06 AM 24215 DB-Backup-2024-02-25.zip
-a---- 3/25/2024 12:07 AM 24215 DB-Backup-2024-03-25.zip
-a---- 4/25/2024 12:07 AM 24215 DB-Backup-2024-04-25.zip
-a---- 10/14/2024 9:35 AM 386 db-backup-automator.ps1
custom_prompt> cat db-backup-automator.ps1
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand
i hope you got it
happy learning
and once again thanks❤️
How did you get access to the box? With which account?
Posts: 15
Threads: 3
Joined: Sep 2024
(Nov 24, 2024, 01:06 PM)Ieloma3 Wrote: (Oct 30, 2024, 05:07 PM)whitedevilkali Wrote: (Oct 29, 2024, 06:43 PM)B00by Wrote: thanks for sharing. I unlocked this content after i solved the box to find out some questions ...
In nearly all groups we can read the Password for user wao. My question is what's the right way to get the password from wao.
Maybe someone can explain this. Thx in advanced
thanks for apprcission
ok listen
after getting the rev shell through bio you see all the users also you see web dir in that powershell
in that web you obseverve
this
custom_prompt> cd ..
custom_prompt>
custom_prompt> pwd
Path
----
C:\
custom_prompt> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2022 11:58 AM PerfLogs
d-r--- 10/16/2024 9:13 AM Program Files
d----- 2/15/2024 1:04 PM Program Files (x86)
d----- 2/12/2024 5:25 PM tmp
d-r--- 3/2/2024 2:39 PM Users
d----- 2/25/2024 4:42 PM Web
d----- 10/16/2024 10:24 AM Windows
custom_prompt> cd Users
custom_prompt> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/18/2024 11:20 AM Administrator
d----- 3/2/2024 2:39 PM Choco.L
d----- 2/12/2024 6:19 PM John.D
d----- 2/28/2024 1:17 PM Nya.R
d-r--- 2/12/2024 2:29 PM Public
d----- 9/13/2024 2:31 AM Rose.L
d----- 9/14/2024 9:36 AM WAO
custom_prompt> cd ..
custom_prompt> cd web
custom_prompt> dir
Directory: C:\web
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/25/2024 4:53 PM DB Backups
d----- 2/12/2024 4:54 PM nginx-1.24.0
d----- 10/29/2024 2:03 PM University
custom_prompt> cd "DB Backups"
custom_prompt> dir
Directory: C:\web\DB Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/25/2023 12:03 AM 24215 DB-Backup-2023-01-25.zip
-a---- 2/25/2023 12:03 AM 24215 DB-Backup-2023-02-25.zip
-a---- 3/25/2023 12:03 AM 24215 DB-Backup-2023-03-25.zip
-a---- 4/25/2023 12:04 AM 24215 DB-Backup-2023-04-25.zip
-a---- 5/25/2023 12:04 AM 24215 DB-Backup-2023-05-25.zip
-a---- 6/25/2023 12:04 AM 24215 DB-Backup-2023-06-25.zip
-a---- 7/25/2023 12:04 AM 24215 DB-Backup-2023-07-25.zip
-a---- 8/25/2023 12:04 AM 24215 DB-Backup-2023-08-25.zip
-a---- 9/25/2023 12:05 AM 24215 DB-Backup-2023-09-25.zip
-a---- 10/25/2023 12:05 AM 24215 DB-Backup-2023-10-25.zip
-a---- 11/25/2023 12:05 AM 24215 DB-Backup-2023-11-25.zip
-a---- 12/25/2023 12:05 AM 24215 DB-Backup-2023-12-25.zip
-a---- 1/25/2024 12:06 AM 24215 DB-Backup-2024-01-25.zip
-a---- 2/25/2024 12:06 AM 24215 DB-Backup-2024-02-25.zip
-a---- 3/25/2024 12:07 AM 24215 DB-Backup-2024-03-25.zip
-a---- 4/25/2024 12:07 AM 24215 DB-Backup-2024-04-25.zip
-a---- 10/14/2024 9:35 AM 386 db-backup-automator.ps1
custom_prompt> cat db-backup-automator.ps1
$sourcePath = "C:\Web\University\db.sqlite3"
$destinationPath = "C:\Web\DB Backups\"
$7zExePath = "C:\Program Files\7-Zip\7z.exe"
$zipFileName = "DB-Backup-$(Get-Date -Format 'yyyy-MM-dd').zip"
$zipFilePath = Join-Path -Path $destinationPath -ChildPath $zipFileName
$7zCommand = "& `"$7zExePath`" a `"$zipFilePath`" `"$sourcePath`" -p'WebAO1337'"
Invoke-Expression -Command $7zCommand
i hope you got it
happy learning
and once again thanks❤️
How did you get access to the box? With which account?
by creating rev shell through bio
Posts: 7
Threads: 1
Joined: Nov 2024
I can't get rev shell with the CVE, I don't know what's the issue it's always returns 0 bytes is there any tweak needed ?
Posts: 11
Threads: 0
Joined: Mar 2024
Posts: 31
Threads: 2
Joined: Nov 2024
Let's take a look, I just looking for wp of this machine. Hope it's no patched.
Posts: 47
Threads: 1
Joined: Nov 2024
Looks like its been patched, but someone here posted the admin hash for PTH and you can Evil-WinRM in without issue using it. otherwise you'll need to look for the intended path instead
Posts: 56
Threads: 2
Joined: Aug 2023
Dec 27, 2024, 11:08 AM
(This post was last modified: Dec 27, 2024, 11:09 AM by ghostess256.)
thanks bruhv great share
thanks bruhv great share
(Oct 27, 2024, 09:02 AM)HTBcracker Wrote: (Oct 27, 2024, 08:15 AM)whitedevilkali Wrote:
is this a writeup or just hashes?
|
