Academy : WINDOWS PRIVILEGE ESCALATION : Further Credential Theft

Hi, I have got the password (which is hashed?) of the sa user in an .xml file inside the dbvis folder.
However, I tried hashid and it said it is a DNSSEC(NSEC3) hash, which I am highly skeptical of.
Can someone please push me in the right direction?
Thank you.

1 Like

I think you have the wrong hash.
Use a tool to find the password. With it you get the password in cleartext

1 Like

Thanks man, I find it pretty strange because the file in .xml is encrypted with a strange pattern. At first, I thought it was base64 or something similar.

Hi there - having a similar issue and wondering if you figured this out.

When running LaZagne as the Jordan user, the password isn’t returned in cleartext, so I'm wondering what I’m doing wrong.

I’ve also tried running LaZagne as the htb-student user, as well as trying to perform a runas command with some found credentials.

Any help would be appreciated :smiley:

Solved!

The issue lies in downloading a recently compiled (as of 2023) version of LaZagne.exe.

DON’T download a binary and attempt to run it on the box.

Instead, use the provided tools located on the VM, at c:\Tools\.

This will produce the correct results.

Hope this helps someone :slight_smile:

1 Like