Official Sharp Discussion

@wardrive said:

Anyone happen to know what kind of hashtype P…K…n.exe utilizes for password strings? Can’t seem to find much about it online.

Debug it :slight_smile:

@Ljugtomten said:

@wardrive said:

Anyone happen to know what kind of hashtype P…K…n.exe utilizes for password strings? Can’t seem to find much about it online.

Debug it :slight_smile:

I thought as much. lol. Before I go down this rabbit hole…is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d’Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol’ boys over at hashcat and google didn’t have much info on this particular software.

I’ll enumerate some more before diving into all of that mess.

UPDATE: It’s not that complicated. Think simpler.

Anyone know what to do with the client? Done a bunch of reading on the underlying architecture but still not sure what (if anything?) to do with R*S*****.Rg

Removed.

@sl1nki said:

Anyone know what to do with the client? Done a bunch of reading on the underlying architecture but still not sure what (if anything?) to do with R*S*****.Rg

The comments leave some clues, but I’m not entirely sure either. I managed to find some interesting items in the decompiled binary, but I’m no dev, so transcribing it by looking up every line and what it does is somewhat tedious. I tried using other clients to fiddle with the service but every time I send my test box some data it crashes the application, and not in a way that appears to be useful.

I’m just not getting how to communicate with the service in a meaningful way.

UPDATE: There’s some really good blogs on interfacing with this particular service. @sl1nki pointed these out to me.

Rooted! Great box! If you get user, you can get root easily with similar steps

@wardrive said:

I thought as much. lol. Before I go down this rabbit hole…is this the path I should take? I managed to find the method in a library file with my good friend, Françoise d’Aubigné. Not having ever done this before, I could see this taking a lot of time. Seeing some usernames in a certain file got my hopes up, but the good ol’ boys over at hashcat and google didn’t have much info on this particular software.

I’ll enumerate some more before diving into all of that mess.

UPDATE: It’s not that complicated. Think simpler.

So although I’m not using the same “Lady” you used, I’m using the dragon himself,
and I also noticed the so-called “username” and its family name, and a bunch of other stuff. Could use a nudge here (or even a PM would be great too).

@aimforthehead said:

So although I’m not using the same “Lady” you used, I’m using the dragon himself,
and I also noticed the so-called “username” and its family name, and a bunch of other stuff. Could use a nudge here (or even a PM would be great too).

Reversing this particular application to decrypt the password is 100% not necessary. Step back, look at how the application saves user credentials. Have you looked at the demo version yet?

@wardrive said:

Reversing this particular application to decrypt the password is 100% not necessary. Step back, look at how the application saves user credentials. Have you looked at the demo version yet?

PM you.

If anyone manages to get the first phase while working on Linux, please PM me.

PS C:\Windows\system32> whoami
nt authority\system

PS C:\Windows\system32>hostname
Sharp

Such a fun box man. @cube0x0 <3

Hello. For now I got a rev shell and the user. I saw that there is Windows Communication Foundation (WCF). Could you give me a suggestion for root?

Did you…look at them?

Some tips? Started now.

Question: I only got user because I was told that the tool I had already used and thought was not going to help was indeed a route to user. Now can someone explain where you can see the justification for that tool being unable to run the simplest test possible with those creds but it goes through and works with the more advanced option? Can somebody explain?

Because the default configuration of that tool is using a hardcoded method that has been patched or rendered otherwise not applicable in most systems.

Note the CVEs it’s trying to abuse on the github page.

By using the advanced feature, you are able to define your own payload and bypass the default exploitation method of the tool. You’re basically just using it as a dummy client.

Keep in mind, there are multiple equally valid methods of achieving user access. One just requires more work.

What was troubling was that none of the serialization tricks worked for me, but anyway, I believe your explanation makes sense. Cheers.

A nice box overall. Got me confused a bit (my comment above), but really enjoyed it. This was also the box that finally ‘forced me’ to set up a Windows attacking machine. Had to be done so happy about that. I think enough has been said about user, and once you get user access, the alternative solution (already mentioned above) will provide you with the ‘vulnerable’ method that will give you root access.

I am trying to run the exploit for the user. However, even though my exploit works on my local machine, the exploit fails on the SHARP box because my credentials are rejected. Any hint why this is happening?

Read the hints above. Everything you need is already here in some form.