Official Support Discussion

For which account?

Can somebody DM me please ? it’s not for an hint, it’s purely technical about the code.
Thanks a lot :slight_smile:

I am stuck at how to decrypt the password using the function, am i supposed to run this somewhere? could you give me any tips or hints? :slight_smile:


Update: Solved my issues… Make sure to pay attention to the tools you’re using for privesc and why one was written over another… use that type of cred to avoid auth issues.

Looking for a little help troubleshooting my issue with the PrivEsc path. Constantly getting errors when trying to access the box with privileges and not sure what the cause is. Can provide more information in DM so as not to drop too much in the way of hints here.

Hey ghosty,
have you figured out how to continue?
I am kinda stuck with the same informations like you and tried to use the (maybe) creds? against some services (I saw the **** query in the file so I tried that one) but no success so far… (atleast for me) :frowning:

dnSpy works just fine for me

try w3schools, it has nice virtual envirement to execute code from different languages

Hello batche,
Thanx for the reply !
Yes of course, i tried to access different shares with this creds but access is denied (smbmap) !!
I tried also evil-winrm, psexec, i think that arm**** user does not have access rights ! i get this error msg : SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Also, i tried to dump NTLM hashes / extract some info fromLDAP domain but no access granted !
I even tried rdesktop and then i could probably run powershell to get all LDAP users … no chance !


or if u are familiar with VB environment … u can disassemble the target_file and look for the getpassword() function !
copy that code, modify it and run it to get the decypted password.

Hello guys !
I a little bit confused about the password !
I found the LDAP users and i tried to bruteforce the LDAP with user/pass list !
The pass seems to be wrong !!!

I tried to dump the NTLM hashes from the LDAP domain, similar issue STATUS_LOGON_FAILURE !!

Is that password correct nvEfEK16^1******************* ???

Thanks @0xdf for a fun box.

Those who are stuck, there are lots of good hints above. A couple of extra pointers:

  • For user, no need to modify and run the interesting file if you aren’t sure how. A well known cook can help :wink:
  • Yes, the password looks weird but it’s correct
  • For privesc, linux tools > windows tools (at least for me)

Happy to share a nudge but not giving out spoilers. You can discord me at #2722.

Hi @camk

I struggled but managed to get the password by modifying the file - interested to know what the other ‘well known cook’ method was though. Would you DM me a hint or two please? :slight_smile:

Hi all,

I need some hint, i have 2 users from nmap script krb5, i have found the password (decrypted), but i can not access by smb, I have tried to access with evil-winrm (did not work for me with new version), and crackmapexec.

Maybe you should take care of something related to ldap in the source code you got (read it carefully, it’s not in the getpassword function). Maybe your idea to get users is not a bad idea ! After reading the code and especially the part I mentioned, you should find what to do next.

Hello batche,
The problem is i’m using a bad user … !
I enumerate carrefully the LDAP domain and get some other user.

i have password and username but getting incorrect credentials message when connecting with ldap.

any nudges

I have found the password in the spicy file by running the function code. I’ve also found the next “hint” in the source, but this is where I am stuck. ldapdomaindump returns a 52e when I try the user from the source + the generated pw. This is super confusing to me, could someone DM me and help me understand where I went wrong?

EDIT: might have been my fault despite trying multiple times, I got rid of the -p switch and pasted the pw after prompted.

do some googling about GSSAPI

i just got the username and password in a special file and can successfully connect to the ldap service using them
smbexec and tried to use smbexec, psexec, but failed. i don’t know what to do next
can anyone give me some hints? :upside_down_face:

1 Like

ask the evil management guy for help