Geesh, so many resets this morning can’t do anything useful.
I was successful with mimikatz at getting admin’s password (wanted to try multiple paths to root.txt).
Did anyone have any tips for getting that password via a powershell run from security instead? I am having trouble finding any DPAPI powershell scripts that would dump the clear-text passwords out to me without requiring Admin privilege.
I’m wanting to learn and practice other methods.
I tried one powershell script that is suppose to work with older powershell versions.
c*m.ps1 and I got it to run, but the Cred.CredentialBlob just came back blank.
I guess the powershell is too old to get the data I want.
I’m curious if anyone went the ic—s route, PM me if you did, I feel like ic—s is meant to be a rabbit hole because the root file is denied no matter what type of magic you try to pull on it other than the base r—s simple method; unless you manage to reverse shell or mimikatz it from ls–s.
Would appreciate PM from anyone who was able to get shell with NT Authority/System privileges. I would like to know more on how you were able to do so.
@B1ngDa0 said:
@r0dr1gs said:
@B1ngDa0 said:
i got user.txt, it easy, the most important thing of user.txt, is the ****db should get on windows, if u get it on linux , the file is diffirent. i want hit of root.txt, i have no ideal, plz pm meI got the *.db files and found 3 credentials in a table’s , but i couldn’t connect to the service, what could i possible doing wrong?
Also i know that there is another file C****.zip but i couldn’t donwload it via f***
one credentials if for open the zip. u can use mget *.zip to download the file , then use credentials open it then…
This part seems so obvious for most but I’m still struggling. The 3 credentials I was able to find but they don’t work anywhere. I’ve tried using them for the unzip with no luck. The hints about the **db on windows is discouraging as I don’t have a windows system to open with.
@kaji said:
@B1ngDa0 said:
@r0dr1gs said:
@B1ngDa0 said:
i got user.txt, it easy, the most important thing of user.txt, is the ****db should get on windows, if u get it on linux , the file is diffirent. i want hit of root.txt, i have no ideal, plz pm meI got the *.db files and found 3 credentials in a table’s , but i couldn’t connect to the service, what could i possible doing wrong?
Also i know that there is another file C****.zip but i couldn’t donwload it via f***
one credentials if for open the zip. u can use mget *.zip to download the file , then use credentials open it then…
This part seems so obvious for most but I’m still struggling. The 3 credentials I was able to find but they don’t work anywhere. I’ve tried using them for the unzip with no luck. The hints about the **db on windows is discouraging as I don’t have a windows system to open with.
You’re looking in the right place. Have you tried using the str**s command to search the mdb file contents? Try unzipping the file using the gui interface since it’s easier (I can’t remember if I did it via command line or gui). It’ll ask you for a password to unlock it. I guarantee you one of those creds you found in the mdb file will unlock it.
I feel like my sanity is being tested here. Can anyone drop me a PM as I want to check if I am on the right path for Priv Esc, as I have never faced this output before.
Cheers
Hi guys… This is my first HTB, I don’t like to ask and I have figured a lot out myself and reading through this thread. I have passwords, I have collected data etc, but i’m just a little stuck how to progress, I know it’ll be something simple… I can’t seem to get anywhere with t…net unless this is a rabbithole? apologies for the n00b message… Any help would be appreciated
@itomtech said:
Hi guys… This is my first HTB, I don’t like to ask and I have figured a lot out myself and reading through this thread. I have passwords, I have collected data etc, but i’m just a little stuck how to progress, I know it’ll be something simple… I can’t seem to get anywhere with t…net unless this is a rabbithole? apologies for the n00b message… Any help would be appreciated
This was staring me right in the face… literally the only combination I hadn’t tried… FFS!!! haha
I was able to get the user.txt thanks to @B1ngDa0 .
Now i’m little bit lost what to do next? I know that i’ve to acess Admin’s Desktop to get the r***.
Should i keep going trough runas commands ??
@r0dr1gs said:
I was able to get the user.txt thanks to @B1ngDa0 .Now i’m little bit lost what to do next? I know that i’ve to acess Admin’s Desktop to get the r***.
Should i keep going trough runas commands ??
you can check anea.
Got user after banging my head on a corrupted file for awhile, now struggling on root. I think I know the general idea of the attack, but would love a pm for some help.
I uploaded a shell, but I don’t know where is the directory in where my file awaits for me. Can someone PM me please?
Got domain admin creds ! Remember, always a correct way to say something. Your welcome to pm if hints needed.
Access owned finally. If anyone need help, PM me. 
I was able to get user flag pretty easy but I have no idea how to priv esc. I used the c***** /list to see where stuff is located but I have no idea proper syntax for r**** command! any help please?
Trying to get root. So far I managed to upload files but I cannot execute them. Can anyone PM me a hint?
@d3ku said:
Trying to get root. So far I managed to upload files but I cannot execute them. Can anyone PM me a hint?
U don’t need to upload or download anything , this machine can be done only with runas commands.
The hint that i can give to u it’s to learn runas commands, see some examples and read some topics around the internet.
FOCUS on the runas command and anything send a PM