Official Sharp Discussion

Official discussion thread for Sharp. Please do not post any spoilers or big hints.

Comments

  • edited December 2020

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

  • edited December 2020

    @wardrive said:

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

    Debug it :-)

  • edited December 2020

    @Ljugtomten said:

    @wardrive said:

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

    Debug it :-)

    I thought as much. lol. Before I go down this rabbit hole...is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d'Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol' boys over at hashcat and google didn't have much info on this particular software.

    I'll enumerate some more before diving into all of that mess.

    UPDATE: It's not that complicated. Think simpler.

  • Anyone know what to do with the client? Done a bunch of reading on the underlying architecture but still not sure what (if anything?) to do with R*******S*****.R******g

  • edited December 2020

    Removed.

  • edited December 2020

    @sl1nki said:

    Anyone know what to do with the client? Done a bunch of reading on the underlying architecture but still not sure what (if anything?) to do with R*******S*****.R******g

    The comments leave some clues, but I'm not entirely sure either. I managed to find some interesting items in the decompiled binary, but I'm no dev, so transcribing it by looking up every line and what it does is somewhat tedious. I tried using other clients to fiddle with the service but every time I send my test box some data it crashes the application, and not in a way that appears to be useful.

    I'm just not getting how to communicate with the service in a meaningful way.

    UPDATE: There's some really good blogs on interfacing with this particular service. @sl1nki pointed these out to me.

  • Rooted! Great box! If you get user, you can get root easily with similar steps

    jkana101
    OSCP | Sec+ | MCSE | VCP | CCNA

  • edited December 2020

    @wardrive said:

    @Ljugtomten said:

    @wardrive said:

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

    Debug it :-)

    I thought as much. lol. Before I go down this rabbit hole...is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d'Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol' boys over at hashcat and google didn't have much info on this particular software.

    I'll enumerate some more before diving into all of that mess.

    UPDATE: It's not that complicated. Think simpler.

    So although I'm not using the same "Lady" you used, I'm using the dragon himself,
    and also notice the so-called "username" and its family name, and other bunch of stuff. Could use a nudge here (or even PM me would be great too).

    aimforthehead

  • edited December 2020

    @aimforthehead said:
    @wardrive said:

    @Ljugtomten said:

    @wardrive said:

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

    Debug it :-)

    I thought as much. lol. Before I go down this rabbit hole...is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d'Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol' boys over at hashcat and google didn't have much info on this particular software.

    I'll enumerate some more before diving into all of that mess.

    UPDATE: It's not that complicated. Think simpler.

    So although I'm not using the same "Lady" you used, I'm using the dragon himself,
    and also notice the so-called "username" and its family name, and other bunch of stuff. Could use a nudge here (or even PM me would be great too).

    Reversing this particular application to decrypt the password is 100% not necessary. Step back, look at how the application saves user credentials. Have you looked at the demo version yet?

  • @wardrive said:

    @aimforthehead said:
    @wardrive said:

    @Ljugtomten said:

    @wardrive said:

    Anyone happen to know what kind of hashtype P......K....n.exe utilizes for password strings? Can't seem to find much about it online.

    Debug it :-)

    I thought as much. lol. Before I go down this rabbit hole...is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d'Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol' boys over at hashcat and google didn't have much info on this particular software.

    I'll enumerate some more before diving into all of that mess.

    UPDATE: It's not that complicated. Think simpler.

    So although I'm not using the same "Lady" you used, I'm using the dragon himself,
    and also notice the so-called "username" and its family name, and other bunch of stuff. Could use a nudge here (or even PM me would be great too).

    Reversing this particular application to decrypt the password is 100% not necessary. Step back, look at how the application saves user credentials. Have you looked at the demo version yet?

