rooted. and great thanks to @lim8en1
Got root on linux container and found cache and db files. But not able to perform auth on the main box. Someone pls guide me to the point pls.
Guys I need help! I'm trying to submit the ssh key and continually get blocked by invalid key. I know the key should be valid and is correctly generated (Pretty sure). What am I missing?
For the last step, I suggest to look at this oneliner with attention, and grab the info you need (you must have metasploit updated please xD), and use the SAMLtracer extension to take that information:
root@kali:~# python3 ./CVE-2022-47966.py --url https://10.0.40.90:8443/samlLogin/<guid> --issuer https://sts.windows.net/<guid>/ --command notepad.exe
Just look at the validator in the source code. It's easy to find by the error message. ((With or without a passphrase?))
can you share the script?
I've done it with both a passphrase and no passphrase. Nothing. It's so frustrating! I'm missing something small.
openssl_pkey_get_private idk if it's already PEM
If in the last part of privesc you can't get a response from the DC via proxy or port forwarding, just don't try. Once everything is working and you are completely sure, you can do something else as an administrator. New admin, for example, by using metasploit payload cmd/windows/adduser.
I think I'm making progress… I've made it to root within the container, and I've found a hash for a user (who I'm guessing is my next attack point), but JTR is telling me it'll take nearly 3 hours on the knackered old laptop I use for HTB…
Before I leave John running, is this a rabbit hole…?
On the final step and feels like I just need to find the issuer_url. Any hints or tips for this?
Ah finally got root!
Congratulations
Hi there,
I'm working hard to get the root flag and now I'm on the adfs login. I don't know why, but no login page will come up in firefox. I see SAML in saml tracer, but there is no possibility to login ( https://dc.cerberus.local/adfs/ls/?SAMLRequest=…).
Do you have any idea where the problem could be?
Because if I understand correctly, without login I will not be able to move forward.
Or is it enough to have the SAML data summary that I already see in the tracer, without login?
The strange thing is that the next step with this data did not finish successfully.
Thanks a lot for any advice.
Try to get redirected there by another service
Finally got root. It was a fight, but I learned a lot of new things.
Thanks a lot to @mrsBlue and @supermeisty for the big help, and I really appreciate their patience.
Thank you so much once more.
Hey guys, hope y'all doing well.
I'm stuck on Linux machine. I've already done port forwarding from dc.cerberus.local and tried to login with some users via winrm with keytab ntlm, but I think I'm on the wrong path.
I've also run linpeas as root, but I haven't found anything interesting other than secrets.ldb from which I don't have the mkey to extract.
Can anyone please give me a tip? 3 days I've been stuck and I'm starting to have nightmares about this machine lol.
Thanks in advance!
Hi, can anyone tell me what is happening in this machine? Can you explain everything to me?
please dm
So I am stuck at pivoting for Priv Esc.
Here is my most recent trial.
I have root on the Linux Machine.
Start chisel server on Kali Machine.
Connect to chisel server from Linux Machine (socks proxy).
Now I can evil-winrm on the Windows Machine.
Start a chisel server on the Linux Machine.
Connect to chisel server from Windows Machine, forward some ports.
Trying to connect to the Linux chisel server from Kali doesn't work so I cannot listen to those ports.
Trying to access those ports LinuxIP:[localport] doesn't work either.
Any help would be appreciated.
Thanks.
Hi there,
after you created 2 chisel tunnels like you wrote, just use proxychains firefox http://windowsHostIP:port to access saml login page