TUTORIAL HTB pivotapi [DISCUSSION]
by pheonix2021 - May 08, 2021 at 04:59 PM
#49
(May 12, 2021 at 08:46 PM)xploiter Wrote:
(May 12, 2021 at 08:25 PM)coolencyclopedia Wrote:
(May 12, 2021 at 08:15 PM)paulwatson42016 Wrote:
(May 12, 2021 at 07:07 PM)Wp1MzFJ Wrote:
(May 12, 2021 at 06:32 PM)davebrew2 Wrote: I’m having difficulty examining the one you get from decoding the base64. I.e. the second .exe. I’m probably using the wrong tools, but haven’t been able to extract credentials.

Sometimes more active approaches are easier.

Really clueless on privescing here. Seems like the SSH-access was unintentional as that was removed.

No, that is always not there
Unintended is ways to root before user flag
how do you do it but.

crack the hash, login to SMB, read the messages, analyze the binary, get the other binary, analyze it, get into mssql, now what remains is common sense :)

Heya.. got access to mssql, OS commands are successful but ping back is not happening.. anyone faced the same issue?
Thanks
#50
When we execute the first binary it creates a second binary, but I can't find the second binary. Can anyone help, please? I am confused.
#51
Use procdump. You will see the exe file creates a Windows batch file. You need to capture that somehow, because when the exe file exits, it gets deleted. That batch file will create the 2nd exe file.
#52
How did you get this hash??
#53
I am getting the error below when I connect to MSSQL. Did anyone face the same issue? Can someone help me out here?

└─# mssqlclient.py -port 1433 [email protected]
Impacket v0.9.23.dev1+20210519.170900.2f5c2476 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(PIVOTAPI\SQLEXPRESS): Line 1: Error de inicio de sesión del usuario 'sa'.
#54
CMD MSSQL$[email protected] C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Stuck
#55
Okay, so I know this Python shell to upload the printspoofer.exe to the system, however firewall blocks all the traffic, how did this script upload the file to the server? I don't care about flag and root, wanna learn this. Please help
#56
(May 28, 2021 at 10:50 AM)hashbang Wrote: Okay, so I know this Python shell to upload the printspoofer.exe to the system, however firewall blocks all the traffic, how did this script upload the file to the server? I don't care about flag and root, wanna learn this. Please help

https://github.com/Alamot/code-snippets/...l_shell.py
#57
(May 27, 2021 at 07:04 PM)lepaklepak Wrote: CMD MSSQL$[email protected] C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Stuck

Did anyone get Juicy Potato working here?
#58
(June 01, 2021 at 10:07 AM)Buttmuncher Wrote:
(May 27, 2021 at 07:04 PM)lepaklepak Wrote: CMD MSSQL$[email protected] C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Stuck

Did anyone get Juicy Potato working here?

for me worked well for user.txt but didn't for root.txt, the same problem, think it is a problem with the pipe.
#59
(June 01, 2021 at 12:42 PM)pinco4president Wrote:
(June 01, 2021 at 10:07 AM)Buttmuncher Wrote:
(May 27, 2021 at 07:04 PM)lepaklepak Wrote: CMD MSSQL$[email protected] C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Stuck

Did anyone get Juicy Potato working here?

for me worked well for user.txt but didn't for root.txt, the same problem, think it is a problem with the pipe.

ah, ok - I can't even get it to work for user :( :)
#60
(June 01, 2021 at 02:42 PM)Buttmuncher Wrote:
(June 01, 2021 at 12:42 PM)pinco4president Wrote:
(June 01, 2021 at 10:07 AM)Buttmuncher Wrote:
(May 27, 2021 at 07:04 PM)lepaklepak Wrote: CMD MSSQL$[email protected] C:\temp> printspoofer.exe -i -c "powershell -c type C:\Users\3v4Si0N\Desktop\user.txt"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.

Stuck

Did anyone get Juicy Potato working here?

for me worked well for user.txt but didn't for root.txt, the same problem, think it is a problem with the pipe.

ah, ok - I can't even get it to work for user :( :)

also for user.txt is not working, this way is patched
