Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!
Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn't work it means something's wrong.
@crash0 said:
Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn't work it means something's wrong.
Only if you forget to specify the -just-dc-ntlm option. The thing with that script is that it tries to do a lot of different things, and for this attack we only actually want one of those things. So specify that flag and it will only do that method of attack.
Okay a bit of newbie here. Was able to pull down 2 user accounts and passwords. Don't have any idea where to use them tried rpc, smb, etc. I'm actually familiar with SH unfortunately the python version isn't working, so I'm spinning up a windows box. Anyway, I could really use help here, first time actually spending time in htb. If someone could PM with a hint for tools for user or if I'm completely off there.
User done. Getting to grips with the Windows/AD thing.
EDIT: Got the dog to map the box. Imported data to local dog analytics thing. Marked my owned user and experimented with those "shortest path to x" features. Very nice tool.
Added initial pwned user to the "Ex…" group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?
@nando740 said:
Added initial pwned user to the "Ex…" group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?
Don't add that user to anything. Think about it. You're affecting everyone else attacking this machine at the same time as you. If you grant that account extra permissions, now someone else who gets those creds after that will be starting with extra permissions they shouldn't have. Create a new user account and do whatever you want with that.
Created a new user, and added "w…e…p" group to him. Can't use him to login, since it's not a service account, and that group permission can't be added. If I understand correctly, I should use this account to grant additional permissions.
@nando740 nothing to do with being a service account. There is a standard group on modern Windows machines that controls who is allowed to log in remotely with po********
Thanks again. Logged in.
Tools like In****-AC**** and prex*** are failing with a lot of untreated errors. From what I understand, I need two aces in the domain object.
I am quite new to hacking on Windows machines. Got the user so and can login via Em.
I created another user and can login to that via E*******m.
Now I try to change the A*l with the P****S****t method A**-D*************l - since the dog told me that's the fastest way. But every time I try to add rights with A** -D*************l the E********m kinda timeouts and the command does not succeed.
Looking for a nudge here, I don't see how this is possible with E01 server being down. I've read through countless articles about the E***** group issue and I get
socket.error: [Errno 113] No route to host
You don't need access to another server for this…