Hi Guys!
I can't perform the PetitPotam (MS-EFSRPC) vulnerability. I can't catch the base64 encoded certificate.
Just trying the examples, doesn't work. “ntlmrelayx error obtaining certificate”
I downloaded another version of ntlmrelayx.py.
Even if I just use the certificate from the example, I can't interact with it on a linux/win host to receive a TGT ccache.
Did you perform this attack?
I join the question.
On the attacking host ATTACK01, something does not pass this attack.((
Same, did either of you get it to work? I also could not get printnightmare to run, did that work for you?
Yea no luck here for me either using ntlmrelayx.py. Using it on the linux pivot host. Keep getting “200 OK” followed by HTTP headers and HTML in the body. I used the following certi.py command as recommended:
getTGT.py 'inlanefreight.local/forend:Klmcargo2'
export KRB5CCNAME=forend.ccache
python3 certi.py list 'inlanefreight.local/forend' -k -n --dc-ip 172.16.5.5 --class ca
The response I get is
I replaced the host name presented in the example on Academy, but then the name doesn’t resolve. I checked /etc/hosts, and ‘Inlanefreight-CA’ isn’t in there. Tried adding it, but still nothing.
Really not sure what’s going on here.
Update: Had to reset the instance a few times before the certificate popped up. You have to wait several seconds. I’d say up to half a minute sometimes before it shows up.
But regardless, using gettgtpkinit.py didn’t yield any results. Python kept throwing an error mentioning “wrong padding”. Tried using double and single quotes around the base64 blob. I’ve reset the instance a few times; same results.
Using Rubeus to gettgt and ptt didn’t work either; replies with
[!] Failed to find certificate for [base64 blob]
Though I did get noPac.py and printnightmare to work.
Not sure how to even start the exercise; it seems I can't ssh or rdp as the forend user. Can ssh as the htb-user but can't find the nopac tool on that box and can't git clone tools into the box because it doesn’t seem to have internet access.
How did you guys start this exercise?
@truthreaper the answers to all of your questions are in the first few paragraphs of the module. If I get stuck like that then I usually just reread and find the answer.
ya realized tools needed are in the /opt directory