Flight is a Windows-centered box that adds a unique twist by showing both an Apache and PHP website as well as an internal IIS / ASPX website. I’ll get the PHP site to connect back to my server on SMB, leaking a Net NTLMv2, and crack that to get a plaintext password. I’ll get a list of domain users over RPC, and password spray that password to find another user using the same password. That user has write access to a share, where I’ll drop files designed to provoke another auth back to my server to catch another Net NTLMv2.