Zumpyx Blog

EscapeTwo

Machines#642EasyWindows

Tags: SQLi、Hashcat、Ghauri、Cacti、CVE-2024-25641、Mysql、SSH_Proxy、Duplicati

As is common in real life Windows pentests, you will start this box with credentials for the following 
account: rose / KxEPkKe6R8su

Recon & Enum

nmap -p- --min-rate 1000 -T4 -sC -sV -O -v sequel.htb
---
gobuster vhost --random-agent --append-domain -k -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -u 'http://[domain]'
---

type ..\Desktop\user.txt

gobuster dns -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -d [domain_name] -r [dns_ip]
---
gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[domain]'
---

gobuster dir -k --random-agent -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u 'http://[subdomain]'
---
ldapsearch -H "ldap://$IP" -x -s base namingcontexts

Shell as User1

Local Enum

...
[suid]
...
[server port]
...

Shell as User2

oscar:86LxLBMgEWaKUnBG

Local Enum

...
user2 (nopasswd)
...

duJSDJQW@123qwe1123

Shell as Root

type ..\Desktop\root.txt

More and More

这个靶机的主要难点,在于发现 XSS 漏洞后,如何进一步利用 …

Dump Hash

Exploit

Other

https://app.hackthebox.com/home https://app.hackthebox.com/machines https://app.hackthebox.com/challenges

duJSDJQW@123qwe1123