    PM you.

    aimforthehead

  • If anyone manages to get the first phase while working on Linux, please PM me.

    aimforthehead

  • PS C:\Windows\system32> whoami
    nt authority\system

    PS C:\Windows\system32>hostname
    Sharp

    Such a fun box man. @cube0x0 <3

  • Hello, for now I got a rev shell and the user. I saw that there is Windows Communication Foundation (WCF), or could you give me a suggestion for root?

    Hack The Box

  • Did you...look at them?

  • Some tip? Started now.

  • Question: I only got user because I was told that the tool I had already used and thought was not going to help was indeed a route to user. Now can someone explain where you can see the justification for that tool being unable to run the simplest test possible with those creds but it goes through and works with the more advanced option? Can somebody explain?

  • edited December 2020

    Because the default configuration of that tool is using a hardcoded method that has been patched or rendered otherwise not applicable in most systems.

    Note the CVEs it's trying to abuse on the GitHub page.

    By using the advanced feature, you are able to define your own payload and bypass the default exploitation method of the tool. You're basically just using it as a dummy client.

    Keep in mind, there are multiple equally valid methods of achieving user access. One just requires more work.

  • What was troubling was that none of the serialization tricks worked for me, but anyway, I believe your explanation makes sense. Cheers.

  • A nice box overall. Got me confused a bit (my comment above), but really enjoyed it. This was also the box that finally 'forced me' to set up a Windows attacking machine. Had to be done, so happy about that. I think enough has been said about user, and once you get user access, the alternative solution (already mentioned above) will provide you with the 'vulnerable' method that will give you root access.

  • I am trying to run the exploit for the user. However, even though my exploit works on my local machine, the exploit fails on the SHARP box because my credentials are rejected. Any hint why this is happening?

  • Read the hints above. Everything you need is already here in some form.

  • Are you running wireshark?

  • Yes, I am using Wireshark. By reading different forums I understand that my issue is caused because my VM and the SHARP box are not in the same domain and that's why the credentials are rejected. Do I have to do some modification on my payload regarding this issue? Or am I not on the right track?

  • edited December 2020

    Hey, I'm having trouble installing the tool allowing us to exploit something associated with old CVEs. Visual Studio is throwing me errors and I think I am missing an assembly reference, but I'm a bit confused. If someone that could compile it correctly on Windows has some time to spare to help me, I'd be really grateful.

    If someone needs tips for the very beginning of foothold, feel free to ask me.

    Thanks!

  • @AlPasta said:

    Hey, I'm having trouble installing the tool allowing us to exploit something associated with old CVEs. Visual Studio is throwing me errors and I think I am missing an assembly reference, but I'm a bit confused. If someone that could compile it correctly on Windows has some time to spare to help me, I'd be really grateful.

    If someone needs tips for the very beginning of foothold, feel free to ask me.

    Thanks!

    I'm at exactly the same point...

  • If you are having trouble authenticating because of a failed domain, consider this:

    How do you specify a domain when passing credentials? Have you looked at the tool itself in dnSpy? How does it handle usernames?

  • Is there any way to reach out to the high port without compiling software with .N**?

  • edited December 2020

    @phneutro said:

    @AlPasta said:

    Hey, I'm having trouble installing the tool allowing us to exploit something associated with old CVEs. Visual Studio is throwing me errors and I think I am missing an assembly reference, but I'm a bit confused. If someone that could compile it correctly on Windows has some time to spare to help me, I'd be really grateful.

    If someone needs tips for the very beginning of foothold, feel free to ask me.

    Thanks!

    I'm at exactly the same point...

    I still couldn't manage to get it to work, but I saw somewhere that people were able to compile it with Visual Studio 2019.
    Binaries are also accessible on GitHub (type the name of the tool, and then -binaries. You should find a GitHub page with it), but they seem a bit old, I don't know if all the newer options are supported.

    EDIT: do not use the binaries you might find on GitHub, you'll get a bunch of errors while trying to use them. Everything compiles fine with VS 2019.

  • Do yourself a favor and check your local firewall settings!
