I will send you a message.
Does anyone else get the following error when running impacket-getUserSPNs with a Kerberos ticket?
[-] exceptions must derive from BaseException
You should look up the git repo (issues section), I'm sure you'll find your answer there.
yes my friend
Glad to see you back Mr. VbScrub! It is my opinion that you are among the reasons HTB started to pay machine creators!
Finally got The User
Thanks @VbScrub for amazing box really learned a lot and got some clarity about AD, before it was very confusing and intimidating.
Next Step to get Administrator
Edit: Scrambled has been Pwned!
Glad to hear that. I've made a load of videos on AD related attacks if you've not seen them, they might help in future: https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ
Still have the issue even with the additional option mentioned on the github ("-k" etc.)
You need to follow @VbScrub's instructions on a quick fix he's talking about in one of his messages in the issue (tip: you need to change the code a little bit). And don't forget kerberos loves the FQDN.
I'm in his exact same position. Got the two user:pass creds but can't think of a way forward. Anyone willing to give me a nudge? Tried cme ldap auth, but it doesn't work for me.
I feel this is a hard machine for me. I got the creds but not sure if I need to use it to interact with this special service. Please ping me for a nudge, thanks.
I have found two users and their passwords, but have been unable to use those creds anywhere I've tried.
I have been knocking on a secret door, assuming this is an entry point, but haven't found the key.
Am I on the right track? Can someone ping me for a nudge? Thanks!
Nvm. Got the foothold.
Rooted. This was an interesting box for me since I'm not too good with Windows machines. So it was a great learning experience. I'll try to give enough tips to help out but not too much to ruin the box.
Here's a bit of a summary. Most of this info is already in the thread here, I just organized it as was helpful for me.
Foothold
- All the clues needed are in the website. The first user and password, as well as the cause for the difficulty that you'll have using standard tools.
- Once you figure out how to overcome that difficulty, getting the second account is rather straightforward as far as Windows machines are concerned. The creator's YouTube channel will help with the process.
- As it's been stated before, your goal is a ticket and even though it may not seem like you have all the information that you need, you do. Some of the tools, though they don't work directly, will reveal some info when they execute as long as you run them in verbose or debug mode.
User
- Once you are into your first service, dig around a bit for some info
- Once you found some loot, get a shell. There's nothing hacker about this step, it's a feature of the service which really shouldn't be a thing because of how it can be exploited.
- To pivot, and this was a bit messy for me, you can get another shell as the user from your current shell. Though PowerShell lacks an ability to switch user, you still can execute commands as a different user if you have their creds.
Root
- The website gave more info about a program that connects to the server, it's custom.
- You should now be able to find and download that program and its dependencies. When you have them, look through them for clues about how the protocol on the server works, what you can send to it via nc from your machine. I did this in a messy way which I think is unintended. The best way to get what you need in this step would be ideally to run the program. Decompiling is another avenue if you're good at that, which I'm not. This step took a lot of time and fuzzing and guessing for me as I made it harder than it should have been.
- In order to perform the actual attack, the creator has a really good article on the vulnerability that you'll be exploiting, and even references the tool to use.
- I couldnāt get the tool to run on Linux, but since the target is Windows, you can just download it there and run it from there.
PM me with any questions, or hit me up on Discord: InfosecGreg#1683
Rooted. Excellent machine, thank you @VbScrub. Also thanks to @InfosecGreg on the help on foothold.
My thoughts on it: Everything needed to root the box is already described by others on this thread, just pay attention to the hints and the materials provided.
Curiously, your blog post helped me when I started to learn this vuln, even used it as a reference on my own post about it a few months ago @VbScrub, so thanks twice I guess
haha good stuff, glad to hear that
rooted! this one was kinda tricky. if you're having issues with p*****d on the root stage, try running the tool on the target machine, not sure why but it wasn't working for me until i did it that way
Machine rooted,
Very funny, a very interesting attack; I got stressed a lot because I got too many errors for everything I did hahaha
Thank you @meowmeowattack @R3dHawk @InfosecGreg
Got a bit stuck due to my inexperience.
I got into the one service and pulled the doc. Need a nudge on how to get a shell out of that. Any advice would be greatly appreciated.
Hi everybody!
Cannot get a foothold. Read all the thread, but have no idea why my Impacket script (GetUserSPNs.py) doesn't work.
I've made source code changes, but I'm getting "[-] [Errno 104] Connection reset by peer".
Would be appreciated for any help!